內容簡介
GuardGiant 是一款暴力破解防護外掛,透過信任裝置機制區分真實使用者與攻擊者,在有效阻擋惡意登入嘗試的同時,避免誤鎖合法用戶帳號,提供兼顧安全性與使用體驗的登入保護方案。
【主要功能】
• 信任裝置辨識,避免誤鎖真實使用者
• 未知裝置登入時自動寄送警示通知
• 多階段防禦:驗證碼、暫時封鎖、遞增等待
• 整合 Google ReCaptcha 阻擋自動化攻擊
• 完整登入歷史記錄,含地理位置與裝置資訊
• 所有防護行為皆可自訂,符合 GDPR 規範
外掛標籤
開發者團隊
② 後台搜尋「WordPress Brute Force Protection – Stop Brute Force Attacks」→ 直接安裝(推薦)
原文外掛簡介
The only plugin with 100% brute force protection that doesn’t lock out genuine users.
Brute Force Protection
This security plugin implements an approach used by large websites such as Facebook, Google etc.
When a genuine user makes a successful login to their account using their mobile phone, tablet, or computer GuardGiant starts treating their device as Trusted.
Failed login attempts from trusted devices are directed towards ‘Lost Password’ forms rather than being subject to account lockouts or additional counter measures.
Users receive an alert when anyone logs into their account from an unrecognized device or browser.
Stop Hackers
GuardGiant uses a range of strong counter-measures to limit login attempts from unrecognized devices. The default behaviour is:
After 3 failed login attempts from the same unrecognized device, a Google ReCaptcha field is added to the login page. ReCaptcha is a strong counter-measure that is very hard for an automated process to solve.
After 10 failed login attempts a temporary block of 2 minutes is applied to the device/IP address. No login attempts can be made during this time.
Each further failed login attempt increases the block time by another minute. This slows down attacks to the point where they quickly become unviable.
All behavior is fully customizable to achieve the level of brute force protection that you require.
Login History
A fully featured security log gives you visibility to login attempts on your site.
Provides geographic location, device type, IP address and more for each login attempt.
Filter login attempts by Trusted or Unrecognized devices.
Search by IP address or username.
Filter by successful or failed attempts.
Easy to display successful logins from unrecognized devices that could indicate a hacked account.
This login history log should form an essential part of your brute force login protection plan. GDPR compliant.
Other Login Security Improvements
This security plugin implements various improvements recommended by the Open Web Application Security Project® (OWASP) to keep your site safe:
Obfuscates login errors to stop hackers detecting valid account names.
Option to disable XMLRPC.
And much, much more.
This security plugin is exceptionally easy to use no matter what your level of technical expertise.
The default settings are highly optimized, designed to prevent brute force attacks whilst not disturbing genuine users from logging in. Advanced users can fully customize the behavior of this plugin to suit their own environment.
Login Security Plugin – Background Information
The most common threat that WordPress site owners face is a password guessing attack known as a brute force attack.
A brute force attack is where an attacker uses a brute force tool (or script) to discover your password by systematically trying every possible combination of letters, numbers, and symbols until the correct password is found. A brute force attack will always work eventually, but the problem for the brute force attacker is that it may take many years to do it.
Brute force prevention techniques focus on slowing down these attacks to the point where they become unviable.
Using long and complex passwords (that are not dictionary words) is a good brute force attack prevention method to start with. This greatly increases the time an attacker will need.
A common way to stop brute force attacks is to lock out the WordPress account after a defined number of failed authorization attempts (there are various brute force plugins that do this).
The problem with this approach is that the site administrator ends up with unhappy users who have been locked out, often needing manual intervention to regain access. This is not sustainable or desirable for sites of any size.
The modern approach to brute force prevention is to track the devices that genuine users use to log in, ensuring they are always treated kindly if they forget their password. Unrecognized devices face a progressive but temporary timed lockout.
Stop Brute Force Attacks
Periodic monitoring of your security audit log can help you stop brute force attacks.
Here are patterns that indicate a brute force attack or some other account abuse:
Failed login attempts using alphabetically sequential usernames or passwords
Multiple different usernames being used by the same IP address
Logins for a single account coming from many different IP addresses
Failed logins at a specific period e.g. every 5 minutes
