I’ve noticed that the main issue with my website is failed fraudulent login attempts (multiple per day) as well as spam commenting somehow on blog posts.

    I’m interested in purchasing the Wordfence premium; however, before I commit I’d like to learn an effective tool or option I can use with the free version to block such attacks, while making sure it doesn’t slow down my website or affect my actual visitors and daily users.

    Please advise. 

Viewing 5 replies - 1 through 5 (of 5 total)
Plugin Support wfpeter

    (@wfpeter)

    Hi @tancredi, thanks for getting in touch.

    I can’t discuss the Premium version of the plugin as per the www.ads-software.com forum guidelines, but the comments and login attempts you’re seeing should be manageable with the free version.

    Comment spam through XML-RPC is common, so disabling it (if you’re able to) is always the best place to start. Restrict XML-RPC by checking the “Disable XML-RPC authentication” checkbox in Wordfence > Login Security > Settings to prevent authentication attempts through that file.

    If you’re not using Jetpack or the WordPress app, you could try disabling access to this route altogether via your .htaccess file with:

    # Block WordPress xmlrpc.php requests
    # (Apache 2.2 "Order/Deny" syntax; on Apache 2.4 without mod_access_compat,
    #  the equivalent is a single "Require all denied" line inside <Files>)
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>

    For fraudulent login attempts, Wordfence will still log these when preventing them, so don’t necessarily consider a high number of attempts an occasion when Wordfence isn’t working. However, your main lines of defence are reCAPTCHA, 2FA and your Brute Force settings. I recommend trying 3-5 for attempts and password resets, counted over 4 hours, with a 30 minute (or longer) lockout time period.

    If Wordfence > All Options > Brute Force > Amount of time a user is locked out and Wordfence > All Options > Rate Limiting > How long is an IP address blocked when it breaks a rule? are set to low timescales such as minutes or hours, a sustained amount of attempts may get through a few times before being blocked again. You can try increasing these to days or months if you prefer, but we generally recommend around 30 minutes to prevent issues for legitimate site visitors who’ve found themselves blocked by mistake. Make sure the Brute Force and Rate Limiting toggles are set to ON for these rules to work.

    Thanks,
    Peter.
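As an added illustration (not code from this thread or from the Wordfence plugin), the following script models how the attempt threshold, counting window and lockout duration described above interact with a sustained attack. The counting rules are a simplified assumption, and the login events are constructed with documentation-range IPs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-login events (time, source IP, username), in the shape a
# login log or a plugin like Simple History would show. IPs are documentation
# addresses (RFC 5737), not real hosts.
BASE = datetime(2024, 1, 1, 0, 0)
SAMPLE_FAILURES = [(BASE + timedelta(minutes=i), "203.0.113.7", "admin")
                   for i in range(120)]  # one guess per minute for two hours
SAMPLE_FAILURES += [(BASE + timedelta(minutes=10), "198.51.100.20", "editor"),
                    (BASE + timedelta(minutes=12), "198.51.100.20", "editor")]  # real user, two typos


def simulate_lockouts(events, max_attempts=5, window_hours=4, lockout_minutes=30):
    """Replay failed logins through a simple per-IP lockout model.

    Assumed model (not Wordfence's actual implementation): failures are counted
    per IP inside a sliding window; reaching max_attempts locks the IP for
    lockout_minutes and resets its counter. Returns how many attempts reached
    the password check, how many were refused during a lockout, and how many
    lockouts were triggered.
    """
    window = timedelta(hours=window_hours)
    lockout = timedelta(minutes=lockout_minutes)
    locked_until = {}
    recent = defaultdict(list)
    stats = {"checked": 0, "blocked": 0, "lockouts": 0}
    for t, ip, _user in sorted(events):
        if ip in locked_until and t < locked_until[ip]:
            stats["blocked"] += 1      # refused outright; no password check runs
            continue
        stats["checked"] += 1          # this attempt reaches WordPress authentication
        recent[ip] = [x for x in recent[ip] if t - x < window]
        recent[ip].append(t)
        if len(recent[ip]) >= max_attempts:
            locked_until[ip] = t + lockout
            recent[ip].clear()
            stats["lockouts"] += 1
    return stats


if __name__ == "__main__":
    # A 30 minute lockout lets a few guesses through each time it expires;
    # a longer lockout stops the same attacker after the first threshold.
    for minutes in (30, 240):
        print(f"lockout={minutes} min:", simulate_lockouts(SAMPLE_FAILURES, lockout_minutes=minutes))
```

The two runs show the trade-off Peter describes: the short lockout still lets a handful of attempts through every half hour, while the legitimate user's two failures never trigger a lock in either case.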

    Thread Starter greenman

    (@tancredi)

    Hi @wfpeter Thank you for your informative reply.
    For now I’ve set it up for both commenting spam and login attempts the way you mentioned via the wordfence dashboard.
    Hopefully, this will be “enough” for the time being.
    I’ll keep watch on the situation and check whether it is worth implementing some other strategy or tool as you suggested.
    I had previously limited bad bot traffic via .htaccess; not sure Wordfence has tools for that or how to set those up.
    Just wondering, is the 2FA preventing/blocking the fraudulent login attempts as they happen when enabled?
    Can I enable it myself as admin for all the other users (authors/editors) on the website?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @tancredi, thanks for getting back to me.

    2FA will come into play should a correct username/password be attempted, so other attempts where the initial credentials are wrong will still be blocked prior to 2FA.

    You can enable it for admins only if you wish, although the Wordfence > Login Security > Settings page lets you pick a required/optional status for other user levels too. Make sure to pick a reasonable grace period if you opt for “required” otherwise all existing users without a 2FA code will be locked out.

    You can find more information and a helpful video here: https://www.wordfence.com/help/tools/two-factor-authentication/

    Thanks again,
    Peter.

    Thread Starter greenman

    (@tancredi)

    Thank you for coming back @wfpeter
    I’ve enabled the tools and set it up as you advised in your first reply; however, I’m still getting the spam comments and the fraudulent login attempts. I can see those from another plugin called “Simple History”.
    Is there a way to block those for good?

    Thread Starter greenman

    (@tancredi)

    Hi @wfpeter
    So basically this plugin’s free version does nothing, am I correct?
    I haven’t seen one benefit yet after installing it.
    So please, if we eventually purchase the premium, will we be able to block the spam comments and brute force login attempts or not?
    Just wondering.

The topic ‘Basic protection from constant login attempts’ is closed to new replies.