This article would probably not have been written if it weren’t for the major attacks on World of WordPress the minute I moved to another membership plugin. Never before had I gotten better proof that security is a major issue.
Any WordPress website that lets users register and log in can and probably will be targeted by brute-force attacks, enumeration attacks, DDoS attacks and more. Contact forms and other front-end forms can also be misused.
All these dangers can hurt your website, from flooding it with spam users to breaking it down completely. You won’t see them coming, but you will know when they are there!
Prevent and protect
It can’t be said enough: protect your website! Take all the precautions necessary for your type of website. Some of these precautions are DIY. For more thorough protection, you will have to use a plugin.
What triggered me to search for the necessary protection was what happened with World of WordPress the moment I switched to another membership plugin, Ultimate Member. Within five (!) minutes the first ghost registration took place. Within 10 minutes I had four more, despite the fact that users have to activate their account after registration by clicking on the link in the email they receive. One of these users even got as far as submitting a post, which is only possible when logged in.
Usually, a membership plugin doesn’t use the standard WordPress registration, login and password reset form. Some of them have extensions like (Re)captcha, honeypot or other protection for these forms. Of course, the plugin I chose doesn’t do that for free. Ten minutes of searching led me to WPBruiser. This plugin has specific Ultimate Member protection built in. It took two minutes to install and configure the plugin, with immediate results!
The plugin WPBruiser
Protection against various sorts of attacks is necessary. Although World of WordPress is also protected by Cloudflare and a very good webhost, many attackers seem to get through. Because of the specific Ultimate Member protection, I decided to go for WPBruiser. For all the features and protection, check out their page on WordPress.org!
You can install WPBruiser like any other plugin. You can download it from WordPress.org, or go to Plugins => Add new, search for the plugin, then install and activate it. Go to the Settings page after activation and set up the plugin to your needs.
Let’s walk through the settings. This is the basic, free plugin. You can always extend the functionality by buying the extension(s) you need.
Set these as you wish. You can choose Test mode to test all your settings. You should turn it off as soon as you are satisfied with the settings!
Check all the boxes for maximum security. On this tab, you can manually whitelist and blacklist IP addresses and ranges. Be careful not to lock yourself out!
On the WordPress tab you can set the standard WordPress functionality protection.
The free version of WPBruiser supports a few contact forms. If you use one of them, you can enable the protection here. Other popular contact forms, like Contact Form 7 and Ninja Forms, can be supported by buying the extension.
This free version of WPBruiser supports three membership plugins. World of WordPress uses Ultimate Member. That is why the options are checked. Other membership plugins are supported with extensions.
The Others tab has a few other plugins that can be protected with WPBruiser.
Select the notifications you’d like to receive in your mailbox.
WPBruiser has a lot of extensions you can add to the plugin. These are all paid extensions.
Finally, the Reports tab.
The Reports tab gives a general and a detailed view of what’s happening. All invalid attempts to register or log in are logged. As you can see on the graphic, a lot of attempts are made on World of WordPress, day in, day out. You can view the blocked content and block the IP address.
After switching to another membership plugin, I really needed a protection plugin to protect the new forms I started to use. During the implementation of the new membership plugin I had lots of ghost registrations within minutes! Installing and configuring the plugin was very easy, and with immediate results. I never had any ghost registration.
As the reports show, this plugin blocks a lot of login and register attempts made by bots. I don’t know why they target World of WordPress (or maybe the plugin Ultimate Member), but what I do know is that WPBruiser does what it claims: block all bots!