How to protect your WordPress website with WPBruiser

This article would probably not have been written if it wasn’t for the major attacks on World of WordPress the minute I moved to another membership plugin. Never before have I had better proof that security is a major issue.

The dangers

Any WordPress website that lets users register and log in can, and probably will, be targeted by brute force attacks, enumeration attacks, DDoS attacks and more. Contact forms and other front-end forms can also be misused.

All these dangers can hurt your website. They range from flooding it with spam users to bringing your website down completely. You won’t see them coming, but you will know when they are there!

Prevent and protect

It can’t be said enough: protect your website! Take all the precautions necessary for your type of website. Some of these precautions are DIY. For more thorough protection, you will have to use a plugin.

What triggered me to search for the necessary protection was what happened with World of WordPress the moment I switched to another membership plugin, Ultimate Member. Within five (!) minutes the first ghost registration took place. Within 10 minutes I had four more! This happened despite the fact that users have to activate their account after registration by clicking on the link in the email they receive. One of these users even got as far as submitting a post, which is only possible when logged in.

Usually, a membership plugin doesn’t use the standard WordPress registration, login and password reset form. Some of them have extensions like (Re)captcha, honeypot or other protection for these forms. Of course, the plugin I chose doesn’t do that for free. Ten minutes of searching led me to WPBruiser. This plugin has specific Ultimate Member protection built in. It took two minutes to install and configure the plugin, with immediate results!

The plugin WPBruiser

Protection against various sorts of attacks is necessary. Although World of WordPress is also protected by Cloudflare and a very good webhost, many attackers seem to get through. Because of the specific Ultimate Member protection, I decided to go for WPBruiser. For all the features and protection, check out their page on WordPress.org!

You can install WPBruiser like any other plugin. You can download it from WordPress.org, or go to Plugins => Add new, search for the plugin, then install and activate it. Go to the Settings page after activation and set up the plugin to your needs.

Settings

Let’s walk through the settings. This is the basic, free plugin. You can always extend the functionality by buying the extension(s) you need.

General settings

Set these as you wish. You can choose Test mode to try out all your settings. You should turn it off as soon as you are satisfied with the settings!

Security

Check all the boxes for maximum security. On this tab, you can manually whitelist and blacklist IP addresses and ranges. Be careful not to lock yourself out!
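To avoid the lock-out mentioned above, you can check your own addresses against the entries you plan to block before saving them. The script below is an added example, not part of WPBruiser or of the original article. It assumes entries are single addresses or CIDR ranges (the plugin's accepted range syntax is not described here), and the function names and sample addresses are made up for illustration.

```python
import ipaddress

def parse_entry(entry):
    """Parse one list entry: a single address or a CIDR range (assumed syntax)."""
    # strict=False accepts "203.0.113.7/24" by masking off the host bits.
    return ipaddress.ip_network(entry.strip(), strict=False)

def covers(net, ip):
    """True when ip lies inside net; IPv4 and IPv6 never match each other."""
    return net.version == ip.version and ip in net

def lockout_check(admin_ips, blacklist, whitelist=()):
    """Return (findings, rejected).

    findings: (admin_ip, blocking_entry, also_whitelisted) for every admin
              address that a blacklist entry would cover.
    rejected: entries that could not be parsed and must be fixed by hand.
    """
    rejected, parsed = [], {"black": [], "white": []}
    for kind, entries in (("black", blacklist), ("white", whitelist)):
        for raw in entries:
            try:
                parsed[kind].append((raw, parse_entry(raw)))
            except ValueError:
                rejected.append(raw)

    findings = []
    for text in admin_ips:
        ip = ipaddress.ip_address(text)
        # Treat ::ffff:a.b.c.d as the IPv4 address it carries.
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        # Informational only: which list wins is not stated in the article.
        also_whitelisted = any(covers(net, ip) for _, net in parsed["white"])
        for raw, net in parsed["black"]:
            if covers(net, ip):
                findings.append((text, raw, also_whitelisted))
    return findings, rejected

# Constructed sample data using documentation-only address ranges.
ADMIN_IPS = ["203.0.113.25", "2001:db8::10", "::ffff:198.51.100.7"]
BLACKLIST = ["203.0.113.0/24", "198.51.100.7", "192.0.2.300", "2001:db8:ffff::/48"]
WHITELIST = ["203.0.113.25"]

if __name__ == "__main__":
    hits, bad = lockout_check(ADMIN_IPS, BLACKLIST, WHITELIST)
    for ip, entry, wl in hits:
        print(f"{ip} would be blocked by {entry} (also whitelisted: {wl})")
    print("unparseable entries:", bad)
```

Any address that shows up in the findings without a matching whitelist entry is one you would block yourself from.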

WordPress

On the WordPress tab you can set the standard WordPress functionality protection.

Contact forms

The free version of WPBruiser supports a few contact forms. If you use one of them, you can enable the protection here. Other popular contact forms, like Contact Form 7 and Ninja Forms, can be supported by buying the extension.

Membership

This free version of WPBruiser supports three membership plugins. World of WordPress uses Ultimate Member. That is why the options are checked. Other membership plugins are supported with extensions.

Others

The tab Others has a few other plugins that can be protected with WPBruiser.

Notifications

Select the notifications you’d like to receive in your mailbox.

Extensions

WPBruiser has a lot of extensions you can add to the plugin. These are all paid extensions.

Reports

Finally the tab Reports.

The Reports tab gives a general and a detailed view of what’s happening. All invalid attempts to register or log in are logged. As you can see on the graphic, a lot of attempts are made on World of WordPress, day in, day out. You can view the blocked content and block the IP address.

Conclusion

After switching to another membership plugin, I really needed a protection plugin to protect the new forms I started to use. During the implementation of the new membership plugin I had lots of ghost registrations within minutes! Installing and configuring the plugin was very easy, and with immediate results. I never had any ghost registration.

As the reports show, this plugin blocks a lot of login and registration attempts made by bots. I don’t know why they target World of WordPress (or maybe the plugin Ultimate Member), but what I do know is that WPBruiser does what it claims: block all bots!

Ronald Heijnes

Since 2008 I have kept myself busy with the functionality, management, maintenance and performance of self-hosted WordPress. I like to share this knowledge. All in my spare time!
