It’s been one week since we released our plugin Project Force Field on the WordPress plugin directory, and things couldn’t be going smoother! The plugin was downloaded over 100 times, received 6 five-star reviews and 2 four-star reviews. On the Orion Group servers alone, Project Force Field has blocked nearly 3,000 brute force login attempts in the past 24 hours! So Project Force Field is doing its job well and more people are starting to enjoy the benefits. But how does it work?

How Does Project Force Field Work?

After having witnessed many brute force attacks, Jon (our server administrator) noticed that the attacks always sent their login requests straight to wp-login.php. Out of the box, WordPress always has a login page at wp-login.php. So-called hackers count on this and send hundreds of login attempts until they succeed or run out of guesses.

Project Force Field takes advantage of this assumption and blocks all access to wp-login.php, malicious or not, using Apache’s mod_rewrite module. We use the mod_rewrite module for a couple of reasons. First, we host our WordPress websites on Apache servers. Second, mod_rewrite rules allow us to deny a request without executing any PHP. The latter reason is the most important. Every time someone visits the login page, WordPress is loaded, the PHP is executed, and the database is accessed. If someone visits your login page over 100 times a minute, you can start to run out of server resources fast!

So the benefits are twofold: brute force attacks are denied and you save loads of server resources!
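One way to confirm from the server side that the block is doing its job, added here as an example and not code from the plugin: it counts denied wp-login.php requests per client and flags any that still got through. It assumes Apache's combined access log format and that the mod_rewrite deny is logged as a 403; the log lines are constructed.

```python
import re
from collections import Counter

# Apache "combined" log format: client, identity, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:06:30:01 -0500] "POST /wp-login.php HTTP/1.1" 403 211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:06:30:01 -0500] "POST /wp-login.php HTTP/1.1" 403 211 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2014:06:30:02 -0500] "GET /wp-login.php?action=register HTTP/1.1" 403 211 "-" "curl/7.30"
192.0.2.50 - - [10/Mar/2014:06:31:10 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2014:06:31:15 -0500] "POST /blog/wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.30"
garbage line that does not parse
"""

def audit_wp_login(lines):
    """Return (denied_per_ip, leaked) for requests aimed at wp-login.php.

    denied_per_ip: Counter of client IP -> requests answered with 403.
    leaked: entries that reached wp-login.php with any other status,
            meaning the deny rule did not cover that path.
    """
    denied, leaked = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-combined-format lines
        # Compare only the path component, ignoring the query string.
        path = m["path"].split("?", 1)[0]
        if not path.lower().endswith("/wp-login.php"):
            continue
        if m["status"] == "403":
            denied[m["ip"]] += 1
        else:
            leaked.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return denied, leaked

if __name__ == "__main__":
    denied, leaked = audit_wp_login(SAMPLE_LOG.splitlines())
    print("denied total:", sum(denied.values()))
    for ip, count in denied.most_common():
        print(f"  {ip}: {count}")
    for entry in leaked:
        print("NOT BLOCKED:", entry)
```

In the constructed sample, the request to a WordPress copy under /blog/ comes back with a 200, which is the kind of gap this check is meant to surface.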

If wp-login.php Is Blocked, How Do I Log In?

Since wp-login.php is blocked for everyone, regardless of intent, you won’t be able to log in there. Luckily there’s a way for you to get around this! On all WordPress sites, if you go to /wp-admin/ and aren’t logged in, WordPress will redirect you to the login page. Project Force Field uses WordPress hooks to modify the login redirect and point you to the new login page, allowing you to log in the same way you always have.

Where Do I Get Project Force Field?

Project Force Field is hosted in the WordPress Plugin Directory and by installing it from WordPress.org, you will be able to easily update to the newest versions. So install Project Force Field and start shielding your site from brute force attacks today!


One thought on “How Project Force Field Protects WordPress from Brute Force Attacks”

  1. A quick update: On the Orion Group servers, Project Force Field has blocked over 20,000 malicious login attempts since 6:30 am!
