All In One WP Security Plugin – Using the ‘Cookie Based Brute Force Login Attack’ Prevention Feature


Last updated: September 17, 2013

The All In One WP Security & Firewall plugin by Tips and Tricks HQ is much more than just a protection tool for the all-important .htaccess and wp-config files.

Among other things, there are also basic, intermediate and advanced firewall protection strategies that can be applied to the WordPress site. These features, when turned on, add lines to the .htaccess file, which the web server processes before any WordPress file is run, so unwanted requests are stopped before they ever reach the WordPress site files.

User Login Safety Features of the Plugin

The plugin includes features that help prevent logins from hackers and malicious scripts. A Brute Force Login Attack is one such way in which a hacker tries to gain entry: the attacker keeps trying to guess the password for a WordPress account, all the while assuming that he/she/it already knows the username. This can be done manually or with a script.

To prevent such attacks, not using the default “admin” user name for the Administrator account is key. Also, making sure that the author name displayed on posts (or pages) does not reveal the login username is another important prevention method.

Of course, strong passwords will go a long way as well. Never use dictionary words, as those are the first to be tried a lot of the time. Many people suggest using a full sentence, with all its punctuation and spaces, as a password. Others suggest making certain there is a good mix of lower case and upper case letters, special characters (such as #$%@&!) and numbers in the password.

Another effective way to stop the attacks is to monitor and block IP Addresses that are involved in repeated login attempts, which in most cases are attacks.

There are settings in the plugin for stopping login attempts once certain criteria are met. You can set the maximum login attempts within a specific time frame which, when reached, will lock out an IP Address for the specified amount of time. You can also have it display a generic (i.e. non-revealing) error message for failed login attempts. Lockout notifications can be sent to the site admin by email as well.

The above settings are considered “Basic” and add 20 points to the Security Strength Meter (the gauge the plugin uses to rate how secure a site is based on the chosen settings). You can add another 5 points by enabling another basic feature that automatically logs out a WordPress user after being logged in for a specific amount of time, say 1 hour. This means that if a person leaves a machine and doesn’t come back within the specified time frame, the session will expire.

Introducing the Cookie-Based Brute Force Login Prevention Feature

Another Firewall feature that involves user accounts, is considered “Intermediate” and adds another 20 points to the Security Strength Meter is the ‘Cookie-Based Brute Force Login Prevention’ feature.

While repeated failed attempts at guessing a WordPress username and password combination can get an IP Address locked out, handling those attempts also takes up valuable server resources. Especially when there are many concurrent attempts (from malicious automated robots), this has a negative impact on the server’s memory and performance.

Implementing this feature adds new lines to the .htaccess file. Basically, what it does is hide the default WordPress login page from the public. If attackers cannot reach the login page, they cannot attempt to log in.

The way it works, essentially, is: you specify a “secret word” to the plugin, which creates a special URL. The special (secret) URL, when visited, sets a cookie in that browser which, when present, allows that individual to visit the WordPress login page as usual. Without knowledge of the special URL (i.e. without the cookie), the visitor is redirected to a different IP Address or URL that you configure. This could be any site on the web, but the default is http://127.0.0.1, which points back to the web site visitor’s own machine.

Don’t worry: if there are password protected posts or pages on the site, there is a provision in place that spares visitors needing access to that content from having to know the special URL (the password form for such posts submits to the WordPress login script, so those submissions are let through). Turning this on, however, could provide a new way to reach the login page for those who know the location of these pages (most often it won’t be hackers, though). Only turn on this option when necessary, nonetheless.
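To make the mechanism concrete, here is an added illustration of what such a cookie gate looks like as Apache mod_rewrite rules in .htaccess. This is constructed for this article and is not the plugin’s own generated rules; the cookie name demo_login_ok, the secret word SECRETWORD and the cookie domain example.com are assumed, and http://127.0.0.1 is the plugin’s default redirect target.

```apache
# Constructed example, not the rules the plugin writes. Assumed values:
# cookie demo_login_ok, secret word SECRETWORD, cookie domain example.com.
# Place this block above the "# BEGIN WordPress" block. In .htaccess a
# comment must sit on its own line, never after a directive.
RewriteEngine On

# Step 1: visiting https://example.com/?SECRETWORD sets the access cookie
# (1440 minutes = 1 day, HttpOnly; change the "0" before the last ":1" to
# "1" on an HTTPS-only site to mark it Secure) and then forwards the
# visitor to the real login page. The trailing "?" on the substitution
# drops the secret word from the Location header of the redirect.
RewriteCond %{QUERY_STRING} ^SECRETWORD$
RewriteRule ^/?$ /wp-login.php? [CO=demo_login_ok:1:example.com:1440:/:0:1,R=302,L]

# Step 2: any request for wp-login.php that does not carry the cookie is
# sent away to the configured address instead of reaching WordPress.
# WordPress's password-protected post form submits to
# wp-login.php?action=postpass, so that one request type is exempted; this
# is the equivalent of the plugin's "password protected posts" option and
# is also why the article calls that option a second route to the script.
RewriteCond %{QUERY_STRING} !^action=postpass$
RewriteCond %{HTTP_COOKIE} !(^|;\s*)demo_login_ok=1(;|$)
RewriteRule ^wp-login\.php$ http://127.0.0.1/ [R=302,L]
```

If these rules ever lock you out (a cleared browser, a typo in the secret word), removing the block from .htaccess restores normal access, which is what the "restore your .htaccess file" advice later in the article amounts to.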

Steps for Setting up the Cookie Based Brute Force Login Attack Feature

Below are the quick steps for implementing the cookie based brute force login attack prevention feature for WordPress.

  1. First, get the plugin installed in whatever way you normally do. Truly, the easiest way, to avoid unnecessary downloading and uploading when you already know the name of the plugin, is to use the “search” feature under Plugins >> Add New. In this case, search for: All In One WP Security & Firewall.
  2. Go to WP Security >> Firewall >> Brute Force Prevention once the plugin is installed and activated.
  3. Scroll to the bottom of the page and do a quick cookie test to make certain that this feature will in fact work for you on the machine you are using. Click the Perform Cookie Test button.
  4. Next, put a checkmark in the box to Enable Brute Force Attack Prevention.
  5. Create a Secret Word, which will be used for the secret URL, which in turn creates the cookie that authorizes access to the WordPress login URL when visited.
  6. You are probably done at this point and can save your changes. Optionally modify the Re-direct URL if you want to be clever. And if your site does in fact have password protected posts or pages, check the option for My Site Has Posts Or Pages Which Are Password Protected.

After saving your settings, make note of the secret URL (preferably by memorizing it) and you are in business.

What if Something Goes Wrong When I Use this Feature?

Simply restore your .htaccess file.


Comments (22 responses)

  1. Peter says:
    October 29, 2014 at 4:07 pm

    Hi, happy user of the security plugin, it makes life a lot easier. Two remarks:
    1 – WP has one problem when hosted: the 404 page depends on a page being generated from inside WP. A random hit like “site.com/abcdef” will yield the default Apache/hosting platform page. As the plugin rewrites the .htaccess anyway, it could be interesting if there was an option to divert any 404 to a specific page (now featured in most themes).

    2 – for extra login security, consider the Google Authenticator plugin (I use the Henrick Schack version). This adds a password to any login which changes every 30 seconds and once you set up the Google Authenticator app on a smartphone with your site details it will give you this password (it’s very easy – works with a barcode you scan from the screen), or for those with Firefox on the desktop, get the GAuth extension.

    Cheers, Peter

  2. admin says:
    January 20, 2014 at 8:01 pm

    @Jose, This other one doesn’t use any cookie. This one changes the WP Admin login URL of your site. Yes you can enable both these brute force prevention methods together on a site.

  3. Jose Luis Yañez says:
    January 20, 2014 at 11:48 am

    Hello there,

    I have just seen the newly added Brute-Force feature in this last update of this week and I am wondering if you please could help me clarify its use and difference with the cookie-based brute-force prevention feature.

    More specifically, I would like to know if this new brute-force feature (non-cookie based) can be used in a membership site, as I cannot use the cookie-based one. And if so, what should I take into account to make sure this does not negatively affect the login of current members.

    And second, for a non-membership site, where the cookie-based feature is already in place, can this new non-cookie-based feature be added as well? Can both be working together, so to speak? Does it make sense? Or is it one or the other?

    Many thanks for your help and congratulations for this amazing plugin.

    Jose

  4. José Luis Yañez says:
    November 30, 2013 at 11:07 pm

    I see, thank you very much for your reply. I appreciate it.

    Regards,

    Jose

  5. admin says:
    November 30, 2013 at 8:15 pm

    @Jose, You won’t be able to use the cookie based brute force login prevention feature if you are setting up a membership site that needs access to the wp-admin/login area by other users.

  6. Jose Luis Yañez says:
    November 30, 2013 at 12:13 pm

    Hello there,

    I am testing this plugin on a local installation and I’m loving it. Just a question about the Cookie Based Brute Force Login Attack Prevention Feature: I am using a membership plugin (Fastmember)… how can I avoid member users trying to log in being redirected to the redirection URL set up with this feature?

    Cheers,

    Jose

  7. admin says:
    October 2, 2013 at 3:21 am

    Hi Brian, Give me the URL of your site so I can check and make sure the brute force prevention feature is working correctly on your site. If you are using the cookie based brute force prevention feature then you actually do not need the login lockdown feature, so you can turn this option off.

  8. Brian says:
    October 2, 2013 at 2:27 am

    Hi,

    Thank you for this fantastic plugin, it is amazing.

    I do have one question. I have been seeing multiple site lockout notifications for my site recently from a whole range of IP addresses. The messages are always something like this:
    lockdown event has occurred due to too many failed login attempts or invalid username:
    Username: whatever
    IP Address: 125.26.14.115

    IP Range: 125.26.14.*

    Log into your site’s WordPress administration panel to see the duration of the lockout or to unlock the user.

    I enabled cookie-based brute force protection as I was getting nervous, but since I enabled it, I am still getting site lockout notices. I’m wondering how that can be if they need the cookie/secret URL to attempt to log in?

    Thanks,
    Brian

  9. khyriana says:
    September 18, 2013 at 1:37 am

    Hi,
    Yes thank you very much, it works. I’ll read your page.
    Have a nice day

  10. admin says:
    September 17, 2013 at 8:49 pm

    @Khyriana, Restore your htaccess file and you should be good. Please take a look at the FAQ section from the following page (there is a tutorial for restoring the htaccess file)
    https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin

  11. khyriana says:
    September 17, 2013 at 9:35 am

    Hi,
    I cannot get into my admin, what should I do?
    Thank you in advance
    Best Regards

  12. admin says:
    September 11, 2013 at 9:12 pm

    @Bradley, As long as you use the special URL (given to you when you set up this feature), you will be fine. The plugin will drop the cookie when you try to access the admin login screen using that secret code.

  13. Bradley Millar says:
    September 11, 2013 at 6:35 am

    What if I reset my browser cache and all cookies are deleted? How do I regain access to my site?

  14. admin says:
    August 26, 2013 at 9:45 pm

    @Teo, The brute force login prevention feature basically stops anyone but the admin (who knows the secret key) from accessing the wp login page. If you are running a membership site that uses WordPress’s built-in login page for authentication then you can’t use this feature. The whole purpose of the feature is to stop anything from going to your wp-login form. See what I mean?

  15. Teo says:
    August 26, 2013 at 3:02 pm

    Hello,

    Thank you for sharing this plugin. Please take a look at the “Brute Force Prevention Firewall Settings”, it seems to be a problem for users to access their own profile, they are redirected to the URL address set in plugin instead of seeing the account data.

    Thank you

  16. Bilal says:
    July 24, 2013 at 7:03 pm

    One of the BEST security plugins I have used in the last few years; my sites were under an eval(…) attack and going to some junk URLs..
    After I finished cleaning up my sites, I installed WP Security Plugin and wow..
    Today I got around 60 emails letting me know my site is under brute attack, failed login attempts are recorded. I didn’t enable brute force attack on these sites because I am using iwp (site management plugin), which failed to login after I enabled the brute attack feature..
    Anyhow I just enabled the Cookie Based Brute Force Login Attack Feature and you know.. in the last 40 minutes ( 0 ) attempts of login at the site have been detected.

    Great to know you people done this great plugin for the WordPress Community.

    The other features i wanted to see in this great plugin in future will be:

    1. Force all users to change passwords after a specified number of days.
    2. Not just rename the admin username to something else but change the ID of the user too (ID 1 for the admin should also be changed to a new ID).
    3. The author display name tip is good, but even changing the display name leaves the author URL as the username; a feature where the user’s archive page is accessed under his display name instead of the username.

    well these are currently in my mind… but let me tell you that you people already save a lot for me. Great Work.

  17. Tore Lunden says:
    July 24, 2013 at 4:11 pm

    Thank you for a very nice and FREE plugin!

    I installed it on a MULTI-SITE today, and had an issue:

    When I changed the admin_user name (as recommended), the database table “site_meta” did not change the “site_admins” value.
    Therefore I was locked out from the Site-admin Dashboard.

    After trying almost everything else, I finally discovered the issue and changed the value manually.
    Now it works perfectly.

    See if the plugin has that bug, or if it was me who messed up while messing around?

    Thanks again! 🙂

  18. admin says:
    July 21, 2013 at 10:20 pm

    @Tony, I did a test but didn’t see the issue. What version of the security and the affiliate plugin are you using?

  19. Tony says:
    July 21, 2013 at 6:41 am

    I see a problem with the Affiliate plugin
    When the Enable 5G Firewall Protection is on
    It’s stopping people from signing up.

    Getting a 403

  20. Pam Preslar says:
    July 15, 2013 at 2:18 am

    Thanks Tips and Tricks for the terrific plug in and the awesome documentation!

    I have been so bugged by my site bogging down inexplicably. Now, not only do I know why that was happening, but I also have eliminated it!

    And for free! You are very kind people!

    Cheers, Pam

  21. admin says:
    July 14, 2013 at 10:21 pm

    Hi Barney, When you say “new” are you referring to the backup that it creates? It would be helpful to know what action is causing the server to throw the 500 error. Your server log will have more details on why this error was thrown. Can you try to find out the reason by looking at your server log?

  22. Barney Davey says:
    July 14, 2013 at 5:55 pm

    First, thank you for creating this plug-in. I love it and appreciate your generosity in making it free. I am now having an issue when I try to add an IP address to the Blacklist manager. Every time I do this, it creates a new .htaccess file that causes a 500 error on the site. I have to rename the plugin and .htaccess file to be able to login. A new basic .htaccess gets created, but it is lacking the features you put in with the plugin.
    Thanks, again!
