Brute-Force Protection
Brute-Force Protection monitors failed login attempts and automatically blocks IP addresses that exceed a specified number of failures.
Why Brute-Force Protection Is Necessary
A brute-force attack systematically tries a massive number of password combinations. If a weak password is in use, it can be cracked within minutes.
- Typical bots can attempt hundreds to thousands of login attempts per second
- Dictionary attacks use leaked password lists (billions of entries)
- WordPress's /wp-login.php has no login attempt limit by default
Settings
Login Attempt Limits
| Setting | Description | Default | Recommended |
|---|---|---|---|
| Max Attempts | Maximum failed attempts before lockout | 5 | Personal: 5 / Business: 3 |
| Monitoring Window | Time period for counting attempts | 5 min | 5 min |
| Lockout Duration | How long the IP block lasts | 15 min | Personal: 15 min / Business: 30 min |
Configuration
- Navigate to SentinelSecurity → Login Security → Brute-Force Protection
- Toggle the switch to Enabled
- Configure each parameter
- Click Save
Lockout Notifications
When an IP is locked out, a notification email is sent to the admin email address. Email notifications allow you to monitor attacks in real time.
Notification contents:
- The locked-out IP address
- Number of failed login attempts
- Date and time of the lockout
The email format (text/HTML) can be changed in the Email Notification settings.
IP Block List
You can view and manage the list of blocked IP addresses.
Viewing the List
Navigate to SentinelSecurity → Login Security → Blocked IP List to see currently blocked IPs. Each entry displays:
- IP address
- Block reason
- Block start time
- Scheduled unblock time
Manual Unblocking
If a legitimate user is accidentally blocked, you can unblock them using the Unblock button in the list.
Permanent Ban List and Allow List
IPs that repeatedly launch attacks can be manually added to the permanent ban list.
- Permanent Ban List: Permanently blocked regardless of lockout duration
- Allow List: IPs excluded from brute-force protection (e.g., your office's static IP)
Threat Intelligence API Integration
To further strengthen brute-force protection, you can integrate with external threat databases.
Supported Providers
| Provider | Type | Free Tier |
|---|---|---|
| Spamhaus DROP/EDROP | IP List | Completely free |
| Project Honey Pot | HTTP:BL | Free (registration required) |
| AbuseIPDB | Score API | 1,000 requests/day |
| IP2Proxy | Proxy Detection | 500 queries/month |
| Cloudflare Radar | Threat API | Check availability |
Scoring Method
- Average Score Method (default): Averages scores from multiple providers for the final decision
- Maximum Score Method: Blocks if any single provider returns a high score
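As an added example (not SentinelSecurity's own code), the following Python sketches the sliding-window lockout from the Login Attempt Limits table together with the allow list, permanent ban list and the two threat-score combination methods. The 0-100 score scale, the block threshold of 80 and all IP addresses are assumptions constructed for the example.

```python
from collections import defaultdict, deque


class BruteForceGuard:
    """Failed-login tracker: Max Attempts within a Monitoring Window
    (seconds) triggers a lockout lasting Lockout Duration (seconds)."""

    def __init__(self, max_attempts=5, window=300, lockout=900,
                 allow_list=(), ban_list=()):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.allow_list = set(allow_list)   # never counted or blocked
        self.ban_list = set(ban_list)       # blocked regardless of duration
        self.failures = defaultdict(deque)  # ip -> timestamps of failures
        self.locked_until = {}              # ip -> lockout expiry timestamp

    def is_blocked(self, ip, now):
        if ip in self.allow_list:
            return False
        if ip in self.ban_list:
            return True
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Register one failed login; return True if it triggers a lockout."""
        if ip in self.allow_list:
            return False
        q = self.failures[ip]
        q.append(now)
        while q and q[0] <= now - self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            q.clear()                           # counting restarts after the lockout
            return True
        return False

    def unblock(self, ip):
        """Manual unblock, as via the Unblock button in the Blocked IP List."""
        self.locked_until.pop(ip, None)
        self.failures.pop(ip, None)


def threat_decision(scores, method="average", threshold=80):
    """Combine per-provider scores (assumed 0-100) with the page's two methods."""
    if not scores:
        return False
    combined = sum(scores) / len(scores) if method == "average" else max(scores)
    return combined >= threshold
```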
Cache Settings
API results are cached to reduce repeated API calls for the same IP. Cache duration options: 1 hour, 6 hours, 24 hours, or 7 days.
If You Get Locked Out
If you enter the wrong password multiple times and lock yourself out:
- Wait: The lockout will automatically expire after the configured duration
- Email Recovery: The lockout notification email may include a recovery link
- Disable Plugin: Rename the plugin folder via FTP to temporarily disable it
Tip: If you have a static office IP address, add it to the Allow List to prevent accidental lockouts.