I recently received a hat tip from a happy user of the BruteProtect plugin and decided to give it a try myself. The only configuration BruteProtect requires is applying a free API key so the plugin can communicate with the service. If you’re using the Limit Login Attempts plugin to block unsuccessful login attempts, you’ll need to disable it, as there is no need to run both plugins. The idea behind BruteProtect is very similar to how Akismet operates. I got in touch with Sam Hotchkiss, one of the lead developers behind the plugin/service, and asked him to describe how it works:
BruteProtect is sort of like Akismet, but for your WP login – we track failed logins across a large number of WordPress sites, then analyze that data to find patterns and identify attack bots. The larger our installed base, the more data we have to work with – this results in more complete protection for site owners and fewer false positives. To date, we’ve blocked over 1.3 million malicious login attempts from over 131,000 IP addresses.
The more people that use BruteProtect, the better protected its users are. The blocking and logging happen behind the scenes. However, the plugin creates a new dashboard widget that shows the number of blocked login attempts, and just within the time span of writing this review, it has blocked 72 of them. Sam has told me that they are working on big updates that will be available shortly.
BruteProtect comes from the same folks that are behind QuickForget.com. QuickForget gives you a secure way to send passwords, credit card numbers, SSNs, etc.