How to detect & capture login bots
You've probably heard about bots a lot lately (those automated programs created to perform repetitive tasks), how they are here to make our lives easier. But, there are many faces of bots - they can be good or bad.
Shield Security is focused on helping you detect and block bad bots, whatever they're up to. To achieve this, we use bot detection rules, or "bot signals".
Signals are just behaviours that bots have which indicate that they could be a bot. With enough of these behaviours, we can get more confident that a particular visitor is a bad bot.
How to detect and capture login bots
Shield provides 2 effective ways ("bot signals") for detecting & capturing login bots. It achieves this through its Detect Login Bots feature. You can use this feature to:
- Detect failed login attempts using valid usernames
Penalise a visitor when they try to login using a valid username, but it fails.
If you get a failed WordPress login, this may indicate a bot, or it may be a user who’s forgotten their password. But if you get 20 failed logins in succession, chances are high it’s a bot.
- Detect attempted logins with usernames that don't exist
Identify a Bot when it tries to login with a non-existent username or an empty username. This includes the default 'admin' if you've removed that account.
Just like a failed login, this may indicate a bot’s attempt to login. Since it used a non-existent username, chances are higher that it’s a bot, but it’s not 100%.
Important: Legitimate users may get their password wrong, so take care not to block this.
Also, please note that the Detect Login Bots settings will not apply to the whitelisted IPs.
To access the Detect Login Bots feature, simply go to the Block Bad IPs/Visitors module => Detect Login Bots:
Here you'll be able to configure each of bot signals independently from each other and you’ll also be able to decide how you want Shield to respond. You’ll have 4 options to choose from:
- Audit Log Only. This option lets you see the activity of these bots on the audit trail before applying any offenses or blocks to offenders. It’ll let you test-drive the signal before making it take effect.
- Increment Offense (by 1). This option puts another black mark against an IP. As always with the offense system, once the limit is reached for an IP address, it is blocked from accessing the site.
- Double Offense (by 2). We’ve added the ability to give weight to certain behaviours. By allowing the offense
counter to increment by 2, the IP will reach the limit more quickly, and be blocked sooner.
- Immediate block. If you decide that a particular signal on your site is severe enough, you can have Shield immediately mark that IP as blocked.
For example, if you configured Audit Trail Only for Failed Login option, and a visitor is trying to login with a valid username but with a wrong password, they'll not get blocked / blacklisted. Each failed attempt will be recorded with the Audit Trail only:
Or, let's say you configured Double Offense for Invalid Usernames option, and you have offense limit set to 6. Each time a visitor attempts to login with a non-existent username, instead of incrementing the offense count by 1, it increments by 2. The visitor's IP will reach the limit (6) more quickly, and be blocked sooner. You can see these activities in your Audit Trail:
Note: You can review the blacklisted IP under the Manage IPs section:
Or, if you configured Immediate block for Invalid Usernames option, and you have offense limit set to i.e. 6, a visitor will be blocked / blacklisted immediately. You can see these activities in your Audit Trail:
Hint: You may also want to use Traffic Watch Viewer to review all logs of HTTP requests made to your WordPress site.
We also recommend you to read:
Note: ShieldPRO is required for the Invalid Usernames feature. To find out what the extra ShieldPRO features are and how to purchase, please follow this link here.