Bot Actions: How to detect & capture login bots
You've probably heard about bots a lot lately (those automated programs created to perform repetitive tasks), how they are here to make our lives easier. But, there are many faces of bots - they can be good or bad.
Shield Security is focused on helping you detect and block bad bots, whatever they're up to. To achieve this, we use bot detection rules, or "bot signals".
Signals are just behaviours that bots have which indicate that they could be a bot. With enough of these behaviours, we can get more confident that a particular visitor is a bad bot.
How to detect and capture login bots
Shield provides 2 effective ways ("bot signals") for detecting & capturing login bots:
Detect failed login attempts using valid usernames
Penalise a visitor when they try to login using a valid username but with the wrong password.
If you get a failed WordPress login, this may indicate a bot, or it may be a user who’s forgotten their password. But if you get 20 failed logins in succession, chances are high it’s a bot.
Detect attempted logins with usernames that don't exist
Identify a Bot when it tries to login with a non-existent username or an empty username. This includes the default 'admin' if you've removed that account.
Just like a failed login, this may indicate a bot’s attempt to login. Since it used a non-existent username, chances are higher that it’s a bot, but it’s not 100%.
Important: Legitimate users may get their password wrong, so take care not to block this.
Also, please note that these settings will not apply to the whitelisted IPs.
To access the detect login bots options, simply go to the main navigation menu > Bots & IPs Zone > Bot Actions component configuration:
Here you'll be able to configure each of bot signals independently from each other and you’ll also be able to decide how you want Shield to respond. You’ll have 4 options to choose from:
- Activity Log Only. This option lets you see the activity of these bots on the Activity Log before applying any offenses or blocks to offenders. It’ll let you test-drive the signal before making it take effect.
- Increment Offense (by 1). This option puts another black mark against an IP. As always with the offense system, once the limit is reached for an IP address, it is blocked from accessing the site.
- Double Offense (by 2). We’ve added the ability to give weight to certain behaviours. By allowing the offense counter to increment by 2, the IP will reach the limit more quickly, and be blocked sooner.
- Immediate block. If you decide that a particular signal on your site is severe enough, you can have Shield immediately mark that IP as blocked.
Read more about the offense limit here and the Automatic IP Blacklist System here.
For example, if you configured Activity Log Only for Failed Login option, and a visitor is trying to login with a valid username but with a wrong password, they'll not get blocked / blacklisted. Each failed attempt will be recorded with the WP Activity Log only:
Or, let's say you configured Double Offense for Invalid Usernames option, and you have offense limit set to 6. Each time a visitor attempts to login with a non-existent username, instead of incrementing the offense count by 1, it increments by 2. The visitor's IP will reach the limit (6) more quickly, and be blocked sooner. You can see these activities in your WP Activity Log as well.
Note: You can review and analyse the blacklisted IP by using the IP Management and Analysis tool.
Or, if you configured Immediate block for Invalid Usernames option, and you have offense limit set to i.e. 6, a visitor will be blocked / blacklisted immediately.
Hint: You may also want to use HTTP Request Log to review all logs of HTTP requests made to your WordPress site.
We also recommend you to read:
Note: ShieldPRO is required for the Invalid Usernames option. To find out what the extra ShieldPRO features are and how to purchase, please follow this link here.