Automatic protection for WordPress against ‘Brute Force’ attacks
A “Brute Force” attack is a type of attack in which malicious parties attempt to gain access to a website by repeatedly guessing usernames and passwords. Because WordPress is the most popular CMS in the world, WordPress websites are regular targets of such attacks. WordPress itself has no built-in protection against them, so since November 2021 we have been automatically protecting the SuperFast WordPress websites we manage.
The protection blocks an IP address once it has made 10 or more log-in attempts (successful or failed) within a 5-minute period.
An IP address is released again if no new log-in attempts are made for 10 or more minutes.
The limit of 10 can be raised per website with a change to .htaccess, for example to 20:
# END NON_LSCACHE
WordPressProtect throttle, 20
# BEGIN WordPress
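
The blocking rule described above can be modelled in a few lines to check how a given traffic pattern would be treated, with the default limit and with the raised limit of 20. This is an added example, not the hosting provider's or the web server's own code: it assumes a sliding 5-minute window and that attempts made while blocked reset the 10-minute release timer, and the function name, sample IP addresses and timestamps are constructed.

```python
from collections import defaultdict, deque

LIMIT = 10              # attempts that trigger a block (default from the page)
WINDOW = 5 * 60         # counting window, in seconds
RELEASE_IDLE = 10 * 60  # quiet time after which an IP is released

def simulate(events, limit=LIMIT):
    """events: (epoch_seconds, ip) per log-in attempt, sorted by time.
    Returns a time-sorted list of (time, ip, "block" | "release")."""
    recent = defaultdict(deque)  # ip -> attempt times still inside the window
    last_seen = {}               # ip -> time of the most recent attempt
    blocked = set()
    out = []
    for ts, ip in events:
        # Assumption: release happens once the IP has been quiet long enough.
        if ip in blocked and ts - last_seen[ip] >= RELEASE_IDLE:
            blocked.discard(ip)
            recent[ip].clear()
            out.append((last_seen[ip] + RELEASE_IDLE, ip, "release"))
        last_seen[ip] = ts
        if ip in blocked:
            continue  # assumption: an attempt while blocked only resets the timer
        window = recent[ip]
        window.append(ts)
        while ts - window[0] >= WINDOW:
            window.popleft()  # drop attempts older than the window
        if len(window) >= limit:
            blocked.add(ip)
            out.append((ts, ip, "block"))
    return sorted(out)

# Constructed sample: one client guessing every 20 s, one ordinary user.
SAMPLE = sorted(
    [(t, "203.0.113.7") for t in range(0, 240, 20)]  # 12 attempts in 4 minutes
    + [(900, "203.0.113.7")]                         # returns after a long pause
    + [(0, "198.51.100.4"), (400, "198.51.100.4"), (800, "198.51.100.4")]
)

if __name__ == "__main__":
    for limit in (10, 20):
        print("limit", limit, "->", simulate(SAMPLE, limit=limit))
```

Note that an IP that never returns after being blocked produces no "release" entry here, because releases are only evaluated when a later attempt from that IP is seen.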