Login attacks form the bulk of brute force attacks on WordPress sites, so it is no surprise that all the security plugins place special focus on login security. This includes features like limited login attempts, a lockout period, customized error messages and, lastly, email alerts. An email alert is generated to notify you every time a user is locked out after reaching the maximum number of failed login attempts. Unfortunately, these alerts often translate into hundreds of emails in our Inbox every day, making it practically impossible to scan through them.
If you have lots of registered users, there is a high chance that many of these lockouts are genuine login attempts. How many times have you forgotten a password and made multiple attempts to log into a site? It happens quite frequently to me. Most plugins allow only a very small number of failed login attempts by default before sending an email notification. If an email is generated for every such user, imagine the number of false positives that an admin has to deal with. Moreover, the purpose of a security plugin is to prevent attacks and improve security. Once it locks out the user who makes too many failed attempts, the job is already done. The email alert really serves no additional purpose.
Email alerts mostly end up giving us a scare without telling us what we really have to do.
Even if a brute force attack occurs and we receive an email alert, there is little that can be done. Plugins normally resort to blacklisting IPs in the case of repeat offenders. Some forums also recommend adding these offending IPs to the .htaccess file. These steps are very tricky, as you need a good grasp of a whole lot of things like IP addresses, .htaccess syntax, etc. Moreover, if the .htaccess file is edited wrongly, you may even end up locking out genuine users. The admin is also expected to spend a good amount of time cleaning up this list frequently and moving some IPs to the whitelist if needed. The entire process involves a lot of work and can be too challenging for most users.
With hundreds of email alerts landing in our Inbox every day, we may soon be conditioned to ignore them. This can prove disastrous, as we might miss a situation that actually needs our attention.
The number of attacks on WordPress is increasing every year, with new exploits springing up every now and then. As it is nearly impossible for security plugins to prevent every attack, users need to adopt multiple methods to make their sites as secure as possible. Given such a scenario, spending time sorting through email alerts for login attacks looks like a sheer waste of time.