My goal is to allow people to comment on my posts without being interrogated or even inconvenienced, while minimizing spam and malicious posts.

After spending the day studying worst-case attacks, attack points, and preventative measures I arrived at what I think is a sensible first level of security. When I say “first level” I mean I like to have a backup plan and if possible, a backup plan for the backup plan. That way if one line of defense begins to fall I’m still protected while setting up another line of defense.

The goal is to make defense as unobtrusive as possible.

Google’s reCAPTCHA is working beautifully on the contact form: 100% effective and, except for a small icon in the bottom corner of the page, totally transparent to the user.

DIVI’s opt-in form also has reCAPTCHA built in, so that’s a no-brainer; I’ll be using it unless Elegant Themes comes up with something better.


Comment Spam

DIVI’s comment module provides a count of the comments but as yet has no reCAPTCHA support. I suspect that will roll out shortly.

I spent most of the day going through dozens of reCAPTCHA modules with a short requirements list:

  • must be compatible with the latest version of WordPress (5.8)
  • must be reCAPTCHA v3 (invisible) compatible
  • must have as many installs as possible with the highest ratio of 5-star to 1-star ratings
  • must cover the registration, login, reset password, comment, and custom forms
  • must hide for registered or white-listed users and/or IPs
  • would like it FREE but, realize people like rewards for outstanding work

The best match I found was reCaptcha by BestWebSoft. I downloaded it from the WordPress Dashboard. It prompted me for setup, and within a few minutes it was working. It’s a little annoying that the setup page shows all the features you don’t get without the PRO version (there’s a lot), but that can be disabled since you may not need the PRO version.

I tested it on all the forms I enabled it on and it worked perfectly. I can’t see any reason not to use it, so it looks like I am about to open the gates on comments. I’ll watch it closely for a few days but it’s looking good so far.
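To show what an invisible (v3) check on the comment form actually does behind the scenes, here is an added example in plain WordPress PHP; it is not the page’s code and not BestWebSoft’s plugin. It assumes the comment form already posts the standard `g-recaptcha-response` token minted for an action named `submit_comment`, and that `RECAPTCHA_SECRET_KEY` is defined in wp-config.php (placeholder, never the real key in source).

```php
<?php
// Added example, not the page's or any plugin's code: server-side reCAPTCHA v3
// verification on WordPress comment submissions. Assumptions: the form posts the
// standard g-recaptcha-response token for the action 'submit_comment', and
// RECAPTCHA_SECRET_KEY is defined in wp-config.php (placeholder value).

add_filter( 'preprocess_comment', function ( array $commentdata ) {
    // Registered users are not challenged (the "hide for registered users" requirement).
    if ( is_user_logged_in() ) {
        return $commentdata;
    }

    $token = isset( $_POST['g-recaptcha-response'] )
        ? sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) )
        : '';
    if ( '' === $token ) {
        wp_die( 'Comment blocked: missing CAPTCHA token.', 'Comment Blocked', array( 'response' => 403 ) );
    }

    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => RECAPTCHA_SECRET_KEY,
            'response' => $token,
            'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        ),
    ) );

    // Fail closed: if Google cannot be reached, refuse the comment rather than publish it.
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_die( 'Comment could not be verified right now; please try again.', 'Verification Error', array( 'response' => 503 ) );
    }

    $result = json_decode( wp_remote_retrieve_body( $response ), true );

    // v3 returns a 0.0-1.0 score instead of a pass/fail. Check the action name too,
    // so a token minted for another form (e.g. the contact form) cannot be reused here.
    $ok = is_array( $result )
        && ! empty( $result['success'] )
        && isset( $result['action'], $result['score'] )
        && 'submit_comment' === $result['action']
        && (float) $result['score'] >= 0.5;

    if ( ! $ok ) {
        wp_die( 'Comment blocked by spam check.', 'Comment Blocked', array( 'response' => 403 ) );
    }

    return $commentdata;
} );
```

The 0.5 threshold is a starting point; lowering it lets more borderline comments through, raising it pushes more of them to moderation.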


Brute-Force Attacks

Google limits reCAPTCHA attempts to 1,000,000 a month. That might sound like a lot under normal circumstances, but when you consider bots and brute-force registration and log-in attacks it’s not hard to imagine even a few hundred thousand a day; one DoS attack could put you over the limit.

From reading the features of BestWebSoft’s reCAPTCHA I noticed it claims to be ‘Compatible with Limit Login Attempts Reloaded’, so I investigated that while I was at it.


Limit Login Attempts Reloaded

This is unbelievable software with over 10,000 active installations and a loyal following of fan-boys.

It likewise has a feature-rich FREE version and an even more impressive PRO version and since I was able to download it from the WordPress Dashboard I did just that.

It was just as easy to install with no hiccups and a beautiful splash page. Every feature I tested worked perfectly but the most impressive thing about this module is the stats and control page now integrated into the dashboard side-panel.

It also covers XML-RPC attacks and shows that since I installed it, it has detected 40 failed log-in attempts today. It’s now 3:15am, so that’s just over three hours.


From Here

That’s it for today but tomorrow I have a couple more lines of defense to implement.

Talk to you later – Kent