WordPress Email Notification for Login Security: Helpful or Harmful?
Did you know that over 90,000 hack attempts are made on WordPress sites every single minute of the day? Brute force attacks form a sizeable chunk of the hack attempts made on the Internet today, so it is not surprising that a number of WordPress plugins place special focus on login protection. These features range from limiting login attempts and locking out idle users to changing the login page slug and restricting dashboard access for a specific time. When it comes to the security of the login page, one feature in particular deserves discussion: the WordPress email alerts that are generated whenever a failed login attempt is made on your website.
If your website is the target of a brute force attack, your mailbox is likely to fill with hundreds of emails a day. It is practically impossible to read through and keep track of all of them. For websites with many registered users, there is a high chance that some of these failed login attempts come from genuine users. If a notification email is generated for every single failed login attempt, imagine the number of ‘false positives’ you would receive!
What Purpose Does WordPress Email Notification Serve?
Granted, many security plugins allow a limited number of login attempts before sending a WordPress email notification. But consider this: the two central purposes of a security plugin are to stop hack attempts (for example by limiting login attempts) and to improve the site’s security overall. If a malicious user is locked out after a few failed attempts, the job is already done. What purpose do the WordPress email alerts serve then?
When your site is under a brute force attack and you are constantly receiving emails about failed login attempts, there is very little you can do with that knowledge. The WordPress email notification therefore has barely any value; it only stirs up the website owner and sends them into a panic.
If you do manage to keep track of the emails, you may discover repeat offenders and resort to blocking their IP addresses. Using the .htaccess file you can ban these IP addresses from accessing your site. But banning an IP address comes with its own share of disadvantages. Let’s have a look at some of them.
1. Website Crashing
To ban bad traffic from trying to log in to your site, you need to modify the .htaccess file. The .htaccess file is one of the most important configuration files of your website, and a single mistake can prove catastrophic. If you are not accustomed to handling the WordPress file manager, editing .htaccess can be a big task. Of course, you can take the help of online tutorials on how to edit a .htaccess file, which reduces the risk to some degree. Still, there is a chance of making serious mistakes that cause your site to misbehave or even crash, and recovering from that is a challenge.
2. Search Engine Crawlers Blocked
In some cases, a misconfiguration can block search engine crawlers such as Googlebot from crawling your site. This means your site will neither be indexed nor rank on search engines. Blocking search engine crawlers is an SEO catastrophe: you will lose search engine ranking, which has a direct effect on your traffic and revenue.
3. Visitors Banned
The risk of accidentally banning valid site users is always there; a single mistyped IP address is enough. We have come across forums where website owners have confessed to accidentally banning valid users, and in some cases the admins ended up banning themselves. At times, small countries have only a handful of IP addresses, so blocking them means you unwittingly block out a good number of visitors, which is bad for business.
4. Loss of Potential Audience
One of the most effective ways of preventing a brute force attack is to identify the country it originates from. When a large number of failed login attempts are made from a specific country, you can simply ban the entire country, and no one from that country can access your website.
The primary motive of an online presence is to reach a large audience anywhere in the world; regardless of geographical location, the content on your WordPress site is valuable to many people. By blocking an entire nation, you could be shutting out an entire pool of people interested in your work.
5. It’s Still Possible to Access Your Site
Hackers have access to a network of IP addresses. They rarely stick to one IP because it can get caught and blacklisted, and they rarely target a single site: they launch attacks on a number of sites simultaneously using the cluster of IP addresses they have built. When one of their IP addresses is recognized as malicious, they shift to a different one. It’s a never-ending game of cat and mouse, so blocking IP addresses can sometimes be a temporary relief and nothing more. Since banning IP addresses involves a certain amount of risk, many users tend to avoid it.
This brings us back to the question we asked earlier: what purpose do notifications for WordPress serve? Constant email notifications are annoying at best and can lead to a big disaster.
Remember the boy who cried wolf. With hundreds of WordPress email alerts landing in your inbox every day, you will soon start to ignore them, which is dangerous because you may end up ignoring a situation that genuinely needs your attention. Given that the number of attacks on WordPress is increasing every year, it is far more important to spend time putting the right security service in place than to sort through WordPress email notifications for login protection.
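Added example, not part of the MalCare post and not the code of any plugin it mentions: the script below shows one defender-side alternative to receiving one email per failed attempt, and it also addresses the .htaccess pitfalls listed above. It parses constructed failed-login log lines (the line format, IP addresses and usernames are invented for illustration), raises one summary alert per source IP only after a threshold of failures inside a time window, and renders an Apache 2.4 .htaccess block that denies those IPs on wp-login.php alone, skipping any address that falls inside an operator-supplied allowlist. The log format, function names, thresholds and allowlist are assumptions of this example.

```python
"""
Added example (not from the MalCare post): turn a stream of failed-login
events into one summary alert per offending IP instead of one email per
attempt, and render a .htaccess rule scoped to wp-login.php so the ban
touches neither search-engine crawlers nor ordinary visitors.
The log lines, addresses and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed log lines in an assumed format:
# "<timestamp> FAILED_LOGIN ip=<addr> user=<name>". Not real data.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAILED_LOGIN ip=198.51.100.7 user=admin
2024-05-01T10:00:03 FAILED_LOGIN ip=198.51.100.7 user=administrator
2024-05-01T10:00:04 FAILED_LOGIN ip=198.51.100.7 user=wpadmin
2024-05-01T10:00:06 FAILED_LOGIN ip=198.51.100.7 user=test
2024-05-01T10:00:07 FAILED_LOGIN ip=198.51.100.7 user=root
2024-05-01T10:01:10 FAILED_LOGIN ip=203.0.113.5 user=editor
2024-05-01T10:01:25 FAILED_LOGIN ip=203.0.113.5 user=editor
2024-05-01T10:02:00 FAILED_LOGIN ip=192.0.2.9 user=admin
2024-05-01T10:02:01 FAILED_LOGIN ip=192.0.2.9 user=admin
2024-05-01T10:02:02 FAILED_LOGIN ip=192.0.2.9 user=admin
2024-05-01T10:02:03 FAILED_LOGIN ip=192.0.2.9 user=admin
2024-05-01T10:02:04 FAILED_LOGIN ip=192.0.2.9 user=admin
2024-05-01T10:02:05 FAILED_LOGIN ip=192.0.2.9 user=admin
"""

LINE_RE = re.compile(r"^(\S+) FAILED_LOGIN ip=(\S+) user=(\S+)$")


def parse_events(text):
    """Yield (timestamp, ip, username) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def summarize(events, threshold=5, window=timedelta(minutes=10)):
    """
    Return {ip: {"failures": n, "usernames": [...]}} for every IP that
    reached `threshold` failures inside a sliding `window`. An IP with a
    couple of typos (a genuine user) never appears, so no email is sent.
    """
    per_ip = defaultdict(list)  # ip -> list of (timestamp, username)
    for ts, ip, user in events:
        per_ip[ip].append((ts, user))
    alerts = {}
    for ip, hits in per_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # advance the window start until all hits in it fit the window
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(hits),
                    "usernames": sorted({u for _, u in hits}),
                }
                break
    return alerts


def htaccess_rule(offenders, allowlist):
    """
    Render an Apache 2.4 block that denies the offenders only on wp-login.php.
    Any offender inside the allowlist (your own office range, for instance)
    is dropped so you cannot lock yourself out. Assumes the Apache 2.4
    authorization syntax (Require / RequireAll).
    """
    safe_nets = [ipaddress.ip_network(n) for n in allowlist]
    kept = []
    for ip in sorted(offenders, key=ipaddress.ip_address):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in safe_nets):
            continue
        kept.append(ip)
    if not kept:
        return ""
    lines = ['<Files "wp-login.php">', "  <RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in kept]
    lines += ["  </RequireAll>", "</Files>"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = summarize(parse_events(SAMPLE_LOG))
    for ip, info in found.items():
        print(f"ALERT {ip}: {info['failures']} failures, tried {info['usernames']}")
    print(htaccess_rule(found, allowlist=["192.0.2.0/24"]))
```

Scoping the rule to wp-login.php means search engine crawlers and ordinary visitors, who never request that file, are unaffected, and the allowlist check is the guard against banning yourself; the generated block should still be tried on a staging copy before it goes into a live .htaccess.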
Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.