WordPress security has always been an interesting topic for discussion and a concern for many small and large businesses. WordPress is an open-source and secure Content Management System (CMS), and hundreds of developers look after it, but that does not mean that your website won’t ever deal with intruders. Those malicious actors tend to attack small websites because website owners think their online business would be the least of their concerns. Therefore, precautions are always necessary regardless of whether you have a big website; it is still safe to introduce extra layers of security and follow the best security practices.

Question

How many times did you spot your website performance degrading because some bots were targeting your website to acquire possession of it, gather information, or cause some damage?

At Cloudways, your application’s security is our top concern. We believe that it is not just about getting rid of all the threats but also about risk reduction. Therefore, we are constantly taking measures to enhance the security of the platform you trust. Thus, we are introducing a new one-stop solution called Bot Protection in collaboration with BlogVault Malcare.

Bot Protection aims to identify and block malicious traffic, and protect from attacks like Dictionary attacks, Web Scraping, XMLRPC attacks, and Brute Force attacks. It also helps to reduce server resource usage for WordPress applications. These attacks are targeted to gain unauthorized access to your website or overwhelm it, but Bot Protection monitors all these activities and proactively blocks them upon detection.

Here are the top features of Bot Protection:

The Bot Protection features will grow from time to time based on your feedback. Hence the reason why Cloudways sought to deliver on this aspect by going above and beyond partnering with known (and highly competent) industry players to help build these capabilities in our platform. Should you have any suggestions of features you would like to see within this package, leave your opinion on our feedback forum. Let’s dive in deep to assess all these features.

Bots use Brute Force attacks to target login pages by submitting many different passwords or passphrases with the hope of eventually guessing correctly. By default, WordPress enforces no restrictions on how many unsuccessful logins can be tolerated, leading to bots trying to take full advantage of it.

Important

Bot Protection offers CAPTCHA login protection to protect your site from any unwanted logins. The CAPTCHA screen triggers when four unsuccessful logins are attempted. A small test is shown to differentiate between a human and a bot.
​

Once the CAPTCHA is solved, you will be sent to the login screen to log in. After another ten unsuccessful attempts, you will be locked out of your account for 30 minutes.

The built-in monitoring system of Bot Protection monitors all kinds of incoming traffic on your site and login page. It also monitors bot crawling because, nowadays, bot traffic is higher than it has ever been. If it finds any illegitimate traffic or observes any unusual activity, it will automatically block those IP addresses and bots. Usually, bad bots have invalid or empty user agents that do not match with the actual browsers.

Bot Protection is activated by default on all WordPress applications launched after July 23rd, 2020. However, you can activate it manually on all your previously installed applications. Here is how you can do it.

Important

Log in to your Cloudways Platform using your email address and password.

Finally, toggle on Active to activate the Bot Protection. Once prompted for confirmation, hit OK to continue.

That’s it! You have successfully activated Bot Protection.

It’s time to understand all the metrics and analytics present within the dashboard. Bot Protection will keep activity reports/graphs for the last seven days only. Any older statistical and informational data will not be maintained.

Here, you will notice five distinctive sections in the dashboard (from top to bottom).

Traffic Request is the actual request any IP/bot is making to your website. A request can employ two primary methods, GET or POST. GET refers to a request to receive data, while POST refers to a request intended to deliver information to your server.

A quick example of a GET request would be https://www.cloudways.com/, which would show up as ‘/’. The GET method is usually intended to gather data about/from your website. On the other hand, a POST request is aimed at functional PHP files present within your websites, such as wp-login.php and wp-cron.php. In general, the aim is to find potential flaws and take advantage of such loopholes.

To see more information about the traffic requests, click Show More.

The reports also present a filtered view of ‘Allowed’ and ‘Blocked’ traffic requests tracking ease. A set of attributes are presented for each request, including:

Default codes guidelines;

The Login Request graph helps track all the login requests and the breakdown of failed and blocked logins. Login requests are a subset of traffic requests, e.g., if total hits on your website are 43 and you have 13 login requests, then the Login Request will show 13.

To see more information about the login requests, click Show More.

The reports also present a filtered view of ‘Failed’, ‘Blocked’, and ‘Succeeded’ login requests for tracking ease. A set of attributes are presented for each request, including:

This section provides quick insight into a few recent logins. Here, you can gather a quick glimpse of what username has been used for logging in successfully. No failed attempts will be shown in this section. To see more information, click Show More.

This section displays those bots which are flagged as bad and blocked. To see more information or whitelist any bot you think is legitimate, click Show More.

Here, you will find more insights about the bad bots crawling on your site. To whitelist any bot, simply click ✓. This means that from now on, Bot Protection will never block that IP address. To remove the bot from the whitelist, click ✕.

Important

You may experience some delay when requesting actions such as whitelisting over Bot Protection. This is caused due to the time required to collect data from your server according to the new configuration and reporting it.

That’s it! We hope this article was helpful. If you need any help, then feel free to search your query on Cloudways Support Center or contact us via chat (Need a Hand > Send us a Message). Alternatively, you can also create a support ticket.

What is the difference between Bot Protection and standalone Malcare plugins?

Bot Protection is an integrated feature of the Cloudways Platform and can easily be managed from the Platform; whereas, Malcare plugins are installed separately from the WordPress plugin repository. Malcare offerings within its packages will differ from what Cloudways has packaged within Bot Protection. For example, Malcare free version refreshes every hour to provide the latest statistics; whereas, Bot Protection fetches the latest statistics every five minutes; click Refresh Data to see the latest hits.

The hand-picked features and visibility within Bot Protection aim at a simple yet functional solution that can cater to most Cloudways customers running using WordPress.

Can I have Malcare and Bot Protection active at the same time?

To answer this question, we have the following scenario:

I have a custom login page or a custom folder structure. Will Bot Protection still protect it?

Yes, Bot Protection will still track all the traffic and perform necessary actions on a custom login page beside the default wp-login.php page.

I already had Malcare installed before migrating to the Cloudways; what will happen?

That shouldn’t be a problem. If you had such a plugin installed before but kept it deactivated from your wp-admin, our interface would show as ‘inactive’. Should you wish to use Bot Protection, remove the old plugin, and toggle ‘active’ from the Bot Protection page.

Will the Bot Protection be active on the destination application or server if I clone it?

If Bot Protection is active on your application and clone your server or application, it will also be active on your destination application.

Will Bot Protection alert me if any user is blocked or a suspicious traffic attempt is blocked?

You can view all the statistics within the dashboard, yet no email alerts or bot notifications will be sent.

Can I manually enter bad IPs or Bot names, which I already know I want to block?

No, you can only choose and allow the IP/traffic which has already attempted to connect to your website and was previously blocked for the time being. However, the current manual functionality within this feature will enable you to manually ‘allow’ not ‘block’.

Will Bot Protection protect my site from any advanced attacks such as DDoS attacks?

This feature set does not entertain volumetric-type attacks or any unlisted malicious methods.

How many applications can I enable this feature for?

We do not restrict you on the number of installations; thus, you can enable it for any WordPress application on any Cloudways server.

Where can I find the working directory for Bot Protection?

Bot Protection working directory will be located within your WordPress plugins directory. Once accessed this directory, you should be able to locate a folder named ‘Malcare’.

Can I increase the functionality within the Bot Protection package?

No, the feature is currently being offered as part of your subscription, as is. However, should you have any suggestions of features you would like to see within this package, leave your opinion on our feedback forum.

What happens when I toggle between Inactive/Active Bot Protection from Cloudways Platform?

When you activate the Bot Protection from the Cloudways Platform, the system will install the plugin for your WordPress application. If you deactivate it, then the plugin will be uninstalled. Please note that this switch is application-based, so your one application can have active Bot Protection, and other applications can have inactive simultaneously.

Can I use Bot Protection if I already have another security plugin?

We recommend using only one security plugin at a time.

Can I activate or deactivate the Bot Protection from WP-Admin Panel?

No, Bot Protection is exclusively available for Cloudways clients; therefore, it can only be enabled and disabled from the Cloudways Platform.