Overview

WordPress security has always been an interesting topic for discussion and a concern for many small and large businesses. WordPress is an open-source and secure Content Management System (CMS), and hundreds of developers look after it, but that does not mean that your website won’t ever deal with intruders. Those malicious actors tend to attack small websites because website owners think their online business would be the least of their concerns. Therefore, precautions are always necessary regardless of whether you have a big website; it is still safe to introduce extra layers of security and follow the best security practices.

Question

How many times did you spot your website performance degrading because some bots were targeting your website to acquire possession of it, gather information, or cause some damage?

At Cloudways, your application’s security is our top concern. We believe that it is not just about getting rid of all the threats but also about risk reduction. Therefore, we are constantly taking measures to enhance the security of the platform you trust. Thus, we are introducing a new one-stop solution called Bot Protection, in collaboration with BlogVault Malcare.

Bot Protection

Bot Protection aims to identify and block malicious traffic, protect from attacks like Dictionary attacks, Web Scraping, XMLRPC attacks, and Brute Force attacks. It also helps to reduce server resource usage for WordPress applications. These attacks are targeted to gain unauthorized access to your website or overwhelm it, but Bot Protection monitors all these activities and proactively blocks them upon detection.

Here are the top features of Bot Protection:

  • No setup or installation; toggle Bot Protection ‘On’, and let it do its job.

  • Login Page protection.

  • Filtering of Bad Bots and Rouge Traffic.

  • Independent dashboard for monitoring.

  • Included in all Server Plans.

  • No impact on site performance.

The Bot Protection features will grow from time to time based on your feedback. Hence the reason why Cloudways sought to deliver on this aspect by going above and beyond partnering with known (and highly competent) industry players to help build these capabilities in our platform. Should you have any suggestions of features you would like to see within this package, leave your opinion on our feedback forum. Let’s dive in deep to assess all these features.

Login Page Protection

Bots use Brute Force attacks to target login pages by submitting many different passwords or passphrases with the hope of eventually guessing correctly. By default, WordPress enforces no restrictions on how many unsuccessful logins can be tolerated, leading to bots trying to take full advantage of it.

Important

  • Setting a strong login password is crucial because that is your first defense against these security breaches. Ideally, a strong password should be long and a combination of case-sensitive alphabets, symbols, and numbers.

  • Also, many security experts suggest changing the password regularly.

Bot Protection offers CAPTCHA login protection to protect your site from any unwanted logins. The CAPTCHA screen triggers when four unsuccessful logins are attempted. A small test is shown to differentiate between a human and a bot.

Once the CAPTCHA is solved, you will be sent to the login screen to log in. After another ten unsuccessful attempts, you will be locked out of your account for 30 minutes.

Bad Bots and Rouge Traffic Filtering

The built-in monitoring system of Bot Protection monitors all kinds of incoming traffic on your site and login page. It also monitors bot crawling because nowadays, bot traffic is higher than it has ever been. If it finds any illegitimate traffic or observes any unusual activity, it will automatically block those IP addresses and bots. Usually, bad bots have invalid or empty user agents that do not match with the actual browsers.

How to Activate Bot Protection

Bot Protection is activated by default on all WordPress applications launched after July 23rd, 2020. However, you can activate it manually on all your previously installed applications. Here is how you can do it.

Important

  • Once the Bot Protection is active, you will also see the Bot Protection plugin available in your wp-admin plugins section.

  • Please note that Bot Protection can only be managed from your Cloudways Platform.

Step #1 — Navigate to Bot Protection

Log in to your Cloudways Platform using your email address and password.

  1. From the top menu bar, open Servers.

  2. Then, choose the server where your desired application is deployed.

3. Next, click www.

4. Choose your desired application’s name.

5. Under Application Management, select Bot Protection.

Step #2 — Enabling Bot Protection

Finally, toggle on Active to activate the Bot Protection. Once prompted for confirmation, hit OK to continue.

That’s it! You have successfully activated Bot Protection.

How to Use Bot Protection

It’s time to understand all the metrics and analytics present within the dashboard. Bot Protection will keep activity reports/graphs for the last seven days only. Any older statistical and informational data will not be maintained.


Here, you will notice five distinctive sections in the dashboard (from top to bottom).

  • Quick Stats — This section will give you a quick view of how many requests and login attempts have been blocked.

  • Traffic Request — This preview graph will give you a quick glimpse of how many requests have been allowed and/or blocked.

  • Login Request — This preview graph gives a quick view of how many login attempts are made on your wp-admin panel.

  • All Login Attempts — This section will show quick insights about the recent logins made on your wp-admin portal, including the admin name used.

  • Traffic from Bad Bots — Here, you can quickly view all the bad bots observed on your website and blocked by Bot Protection.

Quicks Stats Section

  1. Inactive/Active: This switch activates and deactivates the Bot Protection feature.

  2. Blocked Traffic: The count of all requests blocked so far by the monitoring system on your website within the applicable time.

  3. Blocked Logins: The count of all attempts being blocked so far by the monitoring system on your login page. Attempts are blocked when there are four unsuccessful logins within the applicable time.

  4. This interval shows the applicable period for all the statistics.

  5. Click Refresh Data to fetch the latest statistics.

Traffic Request

Traffic Request is the actual request any IP/bot is making to your website. A request can employ two primary methods, GET or POST. GET refers to a request to receive data, while POST refers to a request intended to deliver information to your server.

A quick example of a GET request would be https://www.cloudways.com/, which would show up as ‘/’. The GET method is usually intended to gather data about/from your website. On the other hand, a POST request is aimed at functional PHP files present within your websites, such as wp-login.php and wp-cron.php. In general, the aim is to find potential flaws and take advantage of such loopholes.

To see more information about the traffic requests, click Show More.

  1. All: This shows all the traffic statistics and the time of visit, IP address, country, method, path, user agent, response code, and status of whether the request was allowed or blocked.

  2. Allowed: This section filters out all the requests that were allowed.

  3. Blocked: This section filters out all the requests that were blocked.

  4. To whitelist an IP you think is legit, simply click ✓. This means that from now on, Bot Protection will never block that IP address. To remove the IP from the whitelist, click .

  5. Click Refresh Data to fetch the latest statistics.

  6. Click Back to Main to return to the main dashboard.

The reports also present a filtered view of ‘Allowed’ and ‘Blocked’ traffic requests tracking ease. A set of attributes are presented for each request, including:

  • Time — The time this request was made (according to your server time).

  • IP — The source IP from where the request was made.

  • Country — The geolocation of the IP making the request.

  • Method — The type of method used in the request.

  • Path — The resource that the request was trying to POST to or gather information from.

  • User Agent — A fingerprint left by the originating request usually includes what type of Application/OS was used to make the query.

  • Response — The HTTP code the requesting IP got, which might help understand what the client could view from their end.

Default codes guidelines;

  • 1xx Informational response

  • 2xx Success

  • 3xx Redirection

  • 4xx Client errors

  • 5xx Server errors

  • Status — Whether a traffic request was permitted or denied.

Login Request

The Login Request graph helps track all the login requests and the breakdown of failed and blocked logins. Login requests are a subset of traffic requests, e.g., if total hits on your website are 43 and you have 13 login requests, then the Login Request will show 13.

To see more information about the login requests, click Show More.

  1. All: This shows all the login requests statistics and the time of the request, IP address, country, username, message, and status whether the login was successful, failed, or blocked.

  2. Failed: This section filters out all the login requests that failed due to invalid credentials.

  3. Blocked: This section filters out all the login requests that were blocked.

  4. Succeeded: This section filters out all the successful login requests.

  5. To whitelist an IP you think is legit, simply click . This means that from now on, Bot Protection will never block that IP address. To remove the IP from the whitelist, click .

  6. Click Refresh Data to fetch the latest statistics.

  7. Click Back to Main to return to the main dashboard.

The reports also present a filtered view of ‘Failed’, ‘Blocked’, and ‘Succeeded’ login requests for tracking ease. A set of attributes are presented for each request, including:

  • Time — The time this request was made (according to your server time).

  • IP — The source IP from where the request was made.

  • Country — The geolocation of the IP address.

  • Username — The username used to attempt to log in.

  • Message — What error message login screen showed due to unsuccessful login.

  • Status — Whether a request was permitted or denied.

All Login Attempts

This section provides quick insight into a few recent logins. Here, you can gather a quick glimpse of what username has been used for logging in successfully. No failed attempts will be shown in this section. To see more information, click Show More.

Traffic from Bad Bots

This section displays those bots which are flagged as bad and blocked. To see more information or whitelist any bot you think is legitimate, click Show More.

Here, you will find more insights about the bad bots crawling on your site. To whitelist any bot, simply click . This means that from now on, Bot Protection will never block that IP address. To remove the bot from the whitelist, click .

Important

You may experience some delay when requesting actions such as whitelisting over Bot Protection. This is caused due to the time required to collect data from your server according to the new configuration and reporting it.

That’s it! We hope this article was helpful. If you need any help, then feel free to search your query on Cloudways Support Center or contact us via chat (Need a Hand > Send us a Message). Alternatively, you can also create a support ticket.

FAQs

What is the difference between Bot Protection and standalone Malcare plugins?

Bot Protection is an integrated feature of the Cloudways Platform and can easily be managed from the Platform; whereas, Malcare plugins are installed separately from the WordPress plugin repository. Malcare offerings within its packages will differ from what Cloudways has packaged within Bot Protection. For example, Malcare free version refreshes every hour to provide the latest statistics; whereas, Bot Protection fetches the latest statistics every five minutes; click Refresh Data to see the latest hits.

The hand-picked features and visibility within Bot Protection aim at a simple yet functional solution that can cater to most Cloudways customers running using WordPress.

Can I have Malcare and Bot Protection active at the same time?

To answer this question, we have the following scenario:

  • If you have a Premium Malcare plugin, you can also activate Bot Protection from the Cloudways Platform.

  • If you have a free Malcare plugin, then you can not activate Bot Protection. Instead, you need to uninstall your Malcare plugin to install Bot Protection.

I have a custom login page or a custom folder structure. Will Bot Protection still protect it?

Yes, Bot Protection will still track all the traffic and perform necessary actions on a custom login page beside the default wp-login.php page.

I already had Malcare installed before migrating to the Cloudways; what will happen?

That shouldn’t be a problem. If you had such a plugin installed before but kept it deactivated from your wp-admin, our interface would show as ‘inactive’. Should you wish to use Bot Protection, remove the old plugin, and toggle ‘active’ from the Bot Protection page.

Will the Bot Protection be active on the destination application or server if I clone it?

If Bot Protection is active on your application and clone your server or application, it will also be active on your destination application.

Will Bot Protection alert me if any user is blocked or a suspicious traffic attempt is blocked?

You can view all the statistics within the dashboard, yet no email alerts or bot notifications will be sent.

Can I manually enter bad IPs or Bot names, which I already know I want to block?

No, you can only choose and allow the IP/traffic which has already attempted to connect to your website and was previously blocked for the time being. However, the current manual functionality within this feature will enable you to manually ‘allow’ not ‘block’.

Will Bot Protection protect my site from any advanced attacks such as DDoS attacks?

This feature set does not entertain volumetric-type attacks or any unlisted malicious methods.

How many applications can I enable this feature for?

We do not restrict you on the number of installations; thus, you can enable it for any WordPress application on any Cloudways server.

Where can I find the working directory for Bot Protection?

Bot Protection working directory will be located within your WordPress plugins directory. Once accessed this directory, you should be able to locate a folder named ‘Malcare’.

Can I increase the functionality within the Bot Protection package?

No, the feature is currently being offered as part of your subscription, as is. However, should you have any suggestions of features you would like to see within this package, leave your opinion on our feedback forum.

What happens when I toggle between Inactive/Active Bot Protection from Cloudways Platform?

When you activate the Bot Protection from the Cloudways Platform, the system will install the plugin for your WordPress application. If you deactivate it, then the plugin will be uninstalled. Please note that this switch is application-based, so your one application can have active Bot Protection, and other applications can have inactive simultaneously.

Can I use Bot Protection if I already have another security plugin?

We recommend using only one security plugin at a time.

Can I activate or deactivate the Bot Protection from WP-Admin Panel?

No, Bot Protection is exclusively available for Cloudways clients; therefore, it can only be enabled and disabled from the Cloudways Platform.

Did this answer your question?