Blog > Guides > Login Firewall: Access Rules Explained

Login Firewall: Access Rules Explained

In this article, we’ll discuss how you can use login and IP based rules to limit login attempts.

| July 7, 2022 | 3 Min Read

To improve your protection against brute force attacks you can specify Login and IP-based access rules. You can add these rules in two places: In the Login Firewall of the LLAR plugin, and/or in your billing account. This feature is not available for free users.

Login firewall tab in the premium cloud app.

When rules are added directly to the plugin, they will exclusively apply to your website. If performed within your LLAR billing account, the rules will have a universal effect on all websites associated with your account. If implemented in both locations, the rules will synergize; however, the local rules will hold precedence over the global rules, with the exception of the Pass rule (refer to details below).

Rule Types

There are currently 3 types of rules:

Deny

All attempts matching this rule will always be denied unless there is an allow rule that overrides it.

Allow

All attempts matching this rule will be allowed to try to log in. This is the default behavior for any attempt - users can try to log in, but the attempt will be checked using our cloud's security intelligence algorithms (in addition to your own access rules). Use the allow rule when you need to make an exclusion from the deny rule (see examples below).

Pass

All attempts matching this rule will go through without any verification and penalty. This is the default behavior as though the LLAR plugin is not installed, so use this at your own risk! We don't recommend using this rule. Also, note that the pass rule is the most powerful rule and it overrides any other rule. For example, if you denied an IP locally within the site's settings, but added the same IP in your LLAR account with the pass rule, the pass rule will still take priority.

Login Access Rules Examples

Pattern: admin
Rule: deny
Result: All attempts from the "admin" username will be denied.

You can use "*" and "?" in your login (not IP) patterns. "*" replaces any number of characters, "?" replaces just one character.

Pattern 1: *
Rule 1: deny
Pattern 2: admin
Rule 2: allow
Result: Attempts from any username other than "admin" will be denied.
Pattern: admin
Rule: pass
Result: All attempts from the "admin" username will be allowed w/o any limit. Don't do that unless you 100% sure that's what you want.

IP Access Rules Examples

Pattern: 10.0.0.0
Rule: deny
Result: All attempts from the 10.0.0.0 IP will be denied.

You can use CIDR notation.

Pattern: 10.0.0.0/24
Rule: deny
Result: All attempts from the 10.0.0.0-10.0.0.255 IP range will be denied.

Human-friendly ranges are supported too.

Pattern: 10.0.0.0-10.0.0.255
Rule: deny
Result: All attempts from the 10.0.0.0-10.0.0.255 IP range will be denied.
Pattern 1: 10.0.0.0/24
Rule 1: deny
Pattern 2: 10.0.0.10
Rule 2: allow
Result: All attempts from the 10.0.0.0-10.0.0.255 IP range excluding 10.0.0.10 will be denied.

IPv6 are supported too - using both individual and CIDR notations.

Block Logins By Country

Within the Login Firewall, you can choose to restrict logins based on the country. Alongside establishing access rules, we strongly advise setting up this feature to significantly minimize your vulnerability to brute force attacks. You can opt to permit only specific countries or designate certain countries to be denied access.

block logins by country in wordpress using the limit login attempts reloaded cloud app.

About the Author

CMO

Greg Fisher has over 20 years of digital marketing experience. Along with Alex Benko, Greg’s has owned and operated several companies including an online travel agency, tour reservation software, and web host. Greg’s responsibilities at LLAR include marketing and user expansion.