What is WP-Bruiser?
WP-Bruiser, formerly known as “Goodbye Captcha”, is a free plugin for WordPress which blocks bot spam in your comment forms. It also has some non-free extensions which integrate with various popular contact forms and other add-ons to block bot spam in those as well. It does this using a token system which bots cannot defeat. This eliminates the need to annoy your users with a “Captcha” and presents a more professional web experience to your visitors. WP-Bruiser also includes some security features, and those are what we are going to focus on today.
From your WordPress dashboard you can go to Plugins -> Add New and search for WP-Bruiser. You’ll find it in the standard WordPress plugin repository, where you can install and activate it. The WP-Bruiser settings page has several tabs at the top of the screen. The first tab, labeled simply “Settings”, is not strictly security related.
The next tab offers a number of useful security features. At the top you can see the Brute Force settings. For maximum security you should enable all of these. If you want your website to be reachable from anonymous Tor exit nodes, leave the Anonymous Proxy IPs option unchecked, but be warned that a lot of attacks come through the Tor network.
Next you’ll see ‘White Listed IPs’, where you can provide IP addresses which should never be blocked from the website. This section helpfully tells you your own IP in case you want to add it, but be aware that your IP might change, and if it does you’ll want to update this section.
Following that is ‘Black Listed IPs’ which is where you can manually enter IP addresses you would like to ‘ban’ from accessing your site.
I recommend enabling all of the options in the WordPress Standard Forms Settings box, the first box you see. This extends WP-Bruiser to prevent bots from registering accounts, as well as preventing certain kinds of scripted bot behaviour. Chances are you don’t want bots doing anything on your website.
The next section is ‘Tweaking WordPress’. You should enable Hide WordPress Version. Nobody needs to know what version of WordPress you’re using, and attackers will use that information to look up known vulnerabilities for your version. Next you should enable Remove RSD Header and Remove WLW Header if you don’t explicitly require them. If you aren’t making use of XML-RPC, and most people aren’t, then you should enable both of those options as well.
The next few tabs are specific to various extensions and outside the scope of this tutorial. If you are using any of those plugins I recommend paying for the license to integrate WP-Bruiser’s features with them. I personally use the Contact Form 7 extension on many websites and it has completely eliminated contact form spam.
The login notification is a very handy feature. You should configure your e-mail address in the field provided and enable both checkboxes. This will notify you any time an administrator logs into your website, which can alert you if someone has compromised your website. If many people work on your site, have everyone use ‘Editor’ level accounts or lower for day-to-day tasks, so that administrator logins stay rare enough to notice.
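To show what the ‘Tweaking WordPress’ options and the administrator login notification do under the hood, here is an added example of a small must-use plugin that applies the same hardening with WordPress’s own hooks. This is illustrative code written for this page, not WP-Bruiser’s own implementation; the file name, the e-mail wording and the choice of `manage_options` as the “administrator” test are my own assumptions.

```php
<?php
/**
 * Plugin Name: Hardening Tweaks (illustrative example, not WP-Bruiser)
 * Save as wp-content/mu-plugins/hardening-tweaks.php so it loads automatically.
 */

// Hide the WordPress version: the 'the_generator' filter feeds both the
// <meta name="generator"> tag in <head> and the generator tag in RSS feeds.
add_filter( 'the_generator', '__return_empty_string' );

// Remove the Really Simple Discovery (RSD) and Windows Live Writer (WLW)
// manifest links from <head>; both advertise the site as a WordPress install.
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );

// Disable XML-RPC. The filter turns off the authenticated XML-RPC methods;
// the X-Pingback response header is dropped too so the endpoint is not advertised.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// E-mail the site's admin address whenever an administrator logs in.
// 'manage_options' is the capability only administrators hold by default.
add_action( 'wp_login', function ( $user_login, $user ) {
    if ( ! user_can( $user, 'manage_options' ) ) {
        return;
    }
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    $subject = sprintf( '[%s] Administrator login: %s', get_bloginfo( 'name' ), $user_login );
    $body    = sprintf(
        'Administrator %s logged in at %s (site time) from IP %s.',
        $user_login,
        current_time( 'mysql' ),
        $ip
    );
    wp_mail( get_option( 'admin_email' ), $subject, $body );
}, 10, 2 );
```

Note that `xmlrpc_enabled` only disables the authenticated methods; `xmlrpc.php` still answers requests, so block it at the web server if you want it unreachable entirely.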
That’s it! WP-Bruiser is a very lightweight plugin that still adds a lot of security to a WordPress site, as well as eliminating 100% of bot submissions in your comment and contact forms.