Limit Login Attempts
A Wordpress plugin

Limit rate of login attempts, including by way of cookies, for each IP.
NEW: Consider trying version 2.0beta3 (check readme for details).
Description
Limit the number of login attempts possible both through normal login as well as (WordPress 2.7+) using auth cookies.
By default WordPress allows unlimited login attempts, either through the login page or by sending specially crafted auth cookies. This lets passwords (or hashes) be brute-force cracked with relative ease.
Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, which makes a brute-force attack from a single address slow and impractical. Because the limit is per IP, an attacker spread over many addresses is slowed less, so the plugin complements rather than replaces strong passwords.
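The enforcement described above, as an added example rather than the plugin's own code: failed attempts are counted per IP, the address is locked out once the limit is reached, the lockout expires on its own, and the text shown for a wrong username is identical to the text for a wrong password (the information leak the version 1.2 notes mention). The class name, the in-memory arrays standing in for the wp_options rows the plugin keeps, and the limits of 4 retries, a 20 minute lockout and 12 hours until the retry count resets are all assumptions chosen for the example, not values taken from the plugin.

```php
<?php
// Added example, not code from the Limit Login Attempts plugin.
// Counts failed logins per IP, locks the address out once the limit is hit,
// lets the lockout expire, and returns one generic error text for both a bad
// username and a bad password. The arrays stand in for the wp_options rows the
// plugin keeps (assumption); the limits below are values chosen for the example.

class LoginLimiter
{
    private $allowedRetries;
    private $lockoutSeconds;
    private $retryWindow;
    private $retries = array();   // ip => array('count' => n, 'valid_until' => unix ts)
    private $lockouts = array();  // ip => unix ts when the lockout ends

    public function __construct($allowedRetries = 4, $lockoutSeconds = 1200, $retryWindow = 43200)
    {
        $this->allowedRetries = $allowedRetries;
        $this->lockoutSeconds = $lockoutSeconds;
        $this->retryWindow    = $retryWindow;
    }

    // Seconds left on an active lockout for $ip, or 0 when it may try again.
    public function lockoutRemaining($ip, $now)
    {
        if (isset($this->lockouts[$ip]) && $this->lockouts[$ip] > $now) {
            return $this->lockouts[$ip] - $now;
        }
        unset($this->lockouts[$ip]); // expired (or never set): forget it
        return 0;
    }

    // Record a failed login from $ip. Returns the retries left before lockout.
    public function recordFailure($ip, $now)
    {
        $entry = isset($this->retries[$ip]) ? $this->retries[$ip] : null;
        if ($entry === null || $entry['valid_until'] < $now) {
            // No recent failures: start a fresh retry window.
            $entry = array('count' => 0, 'valid_until' => $now + $this->retryWindow);
        }
        $entry['count']++;

        if ($entry['count'] >= $this->allowedRetries) {
            $this->lockouts[$ip] = $now + $this->lockoutSeconds;
            unset($this->retries[$ip]); // the next window starts after the lockout
            return 0;
        }
        $this->retries[$ip] = $entry;
        return $this->allowedRetries - $entry['count'];
    }

    // A successful login clears the counter; an active lockout is left alone.
    public function recordSuccess($ip)
    {
        unset($this->retries[$ip]);
    }

    // Text shown on the login form. The caller should show this instead of
    // WordPress's own per-error messages, so the form does not confirm which
    // usernames exist.
    public function errorMessage($ip, $now)
    {
        $remaining = $this->lockoutRemaining($ip, $now);
        if ($remaining > 0) {
            return sprintf('Too many failed login attempts. Please try again in %d minutes.',
                           ceil($remaining / 60));
        }
        $used = isset($this->retries[$ip]) ? $this->retries[$ip]['count'] : 0;
        return sprintf('Incorrect username or password. %d attempts remaining.',
                       $this->allowedRetries - $used);
    }
}

// Walk-through with a constructed client address (RFC 5737 documentation range).
$limiter = new LoginLimiter(4, 1200, 43200);
$ip = '203.0.113.10';
$t  = 1000000;
for ($i = 1; $i <= 4; $i++) {
    $left = $limiter->recordFailure($ip, $t + $i);
    echo "failure $i from $ip: $left retries left; ", $limiter->errorMessage($ip, $t + $i), "\n";
}
// After the fourth failure the address is locked out for lockoutSeconds.
echo 'lockout seconds remaining: ', $limiter->lockoutRemaining($ip, $t + 10), "\n";
// Once the lockout has expired the counter starts again from zero.
echo 'lockout seconds remaining: ', $limiter->lockoutRemaining($ip, $t + 10 + 1200), "\n";
```

Inside WordPress the same logic would hang off the wp_login_failed action (to call recordFailure) and the wp_authenticate or authenticate filter (to refuse a locked-out address before the password is even checked), with the two arrays persisted through get_option/update_option; that wiring is left out here so the block runs stand-alone with plain php.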
Features
- Limit the number of retry attempts when logging in (for each IP). Fully customizable
- (WordPress 2.7+) Limit the number of attempts to log in using auth cookies in same way
- Informs user about remaining retries or lock out time on login page
- Optional logging, optional email notification
- Handles server behind reverse proxy
Translations: Bulgarian, Catalan, Czech, German, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish
Plugin uses standard actions and filters only.
Download
You can always find the latest version to download here.
Installation
- Download and extract plugin files to a folder in your wp-content/plugins directory.
- Activate the plugin through the WordPress admin interface.
- Customize the settings from the options page, if desired. If your server is located behind a reverse proxy, make sure to change this setting.
Requires at least WordPress 2.5, tested up to WordPress 2.8.4. There is a known incompatibility with the Absolute Privacy plugin (it replaces a pluggable function which I cannot work around while supporting WordPress versions prior to 2.8).
Screenshots
- Loginscreen after failed login with retries remaining
- Loginscreen during lockout
- Administration interface in WordPress 2.7
- Administration interface in WordPress 2.5
FAQ
- What is this option about site connection and reverse proxy?
A reverse proxy is a server between the site and the Internet (perhaps handling caching or load balancing). When one is in front of the site, the web server only sees the proxy's address as the connecting peer, so getting the correct client IP to block is slightly more complicated. The option defaults to NOT being behind a proxy, which should be by far the most common case. Only enable it when a proxy really is in front of the site: if the plugin trusts a forwarded-for header on a direct connection, any client can set that header and choose which address gets locked out.
- How do I know if my site is behind a reverse proxy?
You probably are not, or you would know. We show a pretty good guess on the options page. Set the option using this unless you are sure you know better.
- What do I do if I get a notice about it being unable to replace wp_get_current_user()?
Limit Login Attempts no longer replaces any pluggable functions.
- Why write a new plugin instead of using Login Lockdown?
When looking at it I was not satisfied with how Login Lockdown solved the technical issues. I also found a number of ways to improve things: handle auth cookie logins, show users how many login attempts remain and for how long they are locked out, and offer the option to notify the admin about lockouts.
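How the address to rate-limit can be chosen under that option, as an added example rather than the plugin's code: on a direct connection only REMOTE_ADDR is used, and behind a proxy X-Forwarded-For is read from right to left past the proxies we run ourselves. The function name, the $behindProxy flag standing in for the plugin's site-connection option, and the trusted-proxy list (an extra check this page does not mention) are assumptions; the request arrays are constructed.

```php
<?php
// Added example, not plugin code: which address a login attempt is charged to.
// $behindProxy stands in for the plugin's site-connection option (assumption);
// the trusted-proxy list is an extra check added here, not a plugin feature.

function limit_login_client_ip(array $server, $behindProxy, array $trustedProxies = array())
{
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';

    // Direct connection: the TCP peer is the client. X-Forwarded-For is ignored
    // here on purpose: any client can send that header and would otherwise
    // pick which address gets locked out (or rotate it to never get locked out).
    if (!$behindProxy) {
        return $peer;
    }

    // Behind a proxy: only trust the header if it arrived from a proxy we run.
    // With an empty list the header is accepted from any peer, which is only
    // safe if the web server is unreachable except through the proxy.
    if (!empty($trustedProxies) && !in_array($peer, $trustedProxies, true)) {
        return $peer;
    }
    if (empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }

    // X-Forwarded-For reads "client, proxy1, proxy2, ...". Each proxy appends
    // the address it saw, so walk from the right past our own proxies and take
    // the first address that is not ours; anything left of it is client-supplied.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trustedProxies, true)) {
            continue;
        }
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
            return $hops[$i];
        }
        break; // malformed entry: fall back to the peer address
    }
    return $peer;
}

// Constructed requests. Two proxies we run: 10.0.0.5 at the edge, 10.0.0.6
// between it and the web server. The real client 203.0.113.20 sent a forged
// X-Forwarded-For of 198.51.100.7 to try to shift the blame.
$ours = array('10.0.0.5', '10.0.0.6');
$proxied = array(
    'REMOTE_ADDR'          => '10.0.0.6',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 203.0.113.20, 10.0.0.5',
);
$direct = array(
    'REMOTE_ADDR'          => '203.0.113.20',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7',
);

// Proxy option on, proxies listed: the address the edge proxy actually saw.
echo 'behind proxy:      ', limit_login_client_ip($proxied, true, $ours), "\n";
// Proxy option off: the header is ignored and the peer is charged.
echo 'direct, no proxy:  ', limit_login_client_ip($direct, false), "\n";
// Misconfiguration: proxy option on with no proxy in front and no list,
// so the client-supplied header decides which address gets locked out.
echo 'direct, misconfig: ', limit_login_client_ip($direct, true), "\n";
```

The third call is the case the FAQ warns about: with the option enabled on a site that is not actually proxied, a brute-forcer can put a fresh address in the header on every request and never reach the retry limit. The trusted-proxy list closes the same hole for sites where the web server is also reachable directly, which the plugin's single on/off option cannot express.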
Version History
- Version 1.4.1
- Added Turkish translation, thanks to Yazan Canarkadas
- Version 1.4
- Protect admin page update using wp_nonce
- Added Czech translation, thanks to Jakub Jedelsky
- Version 1.3.2
- Added Bulgarian translation, thanks to Hristo Chakarov
- Added Norwegian translation, thanks to Rune Gulbrandsøy
- Added Spanish translation, thanks to Marcelo Pedra
- Added Persian translation, thanks to Mostafa Soufi
- Added Russian translation, thanks to Jack Leonid (http://studio-xl.com)
- Version 1.3.1
- Added Catalan translation, thanks to Robert Buj
- Added Romanian translation, thanks to Robert Tudor
- Version 1.3
- Support for getting the correct IP for clients while server is behind reverse proxy, thanks to Michael Skerwiderski
- Added German translation, thanks to Michael Skerwiderski
- Version 1.2
- No longer replaces pluggable function when cookie handling active. Re-implemented using available actions and filters
- Filter error messages during login to avoid information leak regarding available usernames
- Do not show retries or lockout messages except for login (registration, lost password pages). No change in actual enforcement
- Slightly more aggressive in trimming old retries data
- Version 1.1
- Added translation support
- Added Swedish translation
- During lockout, really filter out all other login errors
- Minor cleanups
- Version 1.0
- Initial release
Hi author, I want to translate your plugin into Russian. Please tell me your email; simply reply to me. Thanks, Fat Cow
Sounds like the plugin I've been looking for! Will it work with WordPress MU? Any idea how it might work with users logging in via Simple:Press Forums?
Our server blocks IPs after 5 failed attempts, but people still lock themselves out. I like the warning messages your plugin implements.
Thanks!
Thank you.
I know people have used it with MU -- apparently successfully -- but I have not tested myself.
I took a brief look at Simple:Press and it appears at first glance to use the normal WP login functions which should make the core functionality work though the warnings will probably not show up in what looked like various inline login forms.
Please report any success or failure!
@Johan
Plugin looks great... I've installed it on a development site I have set up on a local server using XAMPP. If all goes well, I will use on live site.
Good feature is that it doesn't tell you if the username or password is incorrect, so it doesn't give the hackers any clues.
When I test it on my local site, and eventually lock myself out, does deactivating and reactivating the plugin return the failed attempts to zero? Or do I have to remove and reinstall the plugin?
Thanks for sharing.
It can be noted though that there are numerous more subtle ways to find valid user login names in stock wordpress -- the big target for plugin version 2 (unfortunately delayed and still in beta).
Re. lockouts:
The plugin admin page allows you to reset current lockouts. Unfortunately, you have to be able to login to get there...
Currently I never clear active lockouts in any other case (even reinstall) -- I'll put it on the todo list, it is a good idea.
If you have access to the database and are comfortable with SQL (HACK WARNING) you can remove them directly (`UPDATE wp_options SET option_value = '' WHERE option_name = 'limit_login_lockouts'`).
I would recommend using a short lockout time while evaluating the plugin. Deactivating the plugin will obviously let you login.
@Johan
Sent details of your plugin to Shinephp and the guy over there did a review... see link below:
http://www.shinephp.com/limit-login-attempts-1-4-1-wordpress-plugin-r...
He recommended your plugin over Login lockdown
I will install on my live site.
Just thought I'd provide some MU / Simple:Press feedback... using our dev. environment, v2.0b3 seemed to work perfectly on our main blog running WPMU 2.8.5.2. It also seems to play nice with Simple:Press since any login errors are shown on the WP login screen, not inline on the Forums page.
I may or may not install this on our production site quite yet though, for the following reason. Limit-Login must be placed in the Plugins folder to work, and then it only works for the blog on which it is activated. We do not want to give all users this level of control. Using WPMU Plugin Manager, I limited activation to the main blog only, and this solves half the problem: sub blogs no longer have access to the plugin, but then it no longer limits/logs login attempts on those blogs either.
Since our primary concern is users locking themselves out after 5 failed logins (via our firewall settings) when signing in on the Forums page, this plugin may very well meet our needs, since only a few users may be logging in directly via their own blog.
I like the ample warning it provides, and how it logs IP addresses. A nice feature would be the ability to remove ban from specific IPs, instead of all at once.
Thanks again, keep up the good work!
Thanks for the feedback.
I've been looking at MU recently and hope to add real support for it once I get 2.0 out the doors.
Amazing plugin.
However, I wish that it would work well with the Login with Ajax plugin/widget, as I noticed that the error message produced by the Limit Login Attempts plugin isn't immediately displayed on the Login with Ajax widget. It appears there's a loop delay ... Strange?
Please keep me posted if there's a possible solution to this 'hiccup' ...
Cheers ... Jason
Would love better support for MU if possible! Loving what this plugin provides so far on the main blog! Thanks for your work.
Very cool Plugin ! Thanks!
How does this plugin work in WordPress 2.9.1?
Hey,
I use WordPress MU (2.9.1.1) and I just spent some time reworking the plugin (1.4.1) to be more MU friendly. I will mention that this plugin works FANTASTICALLY with WordPress MU 2.9.1.1. Other MU users may find this useful. A couple of things...
First, I set the variables at the top of the plugin's .php file that I wanted to be global. The file is very well annotated by the author, OMG thank you! Very easy to control what variables the plugin activates with, thanks to great coding and thoughtful annotation.
Then I changed the function that mails the lockout notification to the administrator, so that it will email the super site admin (me) rather than that particular sub-blog's admin. What I did was modify the get_option on line 394 to say:
@wp_mail(get_site_option('admin_email'), $subject, $message);
Then I changed the code where it constructs the plugin's dashboard submenu. I changed it so that it would show under the Site Admin menu instead of Settings. That way only the super site admin can see it and not the sub-blog administrators. I changed line 607 to:
add_submenu_page('wpmu-admin.php', 'Limit Login Attempts', 'Limit Login Attempts', 10, 'limit-login-attempts', 'limit_login_option_page');
Then I used the plugin manager to auto-activate the plugin for all users sitewide. That way any newly generated blogs will automatically activate the plugin with the settings I want, and having moved the menu, users can't modify them.
It is important to note that if the Plugins menu is accessible to your users, they can deactivate the plugin. Rather than attempt to solve this, I will just hope that my users are not that stupid.
hope this helps...
Oh, the settings I changed to my liking were:
login attempts moved to 5,
lockout time decreased to 15 min.
lockout log settings changed to 'log, email'
and notify email after 1 lockout