Limit Login Attempts

A WordPress plugin

Loginscreen during lockout

Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable.

Description

Limit the number of login attempts possible both through normal login as well as using auth cookies.

By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.

Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.

Features

  • Limit the number of retry attempts when logging in (for each IP). Fully customizable
  • Limit the number of attempts to log in using auth cookies in same way
  • Informs user about remaining retries or lock out time on login page
  • Optional logging, optional email notification
  • Handles server behind reverse proxy

Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish

Plugin uses standard actions and filters only.

Download

You can always find the latest version to download here.

Installation

  1. Download and extract plugin files to a folder in your wp-content/plugins directory.
  2. Activate the plugin through the WordPress admin interface.
  3. Customize the settings from the options page, if desired. If your server is located behind a reverse proxy make sure to change this setting.
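
Why the reverse-proxy setting in step 3 matters, as an added Python model (not the plugin's PHP code): it shows which address a per-IP limiter ends up counting against under each setting. The `behind_proxy` parameter, the use of the `X-Forwarded-For` header and every address below are assumptions constructed for illustration.

```python
import ipaddress


def client_address(environ, behind_proxy):
    """Pick the address the limiter should count attempts against.

    environ mimics CGI-style request variables. behind_proxy stands in for the
    site-connection option (hypothetical parameter name).
    """
    if behind_proxy:
        forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
        # A proxy appends the peer it saw, so the right-most entry is the one
        # written by the proxy itself; entries to its left came from the client.
        candidate = forwarded.split(",")[-1].strip()
    else:
        candidate = environ.get("REMOTE_ADDR", "")
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        # Missing or malformed value: fall back to the TCP peer address.
        return environ.get("REMOTE_ADDR", "")


# Constructed sample requests: three clients reaching the site through one proxy.
PROXY = "10.0.0.5"
REQUESTS_VIA_PROXY = [
    {"REMOTE_ADDR": PROXY, "HTTP_X_FORWARDED_FOR": "198.51.100.10"},
    {"REMOTE_ADDR": PROXY, "HTTP_X_FORWARDED_FOR": "198.51.100.11"},
    {"REMOTE_ADDR": PROXY, "HTTP_X_FORWARDED_FOR": "192.0.2.99, 198.51.100.12"},
]

# Constructed sample requests: two clients connecting directly, one of which
# sends its own X-Forwarded-For header.
REQUESTS_DIRECT = [
    {"REMOTE_ADDR": "198.51.100.10"},
    {"REMOTE_ADDR": "198.51.100.11", "HTTP_X_FORWARDED_FOR": "192.0.2.1"},
]


def limiter_keys(requests, behind_proxy):
    """Return the distinct addresses the limiter would keep counters for."""
    return sorted({client_address(r, behind_proxy) for r in requests})


if __name__ == "__main__":
    # Behind a proxy but configured as direct: every visitor shares one
    # counter, so one user's failed logins lock out everybody.
    print(limiter_keys(REQUESTS_VIA_PROXY, behind_proxy=False))
    # Behind a proxy and configured as such: one counter per real client.
    print(limiter_keys(REQUESTS_VIA_PROXY, behind_proxy=True))
    # Direct connection, configured as direct: counters follow the TCP peer.
    print(limiter_keys(REQUESTS_DIRECT, behind_proxy=False))
    # Direct connection but configured as proxied: the counter follows a
    # header value the client wrote, not the connecting address.
    print(limiter_keys(REQUESTS_DIRECT, behind_proxy=True))
```
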

Requires at least WordPress 2.8, tested up to WordPress 3.1-RC4.

Screenshots

  1. Loginscreen after failed login with retries remaining
  2. Loginscreen during lockout
  3. Administration interface in WordPress 2.7

FAQ

  • Why not reset failed attempts on a successful login?
    This is very much by design. Otherwise you could brute force the “admin” password by logging in as your own user every 4th attempt.
  • What is this option about site connection and reverse proxy?
    A reverse proxy is a server in between the site and the Internet (perhaps handling caching or load-balancing). This makes getting the correct client IP to block slightly more complicated. The option defaults to NOT being behind a proxy, which should be by far the common case.
  • How do I know if my site is behind a reverse proxy?
    You probably are not or you would know. We show a pretty good guess on the option page. Set the option using this unless you are sure you know better.
  • What do I do if I get a notice about it being unable to replace wp_get_current_user()?
    Limit Login Attempts no longer replaces any pluggable functions.
  • Why write a new plugin instead of using Login Lockdown?
    When looking at it I was not satisfied with how Login Lockdown solved the technical issues. Then I also found a number of ways to improve things: handle auth cookies login, show users how many login attempts remained and for how long they are locked out. Have the option to notify the admin about lockdowns.
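
The first FAQ answer above, as an added Python model (not the plugin's PHP code): a per-IP failure counter run with and without reset-on-success against the pattern that answer describes. The class and function names are hypothetical, the limit of 4 is taken from the answer's "every 4th attempt", and lockout expiry is left out.

```python
class LoginLimiter:
    """Per-IP failed-login counter (simplified model, no lockout expiry)."""

    def __init__(self, allowed_retries=4, reset_on_success=False):
        self.allowed_retries = allowed_retries
        self.reset_on_success = reset_on_success
        self.failures = {}   # ip -> failed attempts counted so far
        self.locked = set()  # ips currently locked out

    def attempt(self, ip, password_ok):
        """Process one login attempt; return 'locked', 'ok' or 'failed'."""
        if ip in self.locked:
            return "locked"
        if password_ok:
            if self.reset_on_success:
                # The policy the FAQ argues against: success clears the count.
                self.failures.pop(ip, None)
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.allowed_retries:
            self.locked.add(ip)
        return "failed"


def guesses_before_lockout(limiter, ip, cycles):
    """Count wrong passwords the limiter checks before it locks ip out.

    Each cycle is (allowed_retries - 1) wrong passwords for one account,
    followed by one valid login to a different account from the same address.
    """
    checked = 0
    for _ in range(cycles):
        for _ in range(limiter.allowed_retries - 1):
            if limiter.attempt(ip, password_ok=False) == "locked":
                return checked
            checked += 1
        limiter.attempt(ip, password_ok=True)  # the client's own account
    return checked


if __name__ == "__main__":
    ip = "203.0.113.7"  # constructed address from a documentation range
    for reset in (False, True):
        limiter = LoginLimiter(allowed_retries=4, reset_on_success=reset)
        n = guesses_before_lockout(limiter, ip, cycles=100)
        state = "locked out" if ip in limiter.locked else "never locked out"
        print(f"reset_on_success={reset}: {n} wrong passwords checked, {state}")
```
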

148 Responses to “Limit Login Attempts”

  1. diorTinofiz says:

    Hi People
    How are you doing?

  2. Fat Cow says:

    Hi author, I want to translate your plugin into Russian. Please tell me your email, simply reply to me. Thanks, Fat Cow

  3. jim says:

    Sounds like the plugin I've been looking for! Will it work with WordPress MU? Any idea how it might work with users logging in via Simple:Press Forums?

    Our server blocks IPs after 5 failed attempts, but people still lock themselves out. I like the warning messages your plugin implements.

    Thanks!

  4. Thank you.

    I know people have used it with MU -- apparently successfully -- but I have not tested myself.

    I took a brief look at Simple:Press and it appears at first glance to use the normal WP login functions which should make the core functionality work though the warnings will probably not show up in what looked like various inline login forms.

    Please report any success or failure!

  5. Keith Davis says:

    @Johan
    Plugin looks great... I've installed it on a development site I have set up on a local server using XAMPP. If all goes well, I will use on live site.

    Good feature is that it doesn't tell you if the username or password is incorrect, so it doesn't give the hackers any clues.

    When I test it on my local site, and eventually lock myself out, does deactivating and reactivating the plugin return the failed attempts to zero? Or do I have to remove and reinstall the plugin?

    Thanks for sharing.

  6. It can be noted though that there are numerous more subtle ways to find valid user login names in stock wordpress -- the big target for plugin version 2 (unfortunately delayed and still in beta).

    Re. lockouts:

    The plugin admin page allows you to reset current lockouts. Unfortunately, you have to be able to login to get there... :)

    Currently I never clear active lockouts in any other case (even reinstall) -- I'll put it on the todo list, it is a good idea.

    If you have access to the database and are comfortable with SQL (HACK WARNING) you can remove them directly (`UPDATE wp_options SET option_value = '' WHERE option_name = 'limit_login_lockouts'`).

    I would recommend using a short lockout time while evaluating the plugin. Deactivating the plugin will obviously let you login.

  7. Keith Davis says:

    @Johan

    Sent details of your plugin to Shinephp and the guy over there did a review... see link below:
    http://www.shinephp.com/limit-login-attempts-1-4-1-wordpress-plugin-r...

    He recommended your plugin over Login lockdown

    I will install on my live site.

  8. jim says:

    Please report any success or failure!

    Just thought I'd provide some MU / Simple:Press feedback... using our dev. environment, v2.0b3 seemed to work perfectly on our main blog running WPMU 2.8.5.2. It also seems to play nice with Simple:Press since any login errors are shown on the WP login screen, not inline on the Forums page.

    I may or may not install this on our production site quite yet though, for the following reason. Limit-Login must be placed in the Plugins folder to work, and then it only works for the blog on which it is activated. We do not want to give all users this level of control. Using WPMU Plugin Manager, I limited activation to the main blog only, and this solves half the problem – sub blogs no longer have access to the plugin, but then it no longer limits/logs login attempts on those blogs either.

    Since our primary concern is users locking themselves out after 5 failed logins (via our firewall settings) when signing in on the Forums page, this plugin may very well meet our needs, since only a few users may be logging in directly via their own blog.

    I like the ample warning it provides, and how it logs IP addresses. A nice feature would be the ability to remove ban from specific IPs, instead of all at once.

    Thanks again, keep up the good work!

  9. Thanks for the feedback.

    I've been looking at MU recently and hope to add real support for it once I get 2.0 out the doors.

  10. Jason Wong says:

    Amazing plugin.

    However, I wish that it can work well with Login with Ajax plugin/widget, as I noticed that the error message produced by the Limit Login Attempts plugin isn't immediately displayed on the Login with Ajax widget. It appears that's a loop delay ... Strange??

    Please keep me posted if there's a possible solution to this 'hiccup' ...

    Cheers ... Jason

  11. ds281 says:

    Would love better support for MU if possible! Loving what this plugin provides so far on the main blog! Thanks for your work.

  12. Daniel Kamp says:

    Very cool Plugin ! Thanks!

  13. realesegame says:

    How does this plugin work in WordPress 2.9.1?

  14. Erik says:

    Hey,
    I use WordPress MU (2.9.1.1) and I just spent some time reworking the plugin (1.4.1) to be more MU friendly. I will mention that this plugin works FANTASTICALLY with WordPress MU 2.9.1.1... Other MU users may find this useful... A couple of things...

    First, I set the variables at the top of the plugin's .php file that I wanted to be global. The file is very well noted by the author, OMG thank you! Very easy to control what variables the plugin activates with, thanks to great coding and thoughtful notation.

    Then I changed the function that mails lockout notification to the administrator, so that it will email the super site admin (me) rather than that particular sub blog's admin. What I did was modify the get_option in line 394 to say:
    `@wp_mail(get_site_option('admin_email'), $subject, $message);`

    Then I changed the code where it constructs the plugin's dashboard submenu. I changed it so that it would show under the site admin menu instead of settings. That way only the super site admin can see it and not the sub blog administrators. I changed line 607 to:
    `add_submenu_page('wpmu-admin.php', 'Limit Login Attempts', 'Limit Login Attempts', 10, 'limit-login-attempts', 'limit_login_option_page');`

    Then I used the plugin manager to auto-activate the plugin for all users sitewide. That way any newly generated blogs will automatically activate the plugin with the settings I want, and having moved the menu, users can't modify them.

    It is important to note that if the plugins menu is accessible to your users, they can deactivate the plugin. Rather than attempt to solve this, I will just hope that my users are not that stupid.

    Hope this helps...

    Oh, the settings I changed to my liking were:
    login attempts moved to 5,
    lockout time decreased to 15 min.
    lockout log settings changed to 'log, email'
    and notify email after 1 lockout

  15. BjornW says:

    Johan,

    I've made a Dutch translation for your nice plugin. I've made it already available through my own website, but I hope you will add it to the plugin so no extra steps are needed any more to use your plugin in Dutch.

    The translation zip file can be downloaded here: http://www.burobjorn.nl/blog/wp-content/uploads/2010/03/limit-login-a...

    Thanks for providing your plugin to the community!

    All the best,
    Bjornw

  16. Hi.

    I'm looking for an addon like this but with a captcha function instead of blocking the login form. Can you add this feature? Or if you want I can tell you my idea, modify the code and send the patch.

    Big regards

  17. Richard Wing says:

    Hello,

    Will you be adding support for preventing multiple people logging into an account even if they know the correct passwords? I want to lockout people that share their account details too. Something similar to this http://www.newmedias.co.uk/your-minder/ I love yours and need it but also need the capabilities of what the other developer offers.

    Is that something you would consider adding into your functionality? Or do you suggest that I get both?

    Thanks,
    Richard Wing

  18. oVa says:

    Hello

    I just finished the French translation of your plugin: limit-login-attempts
    You'll find it here: http://doku.host56.com/wplugins/limit-login-attempts-fr_FR.zip

    Can be integrated into a future version?

    Thank you in advance!

    oVa

  19. Gervásio says:

    Hi Johan

    I've made a Brazilian Portuguese translation for this plugin, based on version 2.0beta3. I've made it available through Mediafire: http://www.mediafire.com/?kjyrfx96b0xfo49

    I hope you include it in 2.0final. Also, feel free to contact me via e-mail, for future updates.

    Regards.

    Gervásio.

  20. weston says:

    request: in the Lockout log, date and time would be great!

    I would also love a dashboard stats window.

  21. Weston,

    Thanks for the suggestion. I'll probably add that.

  22. Gonzague says:

    awesome plugin thanks a lot ! It helped me detect people trying to break in quite a few times

  23. AriK says:

    Hi, Johan.

    While testing a translation service site, I made Finnish translation for this plugin. It can be found from:

    http://crowdin.net/project/wp-limit-login-attempts-plugin

    Feel free to download it, include it in build, etc.

    Feedback on translation accuracy also appreciated (if there're any Finns online).

    -Ari

  24. Ari,

    Thank you. I'll queue it up for next release.

  25. beatus says:

    Not working under WP 3.01

  26. Huji says:

    Limit Login Attempts is a great plugin, but I'm afraid there is a tiny regression in it (as of 1.5.1):

    When you fail to login, the login counter for your IP address is increased by one. If you successfully login on the next attempt (and here is the bug:) the attempts counter should be restored to zero, but it remains unchanged.

    Although I believe "resetting to zero" is a mandatory feature, if you think it may not be desirable by all users, you can make it an option config.

    Keep up the good work!

  27. Beatus,

    Could you describe the problem in more detail? Perhaps mail me the details as johan.eenfeldt@kostdoktorn.se? What is not working, what happens instead, version of plugin, etc.

    Huji,

    That is very much by design, and has been that way since day 0.

    Otherwise it would be possible to attack admin using 1 less than allowed retries. Then reset retries by logging in to a normal account.

  28. Nicole says:

    Hi Johan,
    It seems something strange is going on with this plugin on my site.
    I go to my blog, go to the login page, and when I get there, it already says "too many failed login attempts" and locks me out for 19 minutes. Even if I haven't been to my blog for a week or so. What does this mean?
    Thanks in advance,
    Nicole

  29. Nicole,

    Thank you for the report.

    I won't be able to investigate in detail until this evening (local time) but it sounds like there is a bug in how the plugin handles failed cookie login. If old cookies don't get cleared as they should it results in a failed login each pageload -- on the login page or not.

    I made what I thought was a small simplification in that code for the latest release, so it is possible I made an error.

    Try to disable cookie login handling in the plugin options.

    I'll check it in a few hours.

  30. Hmm, having looked at it and tested the code I cannot find any problems. It still sounds like something regarding auth cookie handling, but I cannot see how it could happen.

    Do you use any plugins that affect login and/or cookie behaviour?

  31. Constanta says:

    Great plugin and I'll queue it up for next release.
    Good job all!
    Thank you!

  32. Tim Gary says:

    Thanks for the great plug in. I'm recommending it for all my clients.

    I too have seen the too many failed login attempts message, and indeed disabling the cookie login handling takes care of it.

    On this particular site, there is a simple:press forum, as well as a content protection script (DAP), and I'm just wondering if those could be part of the cause. I know that the forum "remembers" me pretty much indefinitely, but I'm prompted to login to the content-protected area.

    Additionally, the "Secret keys" and "Salt" in wp-config was updated from the defaults a few days prior to noticing the problem. No idea if that could be part of the cause. Seems like after happening maybe once, it should be good to go.

    Anyway, disabling the cookie handling solves it, but wanted to provide a little more info in case it triggers any thoughts on what might be happening!

    Thanks again,
    Tim

  33. IIWYM says:

    This is a great plugin.

    Are there plans to add the ability to set safe IP addresses? I have a couple of WP sites, and it seems that when I login to one and then try to log in to the other, I get locked out. I get in by deleting the file but I wish I could set my IP as a safe location.

  34. Christoph says:

    Hi, I experienced something that looks similar to what Huji wrote above:
    After a failed login attempt and a subsequent successful login, I log out and there is still that warning message "x attempts remaining". I think this can be quite confusing. Even if it makes sense to keep on counting for a certain time after a successful login, it would be good not to display that warning directly after logging out. I would display it again only after another failed login has occurred. The warning is useful as information only when a login has failed right before.
    Also, I would appreciate an option in the settings to reset counting to zero after *every* successful login. This still gives a good deal of protection because logging in every xth time with a known password in order to guess the admin password would take quite a while and some admins might be willing to take that risk.
    thanks

  35. Kakel sickan says:

    Also want to recommend another plugin that's called "badbehavior", it blocks a lot of bots and other things that spider around on the web.

  36. Hello, my hosting company has isolated a problem that keeps bringing down our website. I'm contacting the developers of all the plugins I'm using to see if it could be their plugin that's the cause of this problem. Listed below:

    Hello Chris,

    The problem you are having is due to some processes running on
    74.43.13.1 and 12.166.36.250 that are trying to connect to closed ports
    resulting in one-hour blocks of the IPs by the hosting server's
    firewall. For example, we are seeing a large number of attempts to
    access port 389 which is the LDAP port even though we don't offer LDAP
    services. Similar hits are seen coming from both 74.43.13.1 and
    12.166.36.250.

    Nov 17 13:27:41 *TCP_IN Blocked* SRC=74.43.13.1 DST=209.236.73.59
    PROTO=TCP SPT=14368 DPT=389
    Nov 17 13:27:43 *TCP_IN Blocked* SRC=74.43.13.1 DST=209.236.73.59
    PROTO=TCP SPT=14346 DPT=389
    Nov 17 13:27:47 *TCP_IN Blocked* SRC=74.43.13.1 DST=209.236.73.59
    PROTO=TCP SPT=14368 DPT=389

    Another example, is a process running from port 60073 on 12.166.36.250
    today that scanned UDP ports 33590 through 33623 between 12:16:37 MST
    and 12:19:22 MST. This port scan resulted in the following one-hour
    block:

    Nov 17 12:19:26 *Port Scan* detected from 12.166.36.250 (US/United
    States/-). 21 hits in the last 102 seconds - Blocked for 3600 secs
    Nov 17 13:19:30 Incoming IP 12.166.36.250 temporary block removed

    The processes running on 74.43.13.1 and 12.166.36.250 that are scanning
    our hosting server's ports need to be stopped. If they continue to run,
    the IPs will continue to get blocked as they have dating back to
    November 3. Some of the firewall's blocks last one hour and some last
    three hours or more depending on the perceived severity.

  37. David Miller says:

    Any chance of an ip white list section added to the plugin at all ?

  38. Hi!

    I have switched on WP_DEBUG on my test blog and try to minimize PHP notices which are output. Your plugin is responsible for one of them: "Notice: load_plugin_textdomain was called with an argument that is deprecated since version 2.7 with no alternative available."

    The correct syntax of line 99 in the plugin file should be:

    load_plugin_textdomain('limit-login-attempts', false, dirname(plugin_basename(__FILE__)));

    See: http://codex.wordpress.org/Function_Reference/load_plugin_textdomain

    It would be great if you could change this for the next plugin release! Thanks a lot for coding this in the first place! :-)

    Regards,
    Johannes

  39. Johannes,

    Will fix. Thank you!

  40. Bob says:

    I changed my URL's in WordPress from mysite.com to http://www.mysite.com and when I tried to log in the plugin started counting attempts and now I am locked out of my site.
    How do I get back in?

  41. To remove lockout:
    http://wordpress.org/extend/plugins/limit-login-attempts/faq/

    ... and thank you for the report. I've been chasing the bug where cookie limit will sometimes kick in and apparently not clear invalid cookies. This gives me another idea to test.

  42. Samuel says:

    It would be very nice if you update the changelog :)

  43. I have, but apparently it takes a while to update on wordpress.org sometimes. Check the readme.txt for now!

  44. derdini says:

    Türkçe

  45. Last time, I tried Login Lockdown on a local server. It messed up my local test site and locked me out. I'm gonna try this version and hope it works for me. A lot of my blogger friends are recommending this and feeling really secure about their blogs.

  46. Hope it works out better for you. Please check the FAQ if you lock yourself out testing this thing.

  47. Doug Kaller says:

    When this plugin was suggested, I wondered why anyone would want to log into my website. I still do not know the answer but for the past 5 days, someone has been trying to get into my admin page. I have had about 20 "Too many failed login attempts" emails. Although I am sure it is only one hacker, there have been at least 3 different IP addresses. Thank you for protecting my work.

  48. ANA Designs says:

    Great plugin! I'm using it on several sites and have never had a problem with it.

    If you accept donations for your work I'd love to buy you a cup of coffee :)

  49. Mace says:

    I installed it, nice plugin.

    I enabled it, and I still see I am getting hammered by some remote server that keeps on trying anyway. I am sure it does not know it is "blocked". A nice hack/extension would be to optionally add the offending IP address to .htaccess. Even if you lock yourself out accidentally, you could update the .htaccess file.

    Maybe another idea is to perhaps not send *any* response to reduce the frequency of the attacks.

  50. Mace, thanks for your comments. It is a situation I've thought a bit about.

    From a password security angle it doesn't matter really if they keep trying once you've got this plugin active. They will not be able to brute force the password. You still want to use a decent password to be safe of course, in which case we're talking age of the universe timespan to break it.

    It is still annoying though. If they do it often enough it might also be considered a DOS security issue.

    There is the issue however of multiple users behind the same NAT/proxy (at a company or university for example).

    Right now they won't be able to log in if they have a bad guy on the same network. If you block the ip in .htaccess they won't be able to access the site at all. And this is a situation that will get more and more common now that we're kind of out of ip4 addresses.

    It would also require the .htaccess file to be writable by the web server at all times, which is a security issue of its own.

    I'm still thinking about it, but I don't think it would be a good idea for most people.

  51. Pietro says:

    Hello,
    We are using your plugin....and so we thought to make a link at your page ;)

    http://www.automotivespace.it/connessioni/

    Many thanks

  52. Gary says:

    The Log of lockout IP addresses worked on first install but after using the clear log button, the locked-out ip addresses are no longer displayed. The header and clear log button are also missing. Have you got any suggestions to fix ?

  53. Gary says:

    Sorry, meant to say after using the clear log button new, subsequent lockouts are not appearing even though I've been getting notification via email telling me there have been failed login attempts.

  54. Mau says:

    The same issue here. The log went missing after I cleared it.
    An Improvement would be that there is an option to send the emails to a different address.

  55. Gary, Mau

    Thanks for the report. This is fixed in 1.6.2. Sorry for the delay.

  56. Keith Davis says:

    Hi Johan
    Great plugin - just updated.

    Thanks for doing such a great job.
    I use your plugin on all my clients sites.

    Your plugin is much appreciated.

  57. Marcus says:

    Hey Johan,

    Great plugin! I've used it for years.

    It would be super to see the dates in the logout log. Right now we see the IPs and the usernames. Then I'd like to see a third column with the dates -- and perhaps a drop-down or something when there were more than one tries per IP/UN.

    Either way, keep it up!

  58. Gary P says:

    Have just installed updated plugin but log still not showing. Do I have to wait until there's another lockout (post-installation) or do I have to clear database entries (if so which ones) ?

  59. New lockouts will show in the log.

  60. Hi,

    I just updated the Limit Logins plugin a couple of days ago. This morning, when I tried to login, the plugin would not recognize any of my userids or passwords. Yet, when I went to one of my posts and clicked the "Site Admin" link, I got to the admin page without any problem. Very strange.

    Since I can't tell what's going on, I deactivated the plugin for the moment to avoid getting completely locked out. Has anyone else run into this problem?

    Thanks,

    Chris

  61. I haven't had any reported problems so far, and I cannot think of anything that could result in your situation. You obviously get logged in and the correct cookie set, or you would not get the admin bar at all.

    Do you have any other plugin that does login related stuff?

  62. Jackieyo says:

    Thanks for this plugin, useful a lot

  63. elsim says:

    One question: How to display date in log block?
    Today's date is shown on log in, is important.

  64. Mark says:

    Johan,
    Great plugin. Any thoughts about adding a way to configure what email address the admin logs are sent to? It would be nice to be able to send alerts to another email address rather than the default WP admin email.

  65. Mike says:

    Hi Johan,
    How do I customize, as I don't get the normal Options configuration panel in my dashboard?
    Regards
    Mike

  66. Once the plugin is activated there should be an option page under the "Settings" menu.

    Something like:
    http:///wp-admin/options-general.php?page=limit-login-attempts

    Nothing is shown on the dashboard page right now.

  67. scott4design says:

    On my most popular site I used your login and it opened my eyes to stuff going on I had never noticed before. Thanks...

    Is there a tool in your plugin to help with something like this? Or any recommendation?

    Lockout log

    IP Tried to log in as
    213.251.189.201 justin82 (3 lockouts)
    67.228.21.218 justin82 (2 lockouts)
    62.75.244.128 justin82 (6 lockouts)
    74.53.173.146 justin82 (6 lockouts)
    200.0.176.43 justin82 (4 lockouts)
    208.69.122.25 justin82 (4 lockouts)
    193.202.110.175 justin82 (4 lockouts) ... and it continues

  68. If you only allow login from admin-type users you can tighten the plugin settings somewhat, but default settings are safe as long as you have decent passwords.

    With a strong password it would take millions of years to brute-force crack, even with multiple IPs trying. Still annoying though.

    I recommend 12+ random character passwords and preferably a password manager.

  69. scott4design says:

    Right on... thanks for answering. Annoying is right. I read an article about recommended security for wordpress and your widget was on the list. When I loaded it I saw things that I did not know were going on... I have seriously beefed up security.

    Thanks for writing this, it's cool.

    Cheers

  70. MisterE says:

    I use this plugin in combination with "login logger". I notice that when a user is locked every attempt is still logged by "login logger". I'm worried it flood my server db.
    Is it possible to add a feature to stop processing other plugins when locked?

    (I don't know what a hacker uses to bruteforce. But do their scripts see the "locked" status?)

  71. Regina says:

    Thanks for a great plugin. A Russian IP is trying to get into a blog I manage. I'm glad I was able to block them.

  72. MisterE says:

    another feature request. Like to have a whitelist feature for users. This is handy for creating a second admin account which can always unlock.

  73. Marcus says:

    Hey Johan, any news as to when you'll include the dates in the logout log? :-)

  74. ben says:

    Can you tell me how to unlock a user if they are accidentally blocked? How, as an Admin, do I do that -- is it as simple as clearing the log or do I have to go into the DB somehow?

  75. Jeff says:

    Great plugin. I have to say I'm astounded at how hard some people are trying to get into our site. I set it so that 1 lockout sets the lockout time to 24 hours. Yet there is one IP that has been locked out 9 times since I installed the plugin 2 weeks ago! The email notification is great. Thanks!

  76. Peter says:

    Thank you Johan, for writing that plugin!
    Just like many commenters here I was quite surprised to see how many failed login attempts there are on my small blog.
    If you've got some spare time sometime, I'd second the wish for a timestamp in the log. :)
    Cheers
    peter

  77. An awesome plugin that answered questions about who is trying to get in.
    Bit concerned about the date of the plugin, no worries, this works great with current WP version.
    Thanks - hope to see more!

  78. webster says:

    Awesome plugin, thank you for this, I rated is with five stars.

    Feature request: it would be good to see the password, which user tried to submit.
    Or you are not showing password intentionally because of security reasons?

    P.S. [whining]it is better to align text on site to the left, because in this case intervals between words are the same and it is better to read for an eye than justified text [/whining]

  79. Doug Stewart says:

    Howdy,
    Great plugin. Minor nit to pick: the English translation calls out "reversy proxy". Might want to change that to "reverse". *grin*

    Thanks.

  80. There are lots of plugins available on the web, but most of the plugins are useless; I think this plugin will be a good one.

  81. 411Plumb says:

    Hi Johan,

    Great Plugin! Thank You Very Much!
    The added security for my sites is greatly appreciated, and Limit Login Attempts gets it done!

    The login attempts I see are pretty much trying to log in as "Admin" which is comforting seeing as the #1 rule on WordPress Security is don't have an "Admin" user. Those that do have an "Admin" user should use the http://wordpress.org/extend/plugins/admin-renamer-extended/ to change the name of the "Admin" user to a different name. People should also use a "Nickname" which shows as the user name to those who visit the site, so the admin logon name is not shown publicly.

    The only things I can think of to improve the Limit Login Attempts plugin would be:

    Being able to set an e-mail notification address other than the WordPress site admin's address.

    Being able to reset a single IP Address of a legitimate user that was accidentally locked out when they forgot their password.

    Again, Great Plugin & Thanks!

  82. purkleturkle says:

    Hi I would love to use this with bbPress have you done this before?

  83. Rocky says:

    Loving this plugin. I have it on a couple of sites and it's certainly stopping the script kiddies in their tracks.

    I'd put in another vote for a whitelist if it's possible. I just managed to lock myself out accidentally so I had to log in from a different IP address to reset myself. Others may not have this luxury.

  84. GROO says:

    Is Version: 1.6.2 compatible with WordPress 3.2.2?

  85. Hi! Congrats for this extremely useful plugin.

    Just wanted to let you know that I developed a small feature to allow whitelisting some IPs, you can find the diff patch on https://gist.github.com/2711886 if you're interested in merging it into the plugin

  86. Pete says:

    This is without doubt the most significant security hardening feature I have installed on my blog! Invaluable! If only I'd found/thought of it before I got hacked. Essential plugin for any WP site...

    However, one enhancement request: can we have date and time added to the lockout logging please?

  87. Rocky & Felipe,

    So I've added support for IP whitelist in the new release. Kind of. There is a filter to do it, as I'm still against it in principle! ;-)

  88. Pete,

    Yeah, it's on the to do list. I've actually implemented it for my big 2.0 re-shuffling of settings and options, but it's been stalled for forever now.

  89. oldgoat1957 says:

    Just wanted to thank you for this plugin, I have been using since last year and it's a nice addition to the other security measures I have in place - I appreciate your efforts in making and maintaining this!

  90. Karen says:

    Thank you for this plugin! Someone tried to access my account early this morning. The plugin notified me of this and even gave me the IP address. This person is located in the Ukraine (I'm in the USA). For all of those people who are considering this plugin, don't wait any longer. It works great!

  91. shawn says:

    Thank you Johan, this is by far one of the required plugins for any of my WP sites. It stops brute force attacks in their place.

    Like others have requested, a timestamp would be a great addition, and/or an option to display which country code the IP came from. (I know, I know, asking for a lot, hehe.) Love your plugin regardless.

  92. Anasta says:

    I want to use the plugin, but most of the users are using the same IP address. This means trouble if one user doesn't know his password and keeps trying until he locks out all of the other users. I can't find an option to lock out only usernames.
    So I think I'll use the whitelist option, but I don't know what I have to do. Where do I put the IP address? I tried several things, but it doesn't work. Please, who can help me?
    Thank you in advance.
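
For the whitelist question above, an added example that is not part of the original thread and not the plugin author's code. It assumes the filter mentioned in comment 87 is the `limit_login_whitelist_ip` filter from the plugin's readme; the function names and addresses are hypothetical.

```php
<?php
// Added example: whitelist callback for the plugin's 'limit_login_whitelist_ip'
// filter. Function names and addresses below are hypothetical.

// Constructed sample entries (documentation ranges); replace with your own.
function my_llw_allowed_networks() {
    return array(
        '203.0.113.10',     // single address
        '198.51.100.0/24',  // IPv4 range, e.g. an office NAT pool
        '2001:db8:12::/48', // IPv6 range
    );
}

// True if $ip equals $entry or lies inside the CIDR range $entry.
function my_llw_ip_matches($ip, $entry) {
    $parts = explode('/', $entry, 2);
    $addr  = @inet_pton($ip);
    $net   = @inet_pton($parts[0]);
    // Invalid input or mixed IPv4/IPv6 never matches.
    if ($addr === false || $net === false || strlen($addr) !== strlen($net)) {
        return false;
    }
    $max_bits = strlen($net) * 8;
    $bits     = $max_bits;
    if (isset($parts[1])) {
        // Reject "/abc" or "/" instead of letting it cast to 0 (match-all).
        if (!ctype_digit($parts[1]) || (int) $parts[1] > $max_bits) {
            return false;
        }
        $bits = (int) $parts[1];
    }
    $full = $bits >> 3; // whole bytes covered by the prefix
    $rest = $bits & 7;  // leftover bits in the next byte
    if (substr($addr, 0, $full) !== substr($net, 0, $full)) {
        return false;
    }
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($addr[$full]) & $mask) === (ord($net[$full]) & $mask);
}

// Filter callback: $allow is the decision so far, $ip the client address.
function my_llw_whitelist($allow, $ip) {
    foreach (my_llw_allowed_networks() as $entry) {
        if (my_llw_ip_matches($ip, $entry)) {
            return true;
        }
    }
    return $allow;
}

// Only register inside WordPress, so the helpers can be tested stand-alone.
if (function_exists('add_filter')) {
    add_filter('limit_login_whitelist_ip', 'my_llw_whitelist', 10, 2);
}
```

Addresses on this list are never locked out, so a shared address that is whitelisted gets unlimited login attempts; keep the list to networks you control.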

  93. RWBronco says:

    I'm using a login log and seeing multiple people try 20-25 times per minute before it finally locks them out. Here's an example: http://i.imgur.com/bYvq3.jpg

    So your plugin IS working - it just doesn't seem to work fast enough.

  94. Guy says:

    I use Limit Logon Attempts to try to prevent hacking, and two plugins that log logins. Recently, I received a message from your plugin that it had locked an IP after 5 attempts to login as "admin." But when I look at the logs, I see the IP was attempting another user name. Also, the logs showed more than 2,000 attempts from the IP, and this number was confirmed by looking at the web site's raw access logs.

    Two questions: why was the account name reported incorrectly, and why were the attempts not actually stopped?

  95. I've translated the plugin into Simplified Chinese. I've also sent the file to your mailbox; please review and give me feedback.

    Thanks!

  96. webster says:

    It would be good to see the last entered password.

    It could easily be done by adding this code to the "limit-login-attempts/limit-login-attempts.php" file at line 556:


    $message .= "\r\n\r\n";
    $message .= sprintf(__("Password: %s", 'limit-login-attempts'), $_POST['pwd']);

  97. Nik says:

    Hi, I made you a Croatian language translation:
    http://katanaswords.info/limit-login-attempts.1.7.1-hr.rar

    If you want you can include it in future versions of your amazingly simple yet useful plugin.

    Keep up the good work!

  98. Dear Johan,

    I just want to thank you for this plugin. It successfully blocked a hacking attempt on a website that I maintain, one that has been the target of Islamic terrorist hackers many times in the past. BUT NOT ANYMORE!!! Woohoo!!!

    Thank you so much. I am completely indebted to you.

    Regards,
    Ian

  99. karoshi says:

    The plugin works great, thanks. Does it support IPv6?

  100. Erwin Heid says:

    Hi Johan, I have 8 websites in total and your plugin is running well. Only on one have I had some problems for just a few weeks. It's my website Just-a-green-life-4u.com. If I try to log into my admin, this comes up - ERROR: Too many failed login attempts. Please try again in 167 hours. - and I have made no mistake with a wrong password. I tried the same again after these 167 days, without success. I did try to change my password, still the same problem.
    What can I do.......

    thanks for any help.
    kind regards
    Erwin

  101. Peter says:

    I just got another brute force attack on my blog. I got an email after 5 login attempts, but the attacker just kept going on sending POST login requests.

    I assume the actual login possibility is disabled when the IP is blocked? You can't of course block a POST request, just from within WordPress or this plugin.

    I am currently looking into combining this plugin with fail2ban, so I can block access on port 80 for the IP that is locked out.

  102. artak says:

    Hi author, thanks for the plug-in. I have translated it into the Armenian language; please reply and I will send you the translation files. Thank you!!!

  103. Peter says:

    Hi,

    I modified the plugin to also log to a file with a timestamp and the IP. This way I can use fail2ban to indeed block it in iptables on port 80. I just got another attacker, and he was blocked, and now my server doesn't get overloaded with POST requests anymore.

    Maybe an idea to support logging to external file?
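
The file-plus-fail2ban approach described in comments 101 and 103, as an added example that is not part of the original thread and is neither Peter's modification nor the plugin's code. It hooks WordPress's `wp_login_failed` action instead of patching the plugin; the log path, function names and jail name are hypothetical, and it assumes a fail2ban version whose date detection understands ISO 8601 timestamps with a UTC offset.

```php
<?php
// Added example, not the plugin's code: append one line per failed login
// to a file that fail2ban can watch. Names and paths are hypothetical.

// Assumption: a path outside the web root that the PHP user can write to.
define('MY_LOGIN_FAIL_LOG', '/var/log/wordpress/login-fail.log');

// Build the log line, or return null if $ip is not a valid address.
// Only the validated IP is written: no user name, no password, so nothing
// attacker-controlled can inject extra lines or leak credentials.
function my_login_fail_line($ip, $now) {
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // ISO 8601 in UTC with explicit offset, e.g. 2013-04-01T12:00:00+0000
    return gmdate('Y-m-d\TH:i:sO', $now) . ' wp-login failure from ' . $ip . "\n";
}

// Callback for WordPress's 'wp_login_failed' action.
function my_log_failed_login($username) {
    // Assumption: the site is reached directly. Behind a reverse proxy
    // REMOTE_ADDR is the proxy, and banning it would block every visitor.
    $ip   = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $line = my_login_fail_line($ip, time());
    if ($line !== null) {
        file_put_contents(MY_LOGIN_FAIL_LOG, $line, FILE_APPEND | LOCK_EX);
    }
}

// Only register inside WordPress, so the formatter can be tested stand-alone.
if (function_exists('add_action')) {
    add_action('wp_login_failed', 'my_log_failed_login');
}

/*
Matching fail2ban configuration (file and jail names are hypothetical):

# /etc/fail2ban/filter.d/wp-login-fail.conf
[Definition]
failregex = wp-login failure from <HOST>$
ignoreregex =

# /etc/fail2ban/jail.local
[wp-login-fail]
enabled  = true
filter   = wp-login-fail
logpath  = /var/log/wordpress/login-fail.log
port     = http,https
maxretry = 5
findtime = 600
bantime  = 3600
*/
```

With the ban applied at the firewall, repeated POST requests from a banned address no longer reach PHP at all, which is the load reduction comment 103 describes.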

  104. Jukka says:

    Thank you for your excellent program. My blog is very fond of attempted break-ins, and this program is to protect, but could you add a feature that I can release my own admin IP address on a banned list. I only have one time left to my own blog. Agents who try to break the 9,999 hours or one year from closing.

  105. egorpromo says:

    I want to say to the developers of Limit Login Attempts: for security reasons, add this code at the beginning of the limit-login-attempts.php file:
    <?php defined('ABSPATH') or die('Access denied');

  106. Stalyn says:

    Thank you for this very useful plugin.

  107. Shyam says:

    Thanks a lot for your plugin, keep up the good work.

  108. Susan says:

    Hi,

    I love this plugin! Thank you so much for this.

    I would like to echo a request that 411Plumb already mentioned "Being able to reset a single IP Address of a legitimate user that was accidentally locked out when they forgot their password."
    This would be great. I've made an error logging in 2 times over the past year and it never resets for me even after all this time has passed without me making any errors logging in. I'm not sure if this is something that can be done, but that would be great :)

  109. Leesa says:

    These are in fact enormous ideas in on the topic of blogging. You have touched some fastidious things here. Any way keep up writing.

  110. I want to thank you for this excellent read! I absolutely loved every bit of it. I've got you bookmarked to look at new things you post…

  111. Silke says:

    Hello,
    big PRAISE for this plugin, it seems to work fantastically, and installation and configuration are quite simple too. 5 presumed hacker attacks were registered on my site, or should I say I was warned about them; they could not do any damage to my website because they simply could not log in. In addition I have set up a difficult password and a crazy username, which further strengthens the security of WordPress as well, but only if you choose the username and password during installation and not afterwards ;-) very important!!!!.....great thing, thanks

  112. Herb Green says:

    Hello, the plugin's settings say "Anmeldungen via Cockies berücksichtigen". That should probably be Cookies :)

    Many thanks, I just found and installed the plugin. Thank you!

  113. Uwe says:

    Hello,
    I have also integrated Limit Login Attempts and, after various attempts and hack attacks, configured it as follows:
    2 allowed retries, 7200 minutes lockout, 1 lockout increases to 9900 hours, 9990 hours until reset. No matter how short or long the times are configured, attacks repeatedly manage up to 30 login attempts. In the log there are 1 or 2 hours between three attempts before the same IP starts login attempts again. With the settings above, that really shouldn't be possible (7200 min. = 120 hrs.).
    Does anyone have an idea what causes this?
    Someone is permanently trying to crack the site, 7 days a week, almost without interruption.

  114. Mate says:

    Hi

    How about adding a feature, to automatically add locked IPs to WP-Ban plugin? This would really help me a lot as now I have to do it manually every time someone locks out.

    rgds
    Mate

  115. Have you stopped updating this plugin? Does it work with the current WP 3.5.1?

  116. Henrik Andersén says:

    Hi,

    First and foremost, thanks for a good plugin!
    I miss the ability to run a local script on the server after a definable number of lockouts, in order to automatically add the addresses to a block list in the firewall.
    Is that something you could consider adding in the future?

    Best regards,
    Henrik

  117. Peter says:

    Hey Guys,

    I currently use the "Limit Login Attempts" Plugin -- so I have a question?! Can I use both "Limit Login Attempts" & "Login LockDown"?? For the reason being that both together will act as DOUBLE Security.... Also they both have totally different functionality. Plus, if one breaks down... or they bypass one of them.

    So, I'm assuming they shouldn't conflict with each other, but I'm just wondering if anyone here has already tested these together?

    In Many Thanks,
    Peter

  118. Sarah says:

    Hi there,

    Is there any way to clear failed login attempts that I make (by mistyping my password) so that I don't lock myself out?

    Thank you.

  119. user says:

    Thanks for the perfect plugin! many thanx again

  120. I've upgraded to WP 3.5.1 and I have WooCommerce and a WooTheme installed. After the upgrade, I can't log into the admin area... I get "You do not have sufficient permissions to access this page." - but if I turn off the Limit Logon Attempts plugin by manually changing the folder via FTP, everything works again. Strange no?

  121. JASA SEO says:

    Thanks plugin security admin :)

  122. Jonathan says:

    Hi,
    Great plugin, has helped us I'm sure with numerous attempts to hack our site using standard mechanisms - even if it's just to keep an eye on the frequency of attempts.
    One thing "Email to admin after X lockouts".
    We have 3 admins, but how do we change the person who is currently getting emailed notifications to be someone else?
    Many thanks.

  123. hayley says:

    Just got a notification from Wordfence that a user was locked out after 20 attempts. However, I set your plugin to lock a user out after less than 5 attempts. I actually didn't realize Wordfence had this feature too. Is there a conflict having both plugins that do the same thing? Why didn't your plugin catch the login attempts before they got as high as 20?

    Thanks.
    Hayley

  124. Brian says:

    I have the same issue as Amal. With the plugin enabled I am unable to log into the admin panel unless I am on the local server. I am also on wordpress 3.5.1

  125. Georg says:

    Good day in Sweden,

    thanks for the helpful plugin!

    One question about the Mails to the Admin-Setting:
    Unfortunately, I can't set the number after which an email is sent higher than 1.
    Is there another way to do that?

    Thanks in advance,
    Georg

  126. Gary says:

    It's mind-bogglingly staggering the number of attempts that are made on my sites!

    I'd love a way to just block some IP addresses, I've got a few that clearly are just pounding on the server and there's no reason to let them continue.

    The other thing I'd like to have is just a list of usernames (root, admin, administrator and similar names that I do not use) that I know people are attempting to brute force that as soon as someone types a username in the list they're kicked off for x number of hours (if not blocked).

    I guess what I really should like to see (what I should actually be concerned about) is how often people are trying to brute force usernames that actually exist!

  127. Michael says:

    This plug-in is a must have for personal and commercial blogs. I checked the log book after I locked myself out by accident and I noticed a lot of log in attempts from IP addresses I don't recognize. Amazing that some people are even remotely interested in my site!

  128. josh says:

    Please update the plugin for better compatibility with 3.5.1!!! Thanks

  129. Prageesha Galagedara says:

    I changed my hosting and it stopped sending the "email to admin" mails. I receive other emails, but the alert mails sent by Limit Login Attempts are no longer coming to my mail. I deleted and reinstalled the plugin too.

  130. Chris Pink says:

    Invaluable. Great piece of work. Thank you very much.

  131. I am getting dozens of successful attempts from a single IP in Russia in a second. The lockout feature is working, but not until after many attempts. Any idea what might be going on? I have examples, if that would be helpful. My settings are

    Total lockouts 36 lockouts since last reset
    Active lockouts 1 IP is currently blocked from trying to log in

    Options
    Lockout
    3 allowed retries
    5000 minutes lockout
    2 lockouts increase lockout time to 2000 hours
    4000 hours until retries are reset
    Site connection It appears the site is reached directly (from your IP: 206.72.98.34)
    Direct connection

    Handle cookie login Yes
    Notify on lockout Log IP
    Email to admin after 1 lockout

  132. Roy Scott says:

    Awesome plugin, thanks a lot for creating it. The first time, I locked myself out for an hour. A good tip might be not to set the lockout minutes too long if you want to test it yourself, but... it works! :) )

  133. Ed says:

    I installed the plugin, but there is no options page for it. Is this a bug, or am I doing something wrong?

  134. David says:

    Same issue as Ed above. I have installed and activated 1.7.1 on WP 3.5.1 yet don't see a Settings or Options link. Where is it found?

    Also same question as Peter (28th Jan): Can I have both "Limit Login Attempts" & "Login LockDown" activated at the same time?

  135. paul says:

    I like this a lot. It shows me how slack I have been in managing things and how tough WordPress is at bearing up under these constant attacks.

    One feature I would like to ask for: can you provide an exportable list so I can add these jokers to my list of banned IPs?

    As an added level of security, some users here might consider Stealth Login Page as well.

  136. David says:

    I found where the User Setup Options are. It actually shows it in the 3rd Screen Capture provided above the FAQs. In your WordPress admin area click on Settings (on left nav panel) and then click on "Limit Login Attempts" at bottom. This opens the user options.

  137. BartC says:

    Just installed Limit Login Attempts. I have enabled Email to admin.

    There are three admins, one author. But the only email that is sent is to the author. None of the admins rec'd any email.

    Any idea what is up with that??

    WP v3.5.1

    bc

  138. Morris Wong says:

    Hi, Johan

    I installed this great/helpful plugin a few weeks ago, and it works well for my WordPress blog. So I installed it on more of my WordPress systems. This plugin does block and detect lots of potential attacks, most of which I did not even notice before. Thank you so much, great job! *bow*

  139. Loggy says:

    Reverse proxy issue.

    I have a number of sites on my Ubuntu 10.04 VPS and have installed Limit Login Attempts on them all.

    I am running WP 3.5.1 with nginx in front of Apache (mod_rpaf installed).

    I clicked the 'behind reverse proxy' and it tells me:

    It appears the site is reached through a proxy server (proxy IP: 1.2.3.4, your IP: 1.2.3.4)

    when I am viewing the site from 1.2.3.4, not the true reverse proxy.

    Something is wrong here!!!

    But it looks a very useful plugin, particularly in the present bot scare.

  140. yj says:

    Hi Johan:
    I like your plug-in but I can't use it, as I use both a direct connection and a proxy. I change between them all the time.
    You might know that many sites are blocked in China, and many sites (mostly video) cannot be accessed from outside of China.
    Why not give an option for both direct and proxy?
    Thanks!
    yj

  141. After I installed this excellent plugin on my personal site, I installed it on a company site as well. I can configure it just fine on my site, but when I try hitting the Settings -> Limit Login Attempts page to configure it, all I get is a "Are you sure you want to do this?" message with a hyperlink named "Please try again" that takes me back to my WP admin page.

    Any idea what's happening?

    I've tried deactivating/reactivating and even a reinstall. Nothing changes. The settings page still shows "Are you sure you want to do this?"

    Please advise....

    Thanks,
    greggl

  142. Hello.
    Are you able to make this plugin work with WP 3.5.1?

    Thank you.

  143. Mary says:

    I have installed this plugin, but there is no "setting" or "option" listed with plugin
    just details/edit

    What am I doing wrong?
    I don't understand the REVERSE PROXY? Is this a default?

    Thanks Mary

  144. Joan Carles says:

    Hello,

    Plugin very good, I recommend it!

    As a suggestion, you could set the warning mail is Delivery? I have several WP sites with the same e-mail, and when attacked I have to look one by one, because the mail that is generated does not say which WP it is.

    Thank you very much, good work

  145. Heloise says:

    Hi
    Thanks for this cool plugin, but since I activated it, I keep being logged out after a few minutes while a backup is running for instance. Does it work with WP 3.5.1? I see "Compatible up to: 3.3.2" on the plugin page, so is my bug related to the fact that this plugin isn't compatible yet with the latest WP version? thx :)

  146. Anon says:

    It would be nice for the Lockout log to show some info of when the locks were put into place.

  147. Woah! I'm really digging the template/theme of this site. It's simple, yet effective. A lot of times it's very difficult to get that "perfect balance" between user friendliness and appearance. I must say that you've done an excellent job with this. Additionally, the blog loads super fast for me on Chrome. Excellent Blog!

  148. Kendall says:

    Hi,
    Very nice plugin thanks! As a web host we encourage users to install this plugin. Also discourage users from having a username "admin" as that is the #1 tried login hack name. It would be great if you could add a field (comma separated list?) of usernames to immediately apply "lockouts increase lockout time" to. Just a suggestion.
    Thanks!
