Limit Login Attempts

A WordPress plugin

Loginscreen during lockout

Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable.

Description

Limit the number of login attempts possible both through normal login as well as using auth cookies.

By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.

Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.

Features

  • Limit the number of retry attempts when logging in (for each IP). Fully customizable.
  • Limit the number of attempts to log in using auth cookies in same way
  • Informs user about remaining retries or lock out time on login page
  • Optional logging, optional email notification
  • Handles server behind reverse proxy
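The following is an added example, written for this page and not taken from the plugin, that models the lockout behaviour described above in Python: failed attempts are counted per IP, form logins and auth-cookie logins count the same way, the login page is told how many retries remain or how long the lockout lasts, and each lockout is appended to a log. The limits used (4 retries, a 20-minute lockout, a 12-hour window after which old failures are forgotten) and the sample IP are constructed values for the example, not a statement of the plugin's defaults.

```python
"""Per-IP login lockout, modelling the behaviour described above.

Example code added for this page, not the plugin's own code. The limits
(4 retries, 20-minute lockout, 12-hour retry window) are constructed
example values, not a statement of the plugin's defaults.
"""
import math
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    allowed_retries: int = 4              # failed attempts before an IP is locked out
    lockout_seconds: int = 20 * 60        # how long a lockout lasts
    retry_reset_seconds: int = 12 * 3600  # failures older than this no longer count


@dataclass
class IpState:
    failures: int = 0            # failed attempts in the current window
    window_started: float = 0.0  # when the first of those failures happened
    locked_until: float = 0.0    # 0 when not locked out


def _plural(n: int, word: str) -> str:
    return f"{n} {word}" if n == 1 else f"{n} {word}s"


class LoginLimiter:
    """Counts failed logins per IP. Form logins and auth-cookie logins are
    recorded the same way, so guessing cookies earns no extra attempts."""

    def __init__(self, policy: LockoutPolicy, clock=time.time):
        self.policy = policy
        self.clock = clock                 # injectable so tests can control time
        self.state: dict[str, IpState] = {}
        self.lockout_log: list[tuple[float, str, str, str]] = []  # (time, ip, user, via)

    def check(self, ip: str) -> tuple[bool, str]:
        """Call before verifying credentials. Returns (allowed, message)."""
        st = self.state.get(ip)
        now = self.clock()
        if st is not None and st.locked_until > now:
            minutes = math.ceil((st.locked_until - now) / 60)
            return False, ("Too many failed login attempts. "
                           f"Please try again in {_plural(minutes, 'minute')}.")
        return True, ""

    def record_failure(self, ip: str, username: str, via: str = "form") -> str:
        """Register a failed attempt (via 'form' or 'cookie') and return the
        message for the login page: retries remaining, or the lockout notice."""
        now = self.clock()
        st = self.state.setdefault(ip, IpState())
        if st.failures and now - st.window_started > self.policy.retry_reset_seconds:
            st.failures = 0  # stale window: start counting afresh
        if st.failures == 0:
            st.window_started = now
        st.failures += 1
        if st.failures >= self.policy.allowed_retries:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures = 0  # the retry counter restarts once the lockout ends
            self.lockout_log.append((now, ip, username, via))
            return self.check(ip)[1]
        remaining = self.policy.allowed_retries - st.failures
        return f"{_plural(remaining, 'attempt')} remaining."

    def record_success(self, ip: str) -> None:
        """Intentionally does not reset the failure count (see the FAQ):
        if it did, anyone holding one valid account could interleave a
        successful login every few guesses and never be locked out."""
        return None


if __name__ == "__main__":
    limiter = LoginLimiter(LockoutPolicy())
    for _ in range(4):
        print(limiter.record_failure("198.51.100.7", "admin"))  # constructed sample IP
    print(limiter.check("198.51.100.7"))
```

The clock is injected so the expiry and reset windows can be exercised without waiting; in a real deployment the per-IP state would live in persistent storage shared by all PHP workers rather than in a process-local dictionary.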

Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish

Plugin uses standard actions and filters only.

Download

You can always find the latest version to download here.

Installation

  1. Download and extract plugin files to a folder in your wp-content/plugin directory.
  2. Activate the plugin through the WordPress admin interface.
  3. Customize the settings from the options page, if desired. If your server is located behind a reverse proxy, make sure to change this setting.

Requires at least WordPress 2.8, tested up to WordPress 3.1-RC4.

Screenshots

  1. Loginscreen after failed login with retries remaining
  2. Loginscreen during lockout
  3. Administration interface in WordPress 2.7

FAQ

  • Why not reset failed attempts on a successful login?
    This is very much by design. Otherwise you could brute force the “admin” password by logging in as your own user every 4th attempt.
  • What is this option about site connection and reverse proxy?
    A reverse proxy is a server in between the site and the Internet (perhaps handling caching or load-balancing). This makes getting the correct client IP to block slightly more complicated. The option defaults to NOT being behind a proxy — which should be by far the most common case.
  • How do I know if my site is behind a reverse proxy?
    You probably are not or you would know. We show a pretty good guess on the option page. Set the option using this unless you are sure you know better.
  • What do I do if I get a notice about it being unable to replace wp_get_current_user()?
    Limit Login Attempts no longer replaces any pluggable functions.
  • Why write a new plugin instead of using Login Lockdown?
    When looking at it I was not satisfied with how Login Lockdown solved the technical issues. Then I also found a number of ways to improve things: handle auth cookie logins, show users how many login attempts remain and for how long they are locked out, and have the option to notify the admin about lockdowns.

73 Responses to “Limit Login Attempts”

  1. Pietro says:

    Hello,
    We are using your plugin... and so we thought to make a link at your page ;)

    http://www.automotivespace.it/connessioni/

    Many thanks

  2. Gary says:

    The log of lockout IP addresses worked on first install but after using the clear log button, the locked-out IP addresses are no longer displayed. The header and clear log button are also missing. Have you got any suggestions to fix?

  3. Gary says:

    Sorry, meant to say after using the clear log button, new subsequent lockouts are not appearing even though I've been getting notification via email telling me there have been failed login attempts.

  4. Mau says:

    The same issue here. The log went missing after I cleared it.
    An improvement would be an option to send the emails to a different address.

  5. Gary, Mau

    Thanks for the report. This is fixed in 1.6.2. Sorry for the delay.

  6. Keith Davis says:

    Hi Johan
    Great plugin - just updated.

    Thanks for doing such a great job.
    I use your plugin on all my clients sites.

    Your plugin is much appreciated.

  7. Marcus says:

    Hey Johan,

    Great plugin! I have used it for years.

    It would be super to see the dates in the logout log. Right now we see the IPs and the usernames. Then I'd like to see a third column with the dates -- and perhaps a drop-down or something when there were more than one tries per IP/UN.

    Either way, keep it up!

  8. Gary P says:

    Have just installed the updated plugin but the log is still not showing. Do I have to wait until there's another lockout (post-installation) or do I have to clear database entries (if so, which ones)?

  9. New lockouts will show in the log.

  10. Hi,

    I just updated the Limit Logins plugin a couple of days ago. This morning, when I tried to login, the plugin would not recognize any of my userids or passwords. Yet, when I went to one of my posts and clicked the "Site Admin" link, I got to the admin page without any problem. Very strange.

    Since I can't tell what's going on, I deactivated the plugin for the moment to avoid getting completely locked out. Has anyone else run into this problem?

    Thanks,

    Chris

  11. I haven't had any reported problems so far, and I cannot think of anything that could result in your situation. You obviously get logged in and the correct cookie set, or you would not get the admin bar at all.

    Do you have any other plugin that does login related stuff?

  12. Jackieyo says:

    Thanks for this plugin, it's very useful.

  13. elsim says:

    One question: how do I display the date in the log block?
    Showing the date of each login attempt is important.

  14. Mark says:

    Johan,
    Great plugin. Any thoughts about adding a way to configure what email address the admin logs are sent to? It would be nice to be able to send alerts to another email address rather than the default WP admin email.

  15. Mike says:

    Hi Johan,
    How do I customize, as I don't get the normal Options configuration panel in my dashboard?
    Regards
    Mike

  16. Once the plugin is activated there should be an option page under the "Settings" menu.

    Something like:
    http:///wp-admin/options-general.php?page=limit-login-attempts

    Nothing is shown on the dashboard page right now.

  17. scott4design says:

    On my most popular site I used your login and it opened my eyes to stuff going on I had never noticed before. Thanks...

    Is there a tool in your plugin to help with something like this? Or any recommendation?

    Lockout log

    IP Tried to log in as
    213.251.189.201 justin82 (3 lockouts)
    67.228.21.218 justin82 (2 lockouts)
    62.75.244.128 justin82 (6 lockouts)
    74.53.173.146 justin82 (6 lockouts)
    200.0.176.43 justin82 (4 lockouts)
    208.69.122.25 justin82 (4 lockouts)
    193.202.110.175 justin82 (4 lockouts) ... and it continues

  18. If you only allow login from admin-type users you can tighten the plugin settings somewhat, but default settings are safe as long as you have decent passwords.

    With a strong password it would take millions of years to brute-force crack, even with multiple IPs trying. Still annoying though.

    I recommend 12+ random character passwords and preferably a password manager.

  19. scott4design says:

    Right on... thanks for answering. Annoying is right. I read an article about recommended security for wordpress and your widget was on the list. When I loaded it I saw things that I did not know were going on... I have seriously beefed up security.

    Thanks for writing this, it's cool.

    Cheers

  20. MisterE says:

    I use this plugin in combination with "login logger". I notice that when a user is locked out, every attempt is still logged by "login logger". I'm worried it will flood my server DB.
    Is it possible to add a feature to stop processing other plugins when locked?

    (I don't know what a hacker uses to brute-force. But do their scripts see the "locked" status?)

  21. Regina says:

    Thanks for a great plugin. A Russian IP is trying to get into a blog I manage. I'm glad I was able to block them.

  22. MisterE says:

    Another feature request: I'd like to have a whitelist feature for users. This is handy for creating a second admin account which can always unlock.

  23. Marcus says:

    Hey Johan, any news as to when you'll include the dates in the logout log? :-)
