Limit Login Attempts
A WordPress plugin

Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable.
Description
Limit the number of login attempts possible both through normal login as well as using auth cookies.
By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
Features
- Limit the number of retry attempts when logging in (for each IP). Fully customizable
- Limit the number of attempts to log in using auth cookies in same way
- Informs user about remaining retries or lock out time on login page
- Optional logging, optional email notification
- Handles server behind reverse proxy
Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish
The plugin uses standard WordPress actions and filters only.
Download
You can always find the latest version to download here.
Installation
- Download and extract the plugin files to a folder in your wp-content/plugins directory.
- Activate the plugin through the WordPress admin interface.
- Customize the settings from the options page, if desired. If your server is located behind a reverse proxy, make sure to change that setting.
Requires at least WordPress 2.8, tested up to WordPress 3.1-RC4.
Screenshots
- Loginscreen after failed login with retries remaining
- Loginscreen during lockout
- Administration interface in WordPress 2.7
FAQ
- Why not reset failed attempts on a successful login?
This is very much by design. Otherwise you could brute force the “admin” password by logging in as your own user every 4th attempt.
- What is this option about site connection and reverse proxy?
A reverse proxy is a server in between the site and the Internet (perhaps handling caching or load-balancing). This makes getting the correct client IP to block slightly more complicated. The option defaults to NOT being behind a proxy — which should be by far the common case.
- How do I know if my site is behind a reverse proxy?
You probably are not, or you would know. We show a pretty good guess on the options page. Set the option using this unless you are sure you know better.
- What do I do if I get a notice about it being unable to replace wp_get_current_user()?
Limit Login Attempts no longer replaces any pluggable functions.
- Why write a new plugin instead of using Login Lockdown?
When looking at it I was not satisfied with how Login Lockdown solved the technical issues. Then I also found a number of ways to improve things: handle auth cookie logins, show users how many login attempts remain and for how long they are locked out, and have the option to notify the admin about lockouts.
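The lockout policy the Description and FAQ describe (per-IP retry limit, timed lockout, no reset on a successful login, and client IP taken from the proxy header only when the reverse-proxy option is on) can be modelled as follows. This is an added example for illustration, not the plugin's own PHP code; the names `client_ip`, `LoginLimiter` and `interleaved_guessing` are assumptions, and `interleaved_guessing` shows why the FAQ's "no reset" rule matters by comparing both policies.

```python
# Model of the per-IP lockout policy this page describes. Added example,
# not the plugin's PHP code; class/function names are assumptions. Time is
# passed in explicitly so the logic can be exercised without waiting.
from dataclasses import dataclass, field


def client_ip(remote_addr: str, x_forwarded_for: str = "", behind_proxy: bool = False) -> str:
    """Return the address attempts are counted against.

    X-Forwarded-For is only trusted when the site is configured as behind a
    reverse proxy; otherwise the header is client-controlled and could be used
    to lock out arbitrary addresses or to sidestep the per-IP counter.
    """
    if behind_proxy and x_forwarded_for:
        # the proxy puts the real client first in the comma-separated chain
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


@dataclass
class LoginLimiter:
    allowed_retries: int = 4          # "every 4th attempt" in the FAQ
    lockout_seconds: int = 20 * 60    # constructed value: 20-minute lockout
    reset_on_success: bool = False    # plugin behaviour: do NOT reset (FAQ)
    retries: dict = field(default_factory=dict)   # ip -> failed attempts
    lockouts: dict = field(default_factory=dict)  # ip -> lockout end (epoch s)

    def lockout_remaining(self, ip: str, now: float) -> int:
        """Seconds left on an active lockout, or 0 if the IP is not locked."""
        until = self.lockouts.get(ip, 0)
        if until > now:
            return int(until - now)
        self.lockouts.pop(ip, None)   # an expired lockout is forgotten
        return 0

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Process one login; returns 'locked', 'ok' or 'fail:<remaining>'."""
        if self.lockout_remaining(ip, now):
            return "locked"           # rejected without checking the password
        if password_ok:
            if self.reset_on_success:
                self.retries.pop(ip, None)
            return "ok"
        n = self.retries.get(ip, 0) + 1
        if n >= self.allowed_retries:
            # limit reached: start the lockout and clear the counter
            self.lockouts[ip] = now + self.lockout_seconds
            self.retries.pop(ip, None)
            return "locked"
        self.retries[ip] = n
        return f"fail:{self.allowed_retries - n}"   # "x attempts remaining"


def interleaved_guessing(limiter: LoginLimiter, ip: str, rounds: int) -> bool:
    """FAQ scenario: three wrong guesses, then one valid login to the attacker's
    own account, repeated. Returns True if a lockout is ever triggered."""
    t = 0.0
    for _ in range(rounds):
        for password_ok in (False, False, False, True):
            if limiter.attempt(ip, password_ok, t) == "locked":
                return True
            t += 1.0
    return False
```

With `reset_on_success=False` the fourth wrong guess triggers a lockout even though a valid login came in between; with the reset policy the guessing never trips the limit, which is the weakness the FAQ's design choice avoids.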
Hi People
How are you doing?
Hi author, I want to translate your plugin into Russian. Please tell me your email; simply reply to me. Thanks, Fat Cow
Sounds like the plugin I've been looking for! Will it work with WordPress MU? Any idea how it might work with users logging in via Simple:Press Forums?
Our server blocks IPs after 5 failed attempts, but people still lock themselves out. I like the warning messages your plugin implements.
Thanks!
Thank you.
I know people have used it with MU -- apparently successfully -- but I have not tested myself.
I took a brief look at Simple:Press and it appears at first glance to use the normal WP login functions which should make the core functionality work though the warnings will probably not show up in what looked like various inline login forms.
Please report any success or failure!
@Johan
Plugin looks great... I've installed it on a development site I have set up on a local server using XAMPP. If all goes well, I will use on live site.
Good feature is that it doesn't tell you if the username or password is incorrect, so it doesn't give the hackers any clues.
When I test it on my local site, and eventually lock myself out, does deactivating and reactivating the plugin return the failed attempts to zero? Or do I have to remove and reinstall the plugin?
Thanks for sharing.
It can be noted though that there are numerous more subtle ways to find valid user login names in stock wordpress -- the big target for plugin version 2 (unfortunately delayed and still in beta).
Re. lockouts:
The plugin admin page allows you to reset current lockouts. Unfortunately, you have to be able to login to get there...
Currently I never clear active lockouts in any other case (even reinstall) -- I'll put it on the todo list, it is a good idea.
If you have access to the database and are comfortable with SQL (HACK WARNING) you can remove them directly (`UPDATE wp_options SET option_value = '' WHERE option_name = 'limit_login_lockouts'`).
I would recommend using a short lockout time while evaluating the plugin. Deactivating the plugin will obviously let you login.
@Johan
Sent details of your plugin to Shinephp and the guy over there did a review... see link below:
http://www.shinephp.com/limit-login-attempts-1-4-1-wordpress-plugin-r...
He recommended your plugin over Login Lockdown.
I will install on my live site.
Just thought I'd provide some MU / Simple:Press feedback... using our dev. environment, v2.0b3 seemed to work perfectly on our main blog running WPMU 2.8.5.2. It also seems to play nice with Simple:Press since any login errors are shown on the WP login screen, not inline on the Forums page.
I may or may not install this on our production site quite yet though, for the following reason. Limit-Login must be placed in the Plugins folder to work, and then it only works for the blog on which it is activated. We do not want to give all users this level of control. Using WPMU Plugin Manager, I limited activation to the main blog only, and this solves half the problem – sub blogs no longer have access to the plugin, but then it no longer limits/logs login attempts on those blogs either.
Since our primary concern is users locking themselves out after 5 failed logins (via our firewall settings) when signing in on the Forums page, this plugin may very well meet our needs, since only a few users may be logging in directly via their own blog.
I like the ample warning it provides, and how it logs IP addresses. A nice feature would be the ability to remove ban from specific IPs, instead of all at once.
Thanks again, keep up the good work!
Thanks for the feedback.
I've been looking at MU recently and hope to add real support for it once I get 2.0 out the doors.
Amazing plugin.
However, I wish that it can work well with Login with Ajax plugin/widget, as I noticed that the error message produced by the Limit Login Attempts plugin isn't immediately displayed on the Login with Ajax widget. It appears that's a loop delay ... Strange??
Please keep me posted if there's a possible solution to this 'hiccup' ...
Cheers ... Jason
Would love better support for MU if possible! Loving what this plugin provides so far on the main blog! Thanks for your work.
Very cool Plugin ! Thanks!
How does this plugin work in WordPress 2.9.1?
Hey,
I use WordPress MU (2.9.1.1) and I just spent some time reworking the plugin (1.4.1) to be more MU friendly. I will mention that this plugin works FANTASTICALLY with WordPress MU 2.9.1.1.... Other MU users may find this useful... A couple of things...
First, I set the variables at the top of the plugin's .php file that I wanted to be global. The file is very well noted by the author, OMG thank you! Very easy to control what variables the plugin activates with, thanks to great coding and thoughtful notation.
Then I changed the function that mails lockout notifications to the administrator, so that it will email the super site admin (me) rather than that particular sub blog's admin. What I did was modify the get_option on line 394 to say:
@wp_mail(get_site_option('admin_email'), $subject, $message);
Then, I changed the code where it constructs the plugin's dashboard submenu. I changed it so that it would show under the site admin menu instead of Settings. That way only the super site admin can see it and not the sub blog administrators. I changed line 607 to:
add_submenu_page('wpmu-admin.php', 'Limit Login Attempts', 'Limit Login Attempts', 10, 'limit-login-attempts', 'limit_login_option_page');
Then I used the plugin manager to auto-activate the plugin for all users sitewide. That way any newly generated blogs will automatically activate the plugin with the settings I want, and having moved the menu, users can't modify them.
It is important to note that if the plugins menu is accessible to your users, they can deactivate the plugin. Rather than attempt to solve this, I will just hope that my users are not that stupid.
Hope this helps...
Oh, the settings I changed to my liking were:
login attempts moved to 5,
lockout time decreased to 15 min.
lockout log settings changed to 'log, email'
and notify email after 1 lockout
Johan,
I've made a Dutch translation for your nice plugin. I've made it already available through my own website, but I hope you will add it to the plugin so no extra steps are needed any more to use your plugin in Dutch.
The translation zip file can be downloaded here: http://www.burobjorn.nl/blog/wp-content/uploads/2010/03/limit-login-a...
Thanks for providing your plugin to the community!
All the best,
Bjornw
Hi.
I'm looking for an addon like this but with a captcha function instead of blocking the login form. Can you add this feature? Or if you want, I can tell you my idea, modify the code and send the patch.
Big regards
Hello,
Will you be adding support for preventing multiple people logging into an account even if they know the correct passwords? I want to lock out people that share their account details too. Something similar to this: http://www.newmedias.co.uk/your-minder/ I love yours and need it, but also need the capabilities of what the other developer offers.
Is that something you would consider adding into your functionality? Or do you suggest that I get both?
Thanks,
Richard Wing
Hello
I just finished the French translation of your plugin: limit-login-attempts
You'll find it here: http://doku.host56.com/wplugins/limit-login-attempts-fr_FR.zip
Can be integrated into a future version?
Thank you in advance!
oVa
Hi Johan
I've made a Brazilian Portuguese translation for this plugin, based on version 2.0beta3. I've made it available through Mediafire: http://www.mediafire.com/?kjyrfx96b0xfo49
I hope you include it in 2.0final. Also, feel free to contact me via e-mail, for future updates.
Regards.
Gervásio.
request: in the Lockout log, date and time would be great!
I would also love a dashboard stats window.
Weston,
Thanks for the suggestion. I'll probably add that.
awesome plugin thanks a lot ! It helped me detect people trying to break in quite a few times
Hi, Johan.
While testing a translation service site, I made a Finnish translation for this plugin. It can be found at:
http://crowdin.net/project/wp-limit-login-attempts-plugin
Feel free to download it, include it in build, etc.
Feedback on translation accuracy also appreciated (if there're any Finns online).
-Ari
Ari,
Thank you. I'll queue it up for next release.
Not working under WP 3.01
Limit Login Attempts is a great plugin, but I'm afraid there is a tiny regression in it (as of 1.5.1):
When you fail to login, the login counter for your IP address is increased by one. If you successfully login on the next attempt (and here is the bug:) the attempts counter should be restored to zero, but it remains unchanged.
Although I believe "resetting to zero" is a mandatory feature, if you think it may not be desirable by all users, you can make it a config option.
Keep up the good work!
Beatus,
Could you describe the problem in more detail? Perhaps mail me the details as johan.eenfeldt@kostdoktorn.se? What is not working, what happens instead, version of plugin, etc.
Huji,
That is very much by design, and has been that way since day 0.
Otherwise it would be possible to attack admin using 1 less than the allowed retries, then reset retries by logging in to a normal account.
Hi Johan,
It seems something strange is going on with this plugin on my site.
I go to my blog, go to the login page, and when I get there, it already says "too many failed login attempts" and locks me out for 19 minutes. Even if I haven't been to my blog for a week or so. What does this mean?
Thanks in advance,
Nicole
Nicole,
Thank you for the report.
I won't be able to investigate in detail until this evening (local time) but it sounds like there is a bug in how the plugin handles failed cookie login. If old cookies don't get cleared as they should, it results in a failed login on each pageload -- on the login page or not.
I made what I thought was a small simplification in that code for the latest release, so it is possible I made an error.
Try to disable cookie login handling in the plugin options.
I'll check it in a few hours.
Hmm, having looked at it and tested the code I cannot find any problems. It still sounds like something regarding auth cookie handling, but I cannot see how it could happen.
Do you use any plugins that affect login and/or cookie behaviour?
Great plugin and I'll queue it up for next release.
Good job all!
Thank you!
Thanks for the great plug in. I'm recommending it for all my clients.
I too have seen the too many failed login attempts message, and indeed disabling the cookie login handling takes care of it.
On this particular site, there is a simple:press forum, as well as a content protection script (DAP), and I'm just wondering if those could be part of the cause. I know that the forum "remembers" me pretty much indefinitely, but I'm prompted to login to the content-protected area.
Additionally, the "Secret keys" and "Salt" in wp-config was updated from the defaults a few days prior to noticing the problem. No idea if that could be part of the cause. Seems like after happening maybe once, it should be good to go.
Anyway, disabling the cookie handling solves it, but wanted to provide a little more info in case it triggers any thoughts on what might be happening!
Thanks again,
Tim
This is a great plugin.
Are there plans to add the ability to set safe IP addresses? I have a couple of WP sites, and it seems that when I login to one and then try to log in to the other, I get locked out. I get in by deleting the file but I wish I could set my IP as a safe location.
Hi, I experienced something that looks similar to what Huji wrote above:
After a failed login attempt and a subsequent successful login, I log out and there is still that warning message "x attempts remaining". I think this can be quite confusing. Even if it makes sense to keep on counting for a certain time after a successful login, it would be good not to display that warning directly after logging out. I would display it again only after another failed login has occurred. The warning is useful as information only when a login has failed right before.
Also, I would appreciate an option in the settings to reset counting to zero after *every* successful login. This still gives a good deal of protection because logging in every xth time with a known password in order to guess the admin password would take quite a while and some admins might be willing to take that risk.
thanks
Also want to recommend another plugin that's called "badbehavior"; it blocks a lot of bots and other things that spider around on the web.
Hello, my hosting company has isolated a problem that keeps bringing down our website. I'm contacting the developers of all the plugins I'm using to see if it could be their plugin that's the cause of this problem. Listed below:
Hello Chris,
The problem you are having is due to some processes running on
74.43.13.1 and 12.166.36.250 that are trying to connect to closed ports
resulting in one-hour blocks of the IPs by the hosting server's
firewall. For example, we are seeing a large number of attempts to
access port 389 which is the LDAP port even though we don't offer LDAP
services. Similar hits are seen coming from both 74.43.13.1 and
12.166.36.250.
Nov 17 13:27:41 *TCP_IN Blocked* SRC=74.43.13.1 DST=209.236.73.59
PROTO=TCP SPT=14368 DPT=389
Nov 17 13:27:43 *TCP_IN Blocked* SRC=74.43.13.1 DST=209.236.73.59
PROTO=TCP SPT=14346 DPT=389
Nov 17 13:27:47 *TCP_IN Blocked* SRC=74.43.13.1 DST=209.236.73.59
PROTO=TCP SPT=14368 DPT=389
Another example, is a process running from port 60073 on 12.166.36.250
today that scanned UDP ports 33590 through 33623 between 12:16:37 MST
and 12:19:22 MST. This port scan resulted in the following one-hour
block:
Nov 17 12:19:26 *Port Scan* detected from 12.166.36.250 (US/United
States/-). 21 hits in the last 102 seconds - Blocked for 3600 secs
Nov 17 13:19:30 Incoming IP 12.166.36.250 temporary block removed
The processes running on 74.43.13.1 and 12.166.36.250 that are scanning
our hosting server's ports need to be stopped. If they continue to run,
the IPs will continue to get blocked as they have dating back to
November 3. Some of the firewall's blocks last one hour and some last
three hours or more depending on the perceived severity.
Any chance of an IP white list section being added to the plugin at all?
Hi!
I have switched on WP_DEBUG on my test blog and try to minimize PHP notices which are output. Your plugin is responsible for one of them: "Notice: load_plugin_textdomain was called with an argument that is deprecated since version 2.7 with no alternative available."
The correct syntax of line 99 in the plugin file should be:
load_plugin_textdomain('limit-login-attempts', false, dirname(plugin_basename(__FILE__)));
See: http://codex.wordpress.org/Function_Reference/load_plugin_textdomain
It would be great if you could change this for the next plugin release! Thanks a lot for coding this in the first place!
Regards,
Johannes
Johannes,
Will fix. Thank you!
I changed my URLs in WordPress from mysite.com to http://www.mysite.com and when I tried to log in the plugin started counting attempts and now I am locked out of my site.
How do I get back in?
To remove lockout:
http://wordpress.org/extend/plugins/limit-login-attempts/faq/
... and thank you for the report. I've been chasing the bug where cookie limit will sometimes kick in and apparently not clear invalid cookies. This gives me another idea to test.
It would be very nice if you update the changelog
I have, but apparently it takes a while to update on wordpress.org sometimes. Check the readme.txt for now!
Turkish
Last time, I tried Login Lockdown on a local server. It messed up my local test site and locked me out. I'm gonna try this version and hope it works for me. A lot of my blogger friends are recommending this and feeling really secure about their blogs.
Hope it works out better for you. Please check the FAQ if you lock yourself out testing this thing.
When this plugin was suggested, I wondered why anyone would want to log into my website. I still do not know the answer but for the past 5 days, someone has been trying to get into my admin page. I have had about 20 "Too many failed login attempts" emails. Although I am sure it is only one hacker, there have been at least 3 different IP addresses. Thank you for protecting my work.
Great plugin! I'm using it on several sites and have never had a problem with it.
If you accept donations for your work I'd love to buy you a cup of coffee.
I installed it, nice plugin.
I enabled it, and I still see I am getting hammered by some remote server that keeps on trying anyway. I am sure it does not know it is "blocked". A nice hack/extension would be to optionally add the offending IP address to .htaccess. Even if you lock yourself out accidentally, you could update the .htaccess file.
Maybe another idea is to perhaps not send *any* response to reduce the frequency of the attacks.
Mace, thanks for your comments. It is a situation I've thought a bit about.
From a password security angle it doesn't matter really if they keep trying once you've got this plugin active. They will not be able to brute force the password. You still want to use a decent password to be safe of course, in which case we're talking age of the universe timespan to break it.
It is still annoying though. If they do it often enough it might also be considered a DOS security issue.
There is the issue however of multiple users behind the same NAT/proxy (at a company or university for example).
Right now they won't be able to log in if they have a bad guy on the same network. If you block the IP in .htaccess they won't be able to access the site at all. And this is a situation that will get more and more common now that we're kind of out of IPv4 addresses.
It would also require the .htaccess file to be writable by the web server at all times, which is a security issue of its own.
I'm still thinking about it, but I don't think it would be a good idea for most people.