Limit Login Attempts
A WordPress plugin

Loginscreen during lockout
Limit rate of login attempts, including by way of cookies, for each IP.
NEW: Consider trying version 2.0beta3 (check readme for details).
Description
Limit the number of login attempts possible both through normal login as well as (WordPress 2.7+) using auth cookies.
By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
Features
- Limit the number of retry attempts when logging in (for each IP). Fully customizable
- (WordPress 2.7+) Limit the number of attempts to log in using auth cookies in same way
- Informs user about remaining retries or lock out time on login page
- Optional logging, optional email notification
- Handles server behind reverse proxy
Translations: Bulgarian, Catalan, Czech, German, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish
Plugin uses standard actions and filters only.
Download
You can always find the latest version to download here.
Installation
- Download and extract plugin files to a folder in your wp-content/plugin directory.
- Activate the plugin through the WordPress admin interface.
- Customize the settings from the options page, if desired. If your server is located behind a reverse proxy make sure to change this setting.
Requires at least WordPress 2.5, tested up to WordPress 2.8.4. There is a known incompatibility with the Absolute Privacy plugin (it replaces a pluggable function which I cannot work around while supporting WordPress versions prior to 2.8).
Screenshots
- Loginscreen after failed login with retries remaining
- Loginscreen during lockout
- Administration interface in WordPress 2.7
- Administration interface in WordPress 2.5
FAQ
- What is this option about site connection and reverse proxy?
A reverse proxy is a server in between the site and the Internet (perhaps handling caching or load-balancing). This makes getting the correct client IP to block slightly more complicated. The option defaults to NOT being behind a proxy, which should be by far the common case.
- How do I know if my site is behind a reverse proxy?
You probably are not or you would know. We show a pretty good guess on the option page. Set the option using this unless you are sure you know better.
- What do I do if I get a notice about it being unable to replace wp_get_current_user()?
Limit Login Attempts no longer replaces any pluggable functions.
- Why write a new plugin instead of using Login Lockdown?
When looking at it I was not satisfied with how Login Lockdown solved the technical issues. Then I also found a number of ways to improve things: handle auth cookie login, show users how many login attempts remain and for how long they are locked out, and have the option to notify the admin about lockouts.
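A minimal per-IP limiter in the shape the Description and FAQ above outline, written here as an added example (not the plugin's own code, and not tied to any version of it): the `lla_demo_*` function names and option keys are hypothetical, while the WordPress hooks and option functions used are real. It also follows the author's point in the comments below that a successful login must never reset the retry count.

```php
<?php
// Added example, not the plugin's own code. lla_demo_* names are hypothetical;
// the hooks and option API used (wp_login_failed, authenticate, get_option) are real.
define('LLA_DEMO_ALLOWED_RETRIES', 4);        // lockout after 4 failures
define('LLA_DEMO_LOCKOUT_SECONDS', 20 * 60);  // 20 minute lockout
define('LLA_DEMO_BEHIND_PROXY', false);       // the "site connection" option
// X-Forwarded-For is client-controlled unless a trusted reverse proxy sets it,
// so it is only consulted when the admin has said the site is behind one.
function lla_demo_client_ip() {
    if (LLA_DEMO_BEHIND_PROXY && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        return trim(strtok($_SERVER['HTTP_X_FORWARDED_FOR'], ','));
    }
    return $_SERVER['REMOTE_ADDR'];
}

// Unix time at which the lockout for $ip ends, or 0 if it is not locked out.
function lla_demo_lockout_ends($ip) {
    $lockouts = get_option('lla_demo_lockouts', array());
    return (isset($lockouts[$ip]) && $lockouts[$ip] > time()) ? $lockouts[$ip] : 0;
}

// Count each failure and start a lockout at the limit. Nothing resets the count
// on a later success: N-1 guesses at admin could otherwise be wiped via any other account.
function lla_demo_on_failed($username) {
    $ip = lla_demo_client_ip();
    if (lla_demo_lockout_ends($ip)) return;   // already locked out, do not double count
    $retries = get_option('lla_demo_retries', array());
    $retries[$ip] = isset($retries[$ip]) ? $retries[$ip] + 1 : 1;
    if ($retries[$ip] >= LLA_DEMO_ALLOWED_RETRIES) {
        $lockouts = get_option('lla_demo_lockouts', array());
        $lockouts[$ip] = time() + LLA_DEMO_LOCKOUT_SECONDS;
        update_option('lla_demo_lockouts', $lockouts);
        unset($retries[$ip]);                  // the lockout now carries the state
    }
    update_option('lla_demo_retries', $retries);
}
add_action('wp_login_failed', 'lla_demo_on_failed');

// Runs after core's own username/password check (priority 20). During a lockout
// every outcome, WP_User or WP_Error, becomes the same generic error, so the
// form cannot be used to tell valid usernames from invalid ones.
function lla_demo_authenticate($user, $username, $password) {
    if ($username === '') return $user;       // plain page load, nothing to judge
    $ends = lla_demo_lockout_ends(lla_demo_client_ip());
    if (!$ends) return $user;
    $minutes = max(1, (int) ceil(($ends - time()) / 60));
    return new WP_Error('too_many_retries', sprintf(
        '<strong>ERROR</strong>: Too many failed login attempts. Try again in %d minutes.', $minutes));
}
add_filter('authenticate', 'lla_demo_authenticate', 30, 3);
```

Dropped into a file under wp-content/plugins with a plugin header, this enforces the limit for one blog; the admin page, logging and e-mail notification the real plugin adds are left out.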
Version History
- Version 1.4.1
- Added Turkish translation, thanks to Yazan Canarkadas
- Version 1.4
- Protect admin page update using wp_nonce
- Added Czech translation, thanks to Jakub Jedelsky
- Version 1.3.2
- Added Bulgarian translation, thanks to Hristo Chakarov
- Added Norwegian translation, thanks to Rune Gulbrandsøy
- Added Spanish translation, thanks to Marcelo Pedra
- Added Persian translation, thanks to Mostafa Soufi
- Added Russian translation, thanks to Jack Leonid (http://studio-xl.com)
- Version 1.3.1
- Added Catalan translation, thanks to Robert Buj
- Added Romanian translation, thanks to Robert Tudor
- Version 1.3
- Support for getting the correct IP for clients while server is behind reverse proxy, thanks to Michael Skerwiderski
- Added German translation, thanks to Michael Skerwiderski
- Version 1.2
- No longer replaces pluggable function when cookie handling active. Re-implemented using available actions and filters
- Filter error messages during login to avoid information leak regarding available usernames
- Do not show retries or lockout messages except for login (registration, lost password pages). No change in actual enforcement
- Slightly more aggressive in trimming old retries data
- Version 1.1
- Added translation support
- Added Swedish translation
- During lockout, really filter out all other login errors
- Minor cleanups
- Version 1.0
- Initial release
Hi People
How are you doing?
Hi author, I want to translate your plugin into Russian. Please tell me your email, simply reply to me. Thanks, Fat Cow
Sounds like the plugin I've been looking for! Will it work with WordPress MU? Any idea how it might work with users logging in via Simple:Press Forums?
Our server blocks IPs after 5 failed attempts, but people still lock themselves out. I like the warning messages your plugin implements.
Thanks!
Thank you.
I know people have used it with MU -- apparently successfully -- but I have not tested myself.
I took a brief look at Simple:Press and it appears at first glance to use the normal WP login functions which should make the core functionality work though the warnings will probably not show up in what looked like various inline login forms.
Please report any success or failure!
@Johan
Plugin looks great... I've installed it on a development site I have set up on a local server using XAMPP. If all goes well, I will use on live site.
Good feature is that it doesn't tell you if the username or password is incorrect, so it doesn't give the hackers any clues.
When I test it on my local site, and eventually lock myself out, does deactivating and reactivating the plugin return the failed attempts to zero? Or do I have to remove and reinstall the plugin?
Thanks for sharing.
It can be noted though that there are numerous more subtle ways to find valid user login names in stock wordpress -- the big target for plugin version 2 (unfortunately delayed and still in beta).
Re. lockouts:
The plugin admin page allows you to reset current lockouts. Unfortunately, you have to be able to login to get there...
Currently I never clear active lockouts in any other case (even reinstall) -- I'll put it on the todo list, it is a good idea.
If you have access to the database and are comfortable with SQL (HACK WARNING) you can remove them directly (`UPDATE wp_options SET option_value = '' WHERE option_name = 'limit_login_lockouts'`).
I would recommend using a short lockout time while evaluating the plugin. Deactivating the plugin will obviously let you login.
@Johan
Sent details of your plugin to Shinephp and the guy over there did a review... see link below:
http://www.shinephp.com/limit-login-attempts-1-4-1-wordpress-plugin-r...
He recommended your plugin over Login lockdown
I will install on my live site.
Just thought I'd provide some MU / Simple:Press feedback... using our dev. environment, v2.0b3 seemed to work perfectly on our main blog running WPMU 2.8.5.2. It also seems to play nice with Simple:Press since any login errors are shown on the WP login screen, not inline on the Forums page.
I may or may not install this on our production site quite yet though, for the following reason. Limit-Login must be placed in the Plugins folder to work, and then it only works for the blog on which it is activated. We do not want to give all users this level of control. Using WPMU Plugin Manager, I limited activation to the main blog only, and this solves half the problem – sub blogs no longer have access to the plugin, but then it no longer limits/logs login attempts on those blogs either.
Since our primary concern is users locking themselves out after 5 failed logins (via our firewall settings) when signing in on the Forums page, this plugin may very well meet our needs, since only a few users may be logging in directly via their own blog.
I like the ample warning it provides, and how it logs IP addresses. A nice feature would be the ability to remove ban from specific IPs, instead of all at once.
Thanks again, keep up the good work!
Thanks for the feedback.
I've been looking at MU recently and hope to add real support for it once I get 2.0 out the door.
Amazing plugin.
However, I wish that it can work well with the Login with Ajax plugin/widget, as I noticed that the error message produced by the Limit Login Attempts plugin isn't immediately displayed on the Login with Ajax widget. It appears there's a loop delay ... Strange??
Please keep me posted if there's a possible solution to this 'hiccup' ...
Cheers ... Jason
Would love better support for MU if possible! Loving what this plugin provides so far on the main blog! Thanks for your work.
Very cool Plugin ! Thanks!
How does this plugin work in WordPress 2.9.1?
Hey,
I use WordPress MU (2.9.1.1) and I just spent some time reworking the plugin (1.4.1) to be more MU friendly. I will mention that this plugin works FANTASTICALLY with WordPress MU 2.9.1.1.... Other MU users may find this useful... A couple of things...
First, I set the variables at the top of the plugin's .php file I wanted to be global. The file is very well noted by the author, OMG thank you! Very easy to control what variables the plugin activates with thanks to great coding and thoughtful notation.
Then I changed the function that mails lockout notification to the administrator, so that it will email the super site admin (me) rather than that particular sub blog's admin. What I did was modify the get_option in line 394 to say:
@wp_mail(get_site_option('admin_email'), $subject, $message);
Then, I changed the code where it constructs the plugin's dashboard submenu. I changed it so that it would show under the site admin menu instead of Settings. That way only the super site admin can see it and not the sub blog administrators. I changed line 607 to:
add_submenu_page('wpmu-admin.php', 'Limit Login Attempts', 'Limit Login Attempts', 10, 'limit-login-attempts', 'limit_login_option_page');
Then I used the plugin manager to auto-activate the plugin for all users sitewide. That way any newly generated blogs will automatically activate the plugin with the settings I want, and having moved the menu, users can't modify them.
It is important to note that if the plugins menu is accessible to your users, they can deactivate the plugin. Rather than attempt to solve this, I will just hope that my users are not that stupid.
Hope this helps...
Oh, the settings I changed to my liking were:
login attempts moved to 5,
lockout time decreased to 15 min.
lockout log settings changed to 'log, email'
and notify email after 1 lockout
Johan,
I've made a Dutch translation for your nice plugin. I've made it already available through my own website, but I hope you will add it to the plugin so no extra steps are needed any more to use your plugin in Dutch.
The translation zip file can be downloaded here: http://www.burobjorn.nl/blog/wp-content/uploads/2010/03/limit-login-a...
Thanks for providing your plugin to the community!
All the best,
Bjornw
Hi.
I'm looking for an addon like this but with a captcha function instead of block the login form. Can you add this feature? Or if you want I can tell you my idea, modify the code and send the patch.
Big regards
Hello,
Will you be adding support for preventing multiple people logging into an account even if they know the correct passwords? I want to lockout people that share their account details too. Something similar to this http://www.newmedias.co.uk/your-minder/ I love yours and need it but also need the capabilities of what the other developer offers.
Is that something you would consider adding into your functionality? Or do you suggest that I get both?
Thanks,
Richard Wing
Hello
I just finished the French translation of your plugin: limit-login-attempts
You'll find it here: http://doku.host56.com/wplugins/limit-login-attempts-fr_FR.zip
Can be integrated into a future version?
Thank you in advance!
oVa
Hi Johan
I've made a Brazilian Portuguese translation for this plugin, based on version 2.0beta3. I've made it available through Mediafire: http://www.mediafire.com/?kjyrfx96b0xfo49
I hope you include it in 2.0final. Also, feel free to contact me via e-mail, for future updates.
Regards.
Gervásio.
request: in the Lockout log, date and time would be great!
I would also love a dashboard stats window.
Weston,
Thanks for the suggestion. I'll probably add that.
awesome plugin thanks a lot ! It helped me detect people trying to break in quite a few times
Hi, Johan.
While testing a translation service site, I made Finnish translation for this plugin. It can be found from:
http://crowdin.net/project/wp-limit-login-attempts-plugin
Feel free to download it, include it in build, etc.
Feedback on translation accuracy also appreciated (if there're any Finns online).
-Ari
Ari,
Thank you. I'll queue it up for next release.
Not working under WP 3.01
Limit Login Attempts is a great plugin, but I'm afraid there is a tiny regression in it (as of 1.5.1):
When you fail to login, the login counter for your IP address is increased by one. If you successfully login on the next attempt (and here is the bug:) the attempts counter should be restored to zero, but it remains unchanged.
Although I believe "resetting to zero" is a mandatory feature, if you think it may not be desirable for all users, you can make it a config option.
Keep up the good work!
Beatus,
Could you describe the problem in more detail? Perhaps mail me the details as johan.eenfeldt@kostdoktorn.se? What is not working, what happens instead, version of plugin, etc.
Huji,
That is very much by design, and has been that way since day 0.
Otherwise it would be possible to attack admin using 1 less than the allowed retries, then reset retries by logging in to a normal account.
Hi Johan,
It seems something strange is going on with this plugin on my site.
I go to my blog, go to the login page, and when I get there, it already says "too many failed login attempts" and locks me out for 19 minutes. Even if I haven't been to my blog for a week or so. What does this mean?
Thanks in advance,
Nicole
Nicole,
Thank you for the report.
I won't be able to investigate in detail until this evening (local time) but it sounds like there is a bug in how the plugin handles failed cookie login. If old cookies don't get cleared as they should, it results in a failed login on each page load -- on the login page or not.
I made what I thought was a small simplification in that code for the latest release, so it is possible I made an error.
Try to disable cookie login handling in the plugin options.
I'll check it in a few hours.
Hmm, having looked at it and tested the code I cannot find any problems. It still sounds like something regarding auth cookie handling, but I cannot see how it could happen.
Do you use any plugins that affect login and/or cookie behaviour?
Great plugin and I'll queue it up for next release.
Good job alls!
Thank you!