I am happy to announce the release of Login LockDown, a new plugin for WordPress, designed to help increase security and reduce the chance of someone hacking into your WordPress installation.
With the way WordPress is currently set up, attackers are free to use bots for a brute-force style of attack that simply guesses at the admin password until they come up with the correct one. There are a couple of solutions out there, each with their own drawbacks. One suggested solution is to restrict which IPs can access the wp-admin folder via .htaccess. The two problems with that are that it prevents regular users from seeing their user preference page once they log in (which is the default page a user sees), and not every blogger is going to be logging in to their blog from the same IP all of the time.
Another solution involves a plugin that sets up a secondary password using Basic HTTP Authentication. While this will thwart many of the generic bots out there, if a blog is specifically targeted it is easy enough for a hacker to code a bot that will send repeated attempts against that login method as well, and again it does interfere with non-admin users when they attempt to log in (which is really a pain if the admin requires registration in order to comment).
Login LockDown takes a different approach. Every failed login attempt is recorded, along with the timestamp of the attempt and the IP address of the user. If a user tries (and fails) to log in too many times within a certain time period, the system then blocks any login requests coming from that IP range until the lock-out is released. The lock-out period defaults to 1 hour, although that can be changed within the admin panel. The number of retries, and the time period within which they must occur to trigger a lock-out, are also configurable from the admin section, and admins do have the ability to release an IP block manually (assuming of course that they haven’t locked themselves out 😀 ).
The download link for the plugin, as well as the instructions, are located on the Bad Neighborhood website, here: Login LockDown v1.0
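To make the lock-out logic described above concrete, here is a small stand-alone model of it in Python. This is an added example, not the plugin’s own PHP code: it logs failed attempts per IP with a timestamp, blocks the surrounding class C (/24) range once the retry threshold is hit inside the retry window, expires the block after the lock-out period, and supports a manual release. The thresholds other than the 1 hour default (5 retries within 5 minutes) are assumed values, not the plugin’s.

```python
import ipaddress
from collections import defaultdict


class LoginLockDown:
    """Model of the lock-out logic: failed logins are recorded per IP and
    the IP's /24 range is blocked once too many fail inside the window.
    The retry defaults here are assumptions; only the 1 hour lock-out
    default comes from the announcement."""

    def __init__(self, max_retries=5, retry_window=300, lockout_seconds=3600):
        self.max_retries = max_retries
        self.retry_window = retry_window      # seconds
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(list)     # ip -> [timestamp, ...]
        self.lockouts = {}                    # /24 network -> release time

    @staticmethod
    def network_of(ip):
        # Blocks are applied at class C granularity (a /24).
        return ipaddress.ip_network(f"{ip}/24", strict=False)

    def is_locked(self, ip, now):
        """True while the IP's /24 is inside an active lock-out."""
        net = self.network_of(ip)
        release = self.lockouts.get(net)
        if release is None:
            return False
        if now >= release:
            del self.lockouts[net]            # lock-out period has elapsed
            return False
        return True

    def record_failure(self, ip, now):
        """Log a failed login; returns True if it triggered a lock-out."""
        self.failures[ip].append(now)
        # Only attempts inside the retry window count toward the threshold.
        recent = [t for t in self.failures[ip] if now - t < self.retry_window]
        self.failures[ip] = recent
        if len(recent) >= self.max_retries:
            self.lockouts[self.network_of(ip)] = now + self.lockout_seconds
            self.failures[ip] = []            # start fresh after the block
            return True
        return False

    def release(self, ip):
        """Manual release of a blocked range, as an admin would do."""
        self.lockouts.pop(self.network_of(ip), None)
```

Timestamps are passed in explicitly so the window and expiry behaviour can be exercised deterministically; a real deployment would use the current time.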
“coming from that IP range”
How wide a range?
Is the lock out log available from the dashboard? Is it flushable? Are the records automatically flushed after a certain period of time?
Blog Strokes,
It currently is set to block out a class C. The log is not yet currently available from the dashboard directly, although the db can be queried for reports, and there is no flush feature yet. I plan to add both the ability to view/export the log and to flush it in a future version of the plugin.
Thanks, Michael, I appreciate the response.
Something else that would be cool would be an alert if the same ip has been locked out ## times within a certain time frame, and the ability to just shut that ip down until further notice with a click when you get the alert.
Great plugin – my site was spammed after someone cracked a user’s password; since installing your plugin it has not happened again.
I have changed your code slightly so I can now see a log of all IPs that have been locked out, and I can see there is an IP address repeatedly trying to gain access to my site that I know is not a legitimate user (I only have three users and no one else can register).
It would be great if there was an option to enter an IP address and have it permanently locked out.
Will try this and see if it’s good for brute-force attacks. Thanks.
All I’ve read recently about WordPress is how vulnerable to attack it is, worm attacks and SQL injection… so anything that helps protect a site has got to be a good thing.
There are lots of “How to protect your blog” posts out there, but this looks easy to install and set up.
Thanks for taking the time, I’ll download and install ASAP.
Just sayin’ thanks for all the work you’ve done for this plug-in! Works like a charm, and should be in every WordPress site by default.