I am happy to announce the release of Login LockDown, a new plugin for WordPress, designed to help increase security and reduce the chance of someone hacking into your WordPress installation.
With the way WordPress is currently set up, attackers are free to use bots for a brute-force attack that simply guesses the admin password until they hit the correct one. There are a couple of solutions out there, each with its own drawbacks. One suggestion is to restrict which IPs can access the wp-admin folder via .htaccess. The two problems with that are that it prevents regular users from seeing their user preferences page once they log in (which is the default page a user sees), and that not every blogger is going to be logging in to their blog from the same IP all of the time.
Another solution involves a plugin that sets up a secondary password using HTTP Basic Authentication. While this will thwart many of the generic bots out there, if a blog is specifically targeted it is easy enough for a hacker to code a bot that sends repeated attempts against that login method as well, and again it interferes with non-admin users when they attempt to log in (which is a real pain if the admin requires registration in order to comment).
Login LockDown takes a different approach. Every failed login attempt is recorded, along with the timestamp of the attempt and the IP address of the user. If a user tries (and fails) to log in too many times within a certain time period, the system then blocks any login requests coming from that IP range until the lock-out is released. The lock-out period defaults to 1 hour, although that can be changed within the admin panel. The number of retries, and the time period they must fall within to trigger a lock-out, are also configurable from the admin section, and admins have the ability to release an IP block manually (assuming of course that they haven’t locked themselves out 😀 ).
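To make the lock-out logic concrete, here is an added example of the same scheme written in Python. It is not the plugin's own code (the plugin is PHP) and assumes a few things the post leaves open: "IP range" is taken to mean the /24 containing the client address, the 3-retries-in-5-minutes numbers are illustrative rather than the plugin's defaults, and the addresses, timestamps and password used in the simulation are constructed for the demo.

```python
import hmac
import ipaddress
import time
from collections import defaultdict


class LoginLockDown:
    """Record failed logins per source network and lock the network out.

    lockout_period defaults to 1 hour, as in the post. max_retries and
    retry_window are assumed values for illustration (the plugin makes
    both configurable from its admin section).
    """

    def __init__(self, max_retries=3, retry_window=300, lockout_period=3600):
        self.max_retries = max_retries
        self.retry_window = retry_window      # seconds
        self.lockout_period = lockout_period  # seconds
        self.failures = defaultdict(list)     # network -> [failure timestamps]
        self.lockouts = {}                    # network -> time the block expires

    @staticmethod
    def _key(ip):
        # Assumption: the blocked "IP range" is the /24 around the client.
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def is_locked(self, ip, now=None):
        now = time.time() if now is None else now
        key = self._key(ip)
        release_at = self.lockouts.get(key)
        if release_at is None:
            return False
        if now >= release_at:          # lock-out expired on its own
            del self.lockouts[key]
            return False
        return True

    def record_failure(self, ip, now=None):
        """Log a failed attempt; return True if it triggers a lock-out."""
        now = time.time() if now is None else now
        key = self._key(ip)
        window_start = now - self.retry_window
        recent = [t for t in self.failures[key] if t > window_start]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= self.max_retries:
            self.lockouts[key] = now + self.lockout_period
            self.failures[key] = []    # start fresh once the block lifts
            return True
        return False

    def release(self, ip):
        """Admin action: lift a block manually before it expires."""
        self.lockouts.pop(self._key(ip), None)

    def attempt_login(self, ip, password_ok, now=None):
        """Gate one login: refuse outright while locked, even if the
        credentials would be correct; otherwise record the outcome."""
        if self.is_locked(ip, now):
            return "locked_out"
        if password_ok:
            self.failures.pop(self._key(ip), None)
            return "ok"
        self.record_failure(ip, now)
        return "failed"


def simulate(guesses, ip="203.0.113.10", real_password="correct horse"):
    """Drive a constructed brute-force run, one guess per second, and
    return the lockdown object plus the outcome of each attempt."""
    ld = LoginLockDown(max_retries=3, retry_window=300, lockout_period=3600)
    t0 = 1_700_000_000                      # constructed start time
    results = []
    for i, guess in enumerate(guesses):
        ok = hmac.compare_digest(guess, real_password)   # constant-time check
        results.append(ld.attempt_login(ip, ok, now=t0 + i))
    return ld, results


if __name__ == "__main__":
    ld, results = simulate(["a", "b", "c", "d", "correct horse"])
    print(results)
    # the correct password is refused too while the /24 is locked
    ld.release("203.0.113.10")
    print(ld.attempt_login("203.0.113.10", True, now=1_700_000_010))
```

Two behaviours worth noting: a correct password is rejected while the block is active, which is exactly what stops a bot from simply continuing to guess, and failures spaced farther apart than the window never accumulate, so the window size is what decides how slow a guessing bot must go to avoid tripping the lock-out.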
The download link for the plugin, as well as the instructions, is located on the Bad Neighborhood website, here: Login LockDown v1.0