Login LockDown - A New WordPress Security Plugin
Aug 29th, 2007 by Michael VanDeMar
I am happy to announce the release of Login LockDown, a new plugin for WordPress, designed to help increase security and reduce the chance of someone hacking into your WordPress installation.
With the way WordPress is currently set up, attackers are free to use bots for a brute force style of attack that simply guesses at the admin password until they come up with the correct one. There are a couple of solutions out there, each with its own drawbacks. One suggested solution is to restrict which IPs can access the wp-admin folder via .htaccess. That has two problems: it stops regular users from seeing their user preference page once they log in (which is the default page a user sees), and not every blogger is going to be logging in to their blog from the same IP all of the time.
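For reference, this is what the .htaccess restriction mentioned above looks like. It is an added illustration, not something from the post or the plugin, and the addresses in it are placeholders:

```apache
# wp-admin/.htaccess  (added example; addresses are placeholders)
# Apache 2.4 syntax: only the listed addresses may request anything under wp-admin.
# Every other visitor, including a legitimate user who has just logged in and is
# being sent to their preference page, receives a 403 from the web server.
<RequireAny>
    # the blogger's usual address
    Require ip 203.0.113.10
    # an office network, as a range
    Require ip 198.51.100.0/24
</RequireAny>

# Equivalent Apache 2.2 syntax, which is what a 2007-era install would have used:
# Order Deny,Allow
# Deny from all
# Allow from 203.0.113.10
# Allow from 198.51.100.0/24
```

Because the check happens in the web server before WordPress runs, it cannot distinguish an admin from a commenter, which is exactly the drawback the post describes; and the moment the blogger's own address changes, they are locked out of their own dashboard until they can edit the file.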
Another solution involves a plugin that sets up a secondary password using Basic HTTP Authentication. While this will thwart many of the generic bots out there, if a blog is specifically targeted it is easy enough for an attacker to code a bot that sends repeated attempts against that login method as well, and again it interferes with non-admin users when they attempt to log in (which is a real pain if the admin requires registration in order to comment).
Login LockDown takes a different approach. Every failed login attempt is recorded, along with the timestamp of the attempt and the IP address it came from. If a user tries (and fails) to log in too many times within a certain time period, the plugin then blocks any login requests coming from that IP range until the lock-out is released. The lock-out period defaults to 1 hour, although that can be changed within the admin panel. The number of retries, and the time period within which they must occur to trigger a lock-out, are also configurable from the admin section, and admins have the ability to release an IP block manually (assuming of course that they haven't locked themselves out).
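The mechanism just described, written out as a small model so the moving parts are visible. This is an added example and not the plugin's own code (Login LockDown is a PHP plugin; this is a language-agnostic model in Python). It assumes the class C (/24) granularity the author mentions in the comments below; the three-failures-in-five-minutes limit is a placeholder, not the plugin's default, and the one hour lock-out is the default named in the post. The class and function names, and the addresses in the demo scenario, are mine:

```python
"""Model of a Login LockDown style lock-out: failed attempts logged per
network with a timestamp, a lock-out once too many land inside a window,
released either when the period elapses or by an admin.

Added illustration, not the plugin's PHP source."""
import hmac
import ipaddress
import time


def network_key(ip: str) -> str:
    """Return the class C (/24) network an address belongs to.

    The plugin author says a lock-out covers a whole class C. IPv6 is mapped
    to a /64 here purely as an assumption; the 2007 plugin only saw IPv4.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class LoginLockdown:
    def __init__(self, max_failures=3, failure_window=300, lockout_period=3600):
        # max_failures / failure_window are placeholders, not the plugin's defaults.
        # lockout_period (seconds) matches the 1 hour default named in the post.
        self.max_failures = max_failures
        self.failure_window = failure_window
        self.lockout_period = lockout_period
        self.failures = {}   # network -> timestamps of recent failures (the log)
        self.lockouts = {}   # network -> time at which the lock-out is released

    def is_locked(self, ip, now=None):
        now = time.time() if now is None else now
        net = network_key(ip)
        release_at = self.lockouts.get(net)
        if release_at is None:
            return False
        if now >= release_at:
            del self.lockouts[net]   # lock-out period has elapsed
            return False
        return True

    def record_failure(self, ip, now=None):
        """Log a failed attempt; return True if it pushes the network into lock-out."""
        now = time.time() if now is None else now
        net = network_key(ip)
        # keep only failures still inside the sliding window, then add this one
        recent = [t for t in self.failures.get(net, ()) if now - t <= self.failure_window]
        recent.append(now)
        self.failures[net] = recent
        if len(recent) >= self.max_failures:
            self.lockouts[net] = now + self.lockout_period
            self.failures[net] = []   # fresh window once the lock-out lifts
            return True
        return False

    def release(self, ip):
        """Admin action: lift the lock-out on this address's network."""
        self.lockouts.pop(network_key(ip), None)

    def attempt_login(self, ip, password, stored_password, now=None):
        """Gate one login attempt. Returns 'locked_out', 'ok' or 'failed'."""
        now = time.time() if now is None else now
        if self.is_locked(ip, now):
            return "locked_out"   # refused before the password is even looked at
        if hmac.compare_digest(password.encode(), stored_password.encode()):
            return "ok"
        self.record_failure(ip, now)
        return "failed"


def demo():
    """Constructed scenario: a bot at 198.51.100.7 guesses three passwords in
    twenty seconds, which locks its /24; a correct login from elsewhere in that
    /24 is refused, one from outside it succeeds, and an hour later the bot's
    own address can log in again with the right password."""
    ld = LoginLockdown(max_failures=3, failure_window=300, lockout_period=3600)
    t0 = 1_000_000.0
    secret = "correct-horse"   # placeholder password
    out = []
    for i, guess in enumerate(["admin", "password", "letmein"]):
        out.append(ld.attempt_login("198.51.100.7", guess, secret, now=t0 + 10 * i))
    out.append(ld.attempt_login("198.51.100.200", secret, secret, now=t0 + 60))
    out.append(ld.attempt_login("203.0.113.9", secret, secret, now=t0 + 60))
    out.append(ld.attempt_login("198.51.100.7", secret, secret, now=t0 + 3700))
    return out


if __name__ == "__main__":
    print(demo())
```

Two things the model makes concrete that the description only implies: a locked-out range is refused even when it presents the correct password, which is what stops the bot but also what locks out an admin behind the same NAT or office /24, and the failure counter is a sliding window, so slow guessing that stays under the threshold per window is not caught by this mechanism alone.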
The download link for the plugin, as well as the instructions, are located on the Bad Neighborhood website, here: Login LockDown v1.0
20 Responses to “Login LockDown - A New WordPress Security Plugin”
[...] More information can be gotten from the Bad Neighborhood Blog [...]
[...] may also want to check out Michael’s Login Lockdown plugin which will prevent attackers trying to brute force their way in. Failed login attempts are recorded [...]
[...] of Bad Neighborhood blog brings us a new plugin to keep hackers from logging into WordPress. Login Lockdown will monitor how many times a person tries to log in during a short period of time (say 5 times in [...]
“coming from that IP range”
How wide a range?
Is the lock out log available from the dashboard? Is it flushable? Are the records automatically flushed after a certain period of time?
Blog Strokes,
It currently is set to block out a class C. The log is not yet available from the dashboard directly, although the db can be queried for reports, and there is no flush feature yet. I plan to add both the ability to view/export the log and to flush it in a future version of the plugin.
Thanks, Michael, I appreciate the response.
Something else that would be cool would be an alert if the same ip has been locked out ## times within a certain time frame, and the ability to just shut that ip down until further notice with a click when you get the alert.
[...] VanDeMar has created the WordPress plugin Login LockDown. As its name suggests, it is a plugin intended to increase the security of [...]
[...] infamous, or, unfortunately, sometimes a outspoken female. WordPress ain’t exactly Fort Knox. Login Lockdown is one plugin that will help. It automatically locks down login for a person for a certain period [...]
[...] Login Lockdown is a plugin that monitors how many times a person tries to log in during a short period of time. If they exceed some key number, LogInLock down will lock them out from logging for some period of time. This will stop those types who will try and guess your user names and passwords. [...]
[...] an IP address from trying to log into your Wordpress admin area after a certain number of attempts. LoginLock will prevent bots from continuously trying different combinations to crack your account. This is [...]
[...] login attempts allowed. It’s not an easy thing to do, but there is a good Wordpress plugin (Login LockDown) available that does this for [...]
Great plugin - my site was spammed after someone cracked a user’s password; since installing your plugin it has not happened again.
I have changed your code slightly so I can now see a log of all IPs that have been locked out, and I can see there is an IP address repeatedly trying to gain access to my site that I know is not a legitimate user (I only have three users and no one else can register).
It would be great if there was an option to enter an IP address and have it permanently locked out.
[...] Login Lockdown is a plugin developed to limit the effectiveness of brute force password attacks on the login [...]
[...] which is easier and faster f
[...] up on the updates is vital, because they include all the security patches. And plug-ins like Login Lockdown by Michael VanDeMar are a good idea [...]
[...] is a plugin by Michael VanDeMar, that I strongly recommend you to [...]
[...] little this little hack can do when faced with a brute force attacks; but here’s where the Login Lockdown plugin comes in. What the plugin does is it logs all failed login attempts and after a set amount of [...]
[...] Backup Your WordPress Blog WordPress Security Admin Tools Lockdown WordPress [...]