WordPress › Login Dongle « WordPress Plugins

The bookmarklet that allows to login nobody but you. Simple and secure.

It's not working. What's the problem?

I'm going to fix any new bugs you find, but please try the last stable version, maybe it's already fixed.

Prior to version 1.4.0
- the Theme My Login plugin and the Login Dongle plugin didn't work together. See below.
Prior to version 1.2.2
- the jQuery library was not made available on the login page.
- the dongle didn't work with Get New Password button.
Prior to version 1.2.1
- a valid login could be rejected if the challenge or response contained quotes.
Prior to version 1.2.0
- the dongle encoding was not compatible with a SmartPhone browser.
Prior to version 1.1.0
- the challenge could interfere with other login fields.
- the dongle bypassed possible plugins associated to the submit button.
Prior to version 1.0.4
- the dongle and the activation procedure didn't work due to last minute bugs.
Prior to version 1.0.3
- it was impossible to install the plugin due to its file structure.

I've lost my login dongle. How can I access my blog now?

If you lost your login dongle, you can disable this plugin very easily.

Access your blog by means of your usual remote file manager, like an FTP client.
Edit the login-dongle.php file in the login-dongle plugin directory.
Comment the line $loginDonglePlugin = new LoginDonglePlugin(); by adding // at the beginning.
Save the file back to your site.

This emergency procedure will make the default Log In button work again. After logging in, undo what you did above, otherwise this plugin will be marked as Active while being inactive. Then you can deactivate it with the WordPress button or leave it working.

Is Login Dongle compatible with other login plugins?

Login Dongle does not touch any element of the standard login functionality (page, fields, buttons, processing ...) of WordPress, so you should be able to run this plugin alongside any other login plugin, like the wonderful Limit Login Attempts plugin. If you find issues, feel free to contact me and I'll have a look.

Theme My Login (at least up to v6.2.2) is not comptible with Login Dongle out of the box. In Login Dongle v1.4.0 I added support for Theme My Login. Unfortunately, you need to add a missing line into the code of that plugin. In fact WP 3.2 introduced the login_init hook (that I use) but Theme My Login lacks it. To fix Theme My Login you'll need to

edit the file *theme-my-login/includes/class-theme-my-login.php*.

search for the text 'login_form'. That line and the one before should read:

// allow plugins to override the default actions, and to add extra actions if they want
do_action( 'login_form_' . $action );

add a line in between, reading:
```
do_action( 'login_init' );
```
save the file

Can I use Login Dongle instead of Limit Login Attempts (or the likes)?

I would not. Login Dongle is designed to work in conjunction with brute force attacks repellers like Limit Login Attempts and the likes.

What those plugins do is to block access to internet users trying to log in but not being allowed many times in a row. When that occurs, the recorded intruder's IP is used to reject their following login requests during some time, even before matching their credentials against the database.

What Login Dongle does is to cut off the processing of the login form if it does not have a special field (question) or if that field does not contain the special value (answer) stored in the database of your blog, even before running the repeller or any special authentication plugins.

To save your precious resources (CPU time and web availability) when under attack, Login Dongle simply exits with a configurable message, instead of incurring into another page generation cycle.

Can I use a simple answer for my question?

Yes, because if someone stole your dongle, they are supposed to not know the correct answer, which is only stored in the database. If they guess it, they only gain the right to process the login form on the server, but they still need to guess your unknown (and strong) password. That means that soon they will be locked out by your brute forse attack repeller.

However, if you allow your browser to fill in your credentials automatically, and someone is going to use your unattended PC, you easily realize that in this scenario all security relies on the unguessability of the response. If you think that such a scenario is going to happen some time, you better setup a strong response.

Limit Login Attempts (or the likes) notified me about some attacks. What can I do?

Login Dongle makes a brute force attack impossible without knowing the correct challenge >> response. Anyway, if a brute force attack repeller notifies you of an attack, you only need to edit the Login Dongle section of your Profile. Change both the challenge and response, and you're done. As soon as you save your changes, the attack will immediately stop because Login Dongle will expect the new challenge >> response to be submitted along with the login form.

Limit Login Attempts (or the likes) notified me about some attacks. How can it be?

The chance to get notified of an attack after installing Login Dongle is extremely little. If it occurred it'd mean that both

they know the question because
- either you told them
- or they got access to your login dongle at least once since you changed it the last time
  - either you sent your dongle to them
  - or they got access to the PC where your dongle is
they know the answer because
- either you told them
- or it's easy to guess (knowing the question), like Holmes for Sherlock,
- or they brute force attacked your site to find it out (note that no protection exists against a brute force attack perpetrated by evil hackers)
- or they listened to your internet traffic (if it doesn't go through a secure connection),
- or they kept recording each and every keystroke of yours
  - this means that the integrity of your digital persona is badly compromised.