Security against brute force attacks by tracking IP, name, password; requiring very strong passwords. Idle timeout. Maintenance mode lockdown.
A simple way to lock down login security for multisite and regular WordPress installations.
Blocks brute force and dictionary attacks without inconveniencing legitimate users or administrators
Thoroughly examines and enforces password strength. Includes full UTF-8 character set support if PHP's mbstring extension is enabled.
The tests have caught every password dictionary entry I've tried.
dict dictionary program (if available)
Password aging (optional) (not recommended)
Administrators can require all users to change their passwords
Logs out idle sessions (optional) (idle time is customizable)
Maintenance mode (optional)
Prevents information disclosures from failed logins
display_errors is on and
For reference, the similar plugins include:
Some plugins provide similar functionality. These overlaps can lead to conflicts during program execution. Please read the FAQ!
Development of this plugin happens on GitHub. Please submit bug and feature requests, pull requests, and wiki entries there. Releases are then squashed and pushed to WordPress' Plugins SVN repository. This division is necessary due to having been chastised that "the Plugins SVN repository is a release system, not a development system."
Old tickets are in the Plugins Trac.
Yeah, creating, storing/remembering, and using a different, strong password for each site you use is a hassle. But it is absolutely necessary.
Password lists get stolen on a regular basis from big name sites (like LinkedIn, for example!). Criminals then have unlimited time to decode the passwords. In general, 50% of those passwords are so weak they get figured out in a matter of seconds. Plus there are computers on the Internet dedicated to pounding the sites with login attempts, hoping to get lucky.
Many people use the same password for multiple sites. Once an attacker figures out your password on one site, they'll try it on your accounts at other sites. It gets ugly very fast.
You're probably thinking "There's nothing valuable on my website. No one will bother breaking into it." What you need to realize is that attackers are going after your visitors. They put stealth code on your website that pushes malware into your readers' browsers.
According to SophosLabs more than 30,000 websites are infected every day and 80% of those infected sites are legitimate. Eighty-five percent of all malware, including viruses, worms, spyware, adware and Trojans, comes from the web. Today, drive-by downloads have become the top web threat.
So if your site does get cracked, not only do you waste hours cleaning up, your reputation gets sullied, security software flags your site as dangerous, and worst of all, you've inadvertently helped infect the computers of your clients and friends. Oh, and if the attack involves malware, that malware has probably gotten itself into your computer.
Requires: 3.3 or higher
Compatible up to: 3.9.2
Last Updated: 2014-8-17
2 of 10 support threads in the last two months have been resolved.