Login Security Solution

Security against brute force attacks by tracking IP, name, password; requiring very strong passwords. Idle timeout. Maintenance mode lockdown.

0.44.0 (2014-05-30)

  • Handle mysqli usage
  • Indicate that setting "Match Time" to 0 disables slowdowns, notifications, and breach confirmations.
  • If "Match Time" is 0, return empty values rather than running queries.

0.43.0 (2014-01-16)

  • By popular demand, notification emails now include the full IP address.

0.42.0 (2013-07-06)

  • Have Maintenance Mode messaging say who turned it on and how to turn it off.
  • Added pw_sequence for German T1 keyboard layout. (cfoellmann)

0.41.0 (2013-06-26)

  • Fix "authenticate filter not called" when auth process lacks a user name.

0.40.0 (2013-06-22)

  • Track the age of verified IPs and use that to prevent users being locked out by "attacks" from one's own IP address.
  • Unit tests pass using PHP 5.3.27-dev, 5.4.17-dev, 5.5.0-dev
  • Tested under WordPress 3.4.2, 3.5.2 and 3.6beta4 using regular and multisite.

0.39.0 (2013-05-29)

  • Enforce password history during password reset process.

0.38.0 (2013-05-27)

  • Mention that the password force change process does not touch the admin that presses the button.
  • Remove HTML special characters when using WP's blogname setting.
  • Unit tests pass using PHP 5.3.27-dev, 5.4.17-dev, 5.5.0-dev
  • Tested under WordPress 3.5.1 and 3.6beta3 using regular and multisite.

0.37.0 (2013-04-29)

  • Monitor login attempts from XML-RPC requests.
  • Fix "te ernstig te" in the Dutch translation (thanks fwieringen@github).

0.36.0 (2013-04-13)

  • Have the password reset page say why a password isn't strong enough.
  • Add Dutch translation.

0.35.0 (2013-02-22)

  • Don't track cookie failures if name or hash is empty.
  • Add German translation.
  • Update French translation.
  • Documentation improvements.

0.34.0 (2012-10-21)

  • Have login_errors filter check $wp_error also, not just $errors.
  • Skip exec() calls if safe_mode is on.
  • Unit tests pass using WordPress 3.5 RC2 under PHP 5.4.5-dev and 5.3.19-dev.

0.33.0 (2012-10-18)

  • Add text to failure alerts saying the attacker will be denied access.
  • Have failure alerts say there won't be further emails.

0.32.0 (2012-10-04)

  • SIGNIFICANT CHANGE: Reduce the number of emails sent to administrators: add the "Multiple Failure Notifications" setting and make the default "No."
  • Remove the (superfluous) "If it WAS YOU..." part of the user notification emails.
  • Use wp_cache_flush() in unit tests, wp_cache_reset() deprecated in 3.5.
  • Unit tests pass using PHP 5.4.5-dev, 5.3.16-dev.
  • Tested under WordPress 3.4.2 and 3.5beta1 using regular and multisite.

0.31.0 (2012-09-25)

  • Have breach notification emails detail the exact situation depending on the system's settings.

0.30.0 (2012-09-17)

  • Translate "Confirm" and "No thanks" phrases on the settings screen.
  • Adjust readme to indicate that development has moved to GitHub.

0.29.0 (2012-09-17)

  • Adjust formatting of the CREATE TABLE statement in activate() to prevent WordPress' dbDelta() from creating duplicate keys each time the plugin is activated.

0.28.1 (2012-09-15)

  • Update .mo translation files.

0.28.0 (2012-09-15)

  • Remove loophole: slow down successful logins as well (for non-verified IP addresses). Keeps attackers from using timeouts to skip our delayed responses to failed login attempts.
  • Reduce false positives for breach notifications and password resets:
    • Allow users through without incident if the user's Network IP failure count is less than the "Breach Email Confirm" setting. The old behavior was to do so only if the Network IP failure count was 0.
    • Add user's current IP to their verified IP list whenever they save their profile page, not just when they change their password.
    • Fix when user notifications are sent. Do so if the IP address is NOT verified instead of if the IP address IS verified. Duh.
    • Don't notify administrators of a successful login if the user is coming in from a verified IP address.
    • Change subject line of user notification emails to differentiate them from emails sent to admins.
    • Reword user notification email and have it explain how to reduce future hassles.
  • Remove URIs from user notification email to avoid phishing imitations.
  • Add pt_BR translation. Thanks to Valdir Trombini.
  • Put plugin version number in admin notification emails.
  • Update the fr_FR translation: update password policy, add settings page.
  • Put Unicode flag on the two preg calls that didn't have it. Fixes password parsing problem on Windows.
  • Add date to log() messages.
  • Unit tests pass using PHP 5.4.5-dev, 5.3.16-dev, and 5.2.18-dev.
  • Tested under WordPress 3.4.2 using regular and multisite.
  • Also tested on Windows 7 using WordPress 3.4.1 and PHP 5.4.5 with mbstring enabled and disabled.

0.27.0 (2012-09-04)

  • Remove the password policy explanation link added in 0.26.0.

0.26.0 (2012-09-01)

  • Put a link in the password policy to an explanation of why it's necessary.

0.25.0 (2012-08-30)

  • Load text domain for password policy on password reset page.
  • Have password policy mention that it can't contain words related to the user or the website.

0.24.0 (2012-08-29)

  • Keep the password strength indicator from being enabled.
  • Narrow down when the password policy text filter is enabled.

0.23.0 (2012-08-24)

  • Split user and site info into components before comparing them.
  • Increase minimum password length to 10 characters.

0.22.0 (2012-08-17)

  • Track a given IP, user name, password combination only once.
  • Prevent "not a valid MySQL-Link resource" on auth cookie failure.
  • Increase default value of login_fail_notify from 20 to 50.
  • Add partial French translation. Settings page needs doing. Thanks mermouy!

0.21.0 (2012-08-07)

  • Fix is_pw_outside_ascii() to permit spaces.
  • In multisite mode, send notifications to network admin, not blog admin.
  • Add "Notifications To" setting for admins to specify the email addresses the failure and breach notifications get sent to. (Request #1560)
  • Clarify that the Change All Passwords link just goes to the UI.
  • Get all unit tests to pass when mbstring isn't enabled.
  • Internationalize the unit tests.
  • Rename admin.inc to admin.php.
  • Rename temporary files holding actual test results. (Bug #1552 redux)
  • Unit tests pass using PHP 5.4.5-dev, 5.3.16-dev, and 5.2.18-dev.
  • Tested under WordPress 3.4.1 using regular and multisite.
  • Also tested on Windows 7 using PHP 5.4.5 and WordPress 3.4.1.

0.20.2 (2012-07-12)

  • Ugh, update the translation pot file.

0.20.1 (2012-07-12)

  • Add "numbers" to the password policy text.

0.20.0 (2012-07-12)

  • Replace WP's password policy text with our own.

0.19.0 (2012-07-11)

  • Remove inadvertent log call added in 0.17.0.

0.18.0 (2012-07-11)

  • Keep legit user from having to repeatedly reset pw during active attacks against their user name.

0.17.0 (2012-07-09)

  • Fix network IP query in get_login_fail(). (Bug #1553, deanmarktaylor)
  • Rename files holding expected test results. (Bug #1552, deanmarktaylor)

0.16.0 (2012-07-08)

  • Have shell script gracefully handle value already being the desired value.

0.15.0 (2012-07-06)

  • Log auth cookie failures too.
  • Clean up sleep logic. (Bug #1549, deanmarktaylor)

0.14.0 (2012-07-05)

  • Fix emails being mistakenly sent in multisite mode that say "There have been at least 0 failed attempts to log in". (Bug #1548, deanmarktaylor)
  • Add an .htaccess file that blocks access to this plugin's directory.

0.13.0 (2012-07-01)

  • Add a script for turning our "Disable Logins" feature on and off from the command line.

0.12.0 (2012-06-30)

  • Display a notice on top of admin pages when our maintenance mode is enabled.

0.11.0 (2012-06-28)

  • Use POST value for $user_name in login_errors() because global value isn't always set.
  • Add some more (commented out) log() calls to help users help me help them.

0.10.0 (2012-06-16)

  • Catch $user_ID not being set during "Change All Passwords" submission.
  • Add (commented out) log() calls in important spots. Enables users to help me help them.

0.9.0 (2012-06-16)

  • Fix change that prevented users from logging in after using the password reset process with an insecure password. Users can now pick a better password right on the spot.
  • Regenerate translation POT file.
  • Tested under WordPress 3.3.2 and 3.4RC3, both using regular and multisite.
  • Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.

0.8.0 (2012-04-29)

  • Fix logging user out a second time after WordPress expires cookies.
  • It turns out this plugin requires WordPress 3.3, not 3.0.
  • Tested under WordPress 3.3.2 regular and 3.4beta2 multisite.
  • Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.

0.7.0 (2012-04-25)

  • The "lost your password" process now validates passwords.
  • Tested under WordPress 3.3.1 regular and 3.4beta2 multisite.
  • Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.

0.6.1 (2012-04-19)

  • Minor wording adjustments.

0.6.0 (2012-04-18)

  • Use ENT_QUOTES instead of ENT_COMPAT in htmlspecialchars() calls because WordPress mixes and matches the double and single quotes to delimit attributes.
  • Tested under WordPress 3.3.1 regular and 3.4beta2 multisite.
  • Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.

0.5.0 (2012-04-18)

  • Have multisite network mode use the saved options instead of the defaults.
  • Close more HTML injection vectors. (One would think WordPress' built in functions would already do this. Alas...)
  • Get the success/error messages to work when saving settings via the Network Admin page.
  • Improve unit tests by ensuring the fail table uses InnoDB.
  • Tested under WordPress 3.3.1 regular and 3.4beta2 multisite.
  • Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.

0.4.0 (2012-04-17)

  • Add multisite network support.
  • Keep unit tests from deleting settings. Note: removes the ability to run the unit tests without activating the plugin.
  • Tested under WordPress 3.3.1 regular and 3.4beta2 multisite.
  • Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.

0.3.0 (2012-04-04)

  • Use UTF-8 encoding for htmlspecialchars() instead of DB_CHARSET.
  • Tested under WordPress 3.3.1.
  • Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.

0.2.1 (2012-04-03)

  • Ensure all files are in the state I intended. Needed because WordPress' plugin site automatically rolls releases.

0.2.0 (2012-04-03)

  • Utilize the $encoding parameter of htmlspecialchars() to avoid problems under PHP 5.4.
  • Tested under WordPress 3.3.1.
  • Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.

0.1.0 (2012-03-26)

  • Beta release.

0.0.4 (2012-03-22)

  • Initial import to plugins.svn.wordpress.org.

0.0.3

  • Fix mix-ups in the code saving the "Change All Passwords" admin UI.
  • Adjust IdleTest so it doesn't radically change wp_users auto increment.
  • Tested under WordPress 3.3.1.
  • Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.

0.0.2

  • Use Unicode character properties to improve portability.
  • Stop tests short if not in a WordPress install.
  • Skip dict test if dict not available.
  • Skip database tests if transactions are not available.
  • Tested under WordPress 3.3.1.
  • Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.

0.0.1 (2012-03-19)

  • Post the code for public review.
  • Tested under WordPress 3.3.1.

Requires: 3.3 or higher
Compatible up to: 3.9.1
Last Updated: 2014-5-30
Downloads: 111,378

Ratings

4.6 out of 5 stars

Support

0 of 11 support threads in the last two months have been resolved.
