WordPress.org

Plugin Directory

Login Security Solution

Security against brute force attacks by tracking IP, name, password; requiring very strong passwords. Idle timeout. Maintenance mode lockdown.

Compatibility with Other Plugins

  • Better WP Security: Their "Enable Login Limits" and "Enable strong password enforcement" functionality conflicts with our features. The good news is we provide more robust protection in those areas, and the Better WP Security "Settings" page lets you disable those features in their plugin. This way you get to enjoy even better security than either plugin alone.

Why should I pick a user name other than "admin"?

The WordPress installation process (currently) defaults to naming the main administrator's user "admin". Many people don't change it. Attackers know this, so all they need to do to get into such sites is guess the password.

In addition, if you try to log in while your site is being attacked, this plugin will send you through the password reset process in order to verify your identity. While not the end of the world, it's inconvenient.

Where did the "Change All Passwords" interface go?

A link to the page is found in this plugin's entry in the "Plugins" admin interface:

  • Regular sites: Plugins
  • Sites using multisite networks: My Sites | Network Admin | Plugins

I just got hit with 500 failed logins! Why isn't this plugin working?!?

Let's turn the question around: "How long did it take to get in those 500 hits?" Chances are it took hours. (Six hours if they're attacking with one thread, 2 hours if they're coming at you with three threads, etc.) If this plugin wasn't working, they'd have pulled it off in under a minute. Similarly, without the slowed responses this plugin provides, an attacker given six hours against your site could probably land over 170,000 hits.

Anyway, my real question for you is "Did they get in?" I'll bet not. The strong passwords this plugin requires from your users lower the chances of someone breaking in to just about zero.

And even if they do get lucky and figure out a password, Login Security Solution realizes they're miscreants and kicks them out.

Will you provide lock outs / blocks in addition to slow downs?

If you look at it the right way, Login Security Solution provides lockouts (where "lockout" means "denies access" to attackers). Below is a comparison of the attack handling logic used by Limit Login Attempts and Login Security Solution.

Limit Login Attempts

  • Invalid or Valid Credentials by Attacker or Actual User

    1. Process authentication request (check IP address)
    2. Error message: "Too many failed login attempts." (ACCESS DENIED.)

Note that this approach means an actual user can be denied access for 12 hours after making 4 mistakes.

Login Security Solution

  • Invalid Credentials by Attacker or Actual User

    1. Process authentication request (check IP, user name, and password)
    2. Slow down the response
    3. Error message: "Incorrect username or password." (ACCESS DENIED.)
  • Valid Credentials by Attacker

    1. Process authentication request (check IP, user name, and password)
    2. Slow down the response
    3. Set force password change flag for user
    4. Error message: "Your password must be reset. Please submit this form to reset it." (ACCESS DENIED.)
  • Valid Credentials by Actual User

    1. Process authentication request (check IP, user name, and password)
    2. (If user is coming from their verified IP address, let them in, END)
    3. Slow down the response
    4. Error message: "Your password must be reset. Please submit this form to reset it." (ACCESS DENIED.)
    5. On subsequent request... user verifies their identity via password reset process
    6. User's IP address is added to their verified IP list for future reference

So both plugins deny access to attackers. But Login Security Solution has the bonuses of letting legitimate users log in and slowing the attacks down. Plus LSS monitors user names, passwords, and IPs for attacks, while all of the other plugins just watch the IP address.
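The Login Security Solution branch of the comparison above, modelled as a small decision function. This is an added example and not the plugin's own code; the back-off formula, the counter keys and the rule that a pending reset flag overrides the verified-IP shortcut are assumptions.

```python
"""Model of the Login Security Solution decision logic laid out in the FAQ.
Added example, not the plugin's own code; thresholds and the back-off formula
are assumptions. Failures are counted per IP, per user name and per password
(hashed, so no plaintext guesses are retained), as the FAQ says the plugin does."""
import hashlib
from collections import Counter
from dataclasses import dataclass

ALLOW, DENY_INCORRECT, DENY_RESET = "allow", "incorrect", "reset"
RESET_MSG = "Your password must be reset. Please submit this form to reset it."


@dataclass
class Decision:
    outcome: str
    delay_seconds: float  # caller sleeps this long AFTER releasing the DB handle
    message: str


class LoginGuard:
    def __init__(self, base_delay=1.0, max_delay=60.0):
        self.base_delay, self.max_delay = base_delay, max_delay  # assumed back-off
        self.failures = Counter()   # ("ip", x) / ("user", x) / ("pw", sha) -> count
        self.verified_ips = {}      # user name -> set of IPs that passed a reset
        self.force_reset = set()    # user names flagged for a forced password change

    @staticmethod
    def _keys(ip, username, password):
        pw_key = hashlib.sha256(password.encode()).hexdigest()[:16]
        return [("ip", ip), ("user", username), ("pw", pw_key)]

    def _delay(self, keys):
        # Assumed back-off: doubles with the worst counter, capped at max_delay.
        level = max(self.failures[k] for k in keys)
        return 0.0 if level == 0 else min(self.base_delay * 2 ** (level - 1), self.max_delay)

    def attempt(self, ip, username, password, credentials_valid):
        """Return the Decision for one login request; never logs the user in itself."""
        keys = self._keys(ip, username, password)
        if not credentials_valid:  # invalid creds: count, slow down, generic error
            for k in keys:
                self.failures[k] += 1
            return Decision(DENY_INCORRECT, self._delay(keys), "Incorrect username or password.")
        if ip in self.verified_ips.get(username, set()) and username not in self.force_reset:
            return Decision(ALLOW, 0.0, "")  # actual user from a verified IP: let them in
        # Valid creds from an unverified IP could be the attacker: flag and force a reset.
        self.force_reset.add(username)
        return Decision(DENY_RESET, self._delay(keys), RESET_MSG)

    def complete_password_reset(self, ip, username):
        """Identity verified via the reset process: clear the flag, trust this IP."""
        self.force_reset.discard(username)
        self.verified_ips.setdefault(username, set()).add(ip)
```

The delay is returned rather than slept so the caller can release the database connection first, which is the DoS mitigation the FAQ describes below.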

Won't the slowdowns open my website to Denial of Service (DoS) attacks?

Yeah, the DoS potential is there. I mitigated it for the most part by disconnecting the database link (the most precious resource in most situations) before sleeping. But remember, distributed denial of service attacks are fairly easy to initiate these days. If someone really wants to shut down your site, they'll be able to do it without even touching this plugin's login failure process.

Where should I report bugs and feature requests?

Development of this plugin happens on GitHub. Please submit bug reports, feature requests, pull requests, and wiki entries on our GitHub.

Information for Translators

  1. Do not commit the .mo files! They get created as part of the release process.
  2. Translation commits and pull requests should only touch the .po file. If you have other changes you wish to see made, please do so via separate commits in separate pull requests.
  3. When translating a new feature, please make that one commit. If other parts of the translation need updating, please make them in a separate commit.
  4. Please don't change formatting inside the .po file.
  5. Run git diff before all commits. Ensure only expected changes are being made.
  6. Do not translate items that have a comment above them saying Translation from WordPress. Those phrases are already translated in WordPress' core. Leaving them untranslated here ensures consistency with the rest of WordPress.
  7. To start a new translation:

    cd languages

    # Adjust "lc" to your language code.
    # Adjust "CC" to your country code.
    cp login-security-solution.pot login-security-solution-lc_CC.po

    # Edit the new login-security-solution-lc_CC.po file.

Translation Information for Developers

  • To update the .pot file:

    1. WordPress' makepot utility directory should be in the same directory as the login-security-solution directory. If you don't have this setup, here's what to do:

    2. cd login-security-solution/languages

    3. ./makepot.sh
  • Then, bringing the .po files up to date is as easy as:

    1. ./updatepos.sh
  • Finally, to update the .mo files for testing or release:

    1. ./makemos.sh

Requires: 3.3 or higher
Compatible up to: 3.9.1
Last Updated: 2014-5-30
Downloads: 111,365

Ratings

4 stars
4.6 out of 5 stars

Support

0 of 11 support threads in the last two months have been resolved.
