Security against brute force attacks by tracking IP, name, password; requiring very strong passwords. Idle timeout. Maintenance mode lockdown.
Before installing this plugin, read the FAQ!
If your WP install is behind a proxy or load balancer, please be aware that this plugin uses the REMOTE_ADDR provided by the web server (as do WordPress' new comment functionality and the Akismet plugin). If you want our brute force tracking to work, we advise adjusting your wp-config.php file to manually set the REMOTE_ADDR to a data source appropriate for your environment. For example:
$_SERVER['REMOTE_ADDR'] = preg_replace('/^([^,]+).*$/', '\1', $_SERVER['HTTP_X_FORWARDED_FOR']);
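A stricter variant of the wp-config.php adjustment above, added here as an example (it is not the plugin's own code). It honours X-Forwarded-For only when the request arrives from a known proxy, and it takes the right-most address that is not one of those proxies, because entries further left are supplied by the client. The function name example_client_ip and the proxy addresses are assumptions.

```php
<?php
// Added example, not the plugin's code. The proxy addresses are assumptions:
// replace them with the addresses of your own proxies or load balancers.
$trusted_proxies = array('10.0.0.5', '10.0.0.6');

// Hypothetical helper: return the address to store in REMOTE_ADDR.
function example_client_ip(array $server, array $trusted_proxies) {
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';

    // If the peer is not one of our proxies, the header came straight from
    // the client and carries no authority, so ignore it.
    if (!in_array($peer, $trusted_proxies, true)
        || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }

    // Each proxy appends the address it received the request from, so the
    // right-most entries were written by our own infrastructure. Walk from
    // the right and stop at the first address that is not one of ours.
    $list = explode(',', $server['HTTP_X_FORWARDED_FOR']);
    $hops = array_reverse(array_map('trim', $list));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer;   // Malformed entry: fall back to the peer.
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $peer;           // Every hop was one of our proxies.
}

// In wp-config.php:
// $_SERVER['REMOTE_ADDR'] = example_client_ip($_SERVER, $trusted_proxies);

// Constructed requests showing the behaviour.
$samples = array(
    // Via the proxy; the left-most entry was sent by the client.
    array('REMOTE_ADDR' => '10.0.0.5',
          'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7'),
    // Direct connection that carries the header anyway.
    array('REMOTE_ADDR' => '203.0.113.7',
          'HTTP_X_FORWARDED_FOR' => '198.51.100.9'),
);
foreach ($samples as $s) {
    echo example_client_ip($s, $trusted_proxies), "\n";
}
```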
Download the Login Security Solution zip file from WordPress' plugin
Unzip the file.
Our existing tests are very effective, catching all of the 2 million entries in the Dazzlepod password list. But if you need to block specific passwords that my tests miss, this plugin offers the ability to provide your own dictionary files.
Add a file to the pw_dictionaries directory and place those passwords in it. One password per line.
Please be aware that checking the password files is computationally expensive. The following script runs through each of the password files and weeds out passwords caught by the other tests:
If your website has a large number of non-English-speaking users:
See if a keyboard sequence file exists in this plugin's pw_sequences directory for your target languages. The following steps are for left-to-right languages. (For right-to-left languages, flip the direction of the motions indicated.)
If a translation file for your language does not exist in this languages directory, add one. Read details. The files must use UTF-8 encoding. Send me the file and I'll include it in future releases. See the features request
The last step of the new password validation process is checking if the password matches an entry in the dict program. See if is installed on your server and consider installing it if not.
login-security-solution directory to your
Activate the plugin using WordPress' admin interface:
Adjust the settings as desired. This plugin's settings page can be reached via a sub-menu entry under WordPress' "Settings" menu or this plugin's entry on WordPress' "Plugins" page. Sites using WordPress' multisite network capability will find the "Settings" and "Plugin" menus under "My Sites | Network Admin".
Run the "Change All Passwords" process. This is necessary to ensure all of your users have strong passwords. The user interface for doing so is accessible via a link in this plugin's entry on WordPress' "Plugins" page.
Ensure your password strength by changing it.
A thorough set of unit tests are found in the
The plugin needs to be installed and activated before running the tests.
To execute the tests, cd into this plugin's directory and
Translations can be tested by changing the WPLANG value in
Please note that the tests make extensive use of database transactions. Many tests will be skipped if your are not using the InnoDB storage engine.
This plugin offers the ability to remove all of this plugin's settings from your database. Go to WordPress' "Plugins" admin interface and click the "Settings" link for this plugin. In the "Deactivate" entry, click the "Yes, delete the damn data" button and save the form.
Use WordPress' "Plugins" admin interface to click the "Deactivate" link
login-security-solution directory from the server
In the event you didn't pick the "Yes, delete the damn data" option or you manually deleted the plugin, you can get rid of the settings by running three queries. These queries are examples, using the default table name wp_. If you have changed your database prefix, adjust the
DROP TABLE wp_login_security_solution_fail;
DELETE FROM wp_options WHERE option_name LIKE 'login-security-solution%';
DELETE FROM wp_usermeta WHERE meta_key LIKE 'login-security-solution%';
Requires: 3.3 or higher
Compatible up to: 3.5.1
Last Updated: 2013-4-29
25 of 31 support threads in the last two months have been resolved.