Security against brute force attacks by tracking IP, name, password; requiring very strong passwords. Idle timeout. Maintenance mode lockdown.
Before installing this plugin, read the FAQ!
If your WP install is behind a proxy or load balancer, please be aware
that this plugin uses the REMOTE_ADDR provided by the web server
(as does WordPress' new comment functionality and the Akismet plugin).
If you want our brute force tracking to work, we advise adjusting your
wp-config.php file to manually set the REMOTE_ADDR to a data
source appropriate for your environment. For example:
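    // Take the first address in X-Forwarded-For. Only safe when your proxy sets or overwrites this header.
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $_SERVER['REMOTE_ADDR'] = preg_replace('/^([^,]+).*$/', '\1', $_SERVER['HTTP_X_FORWARDED_FOR']);
    }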
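The example above uses the left-most X-Forwarded-For entry, which is whatever the client sent unless your proxy overwrites the header, so a client-chosen value can become the address the brute force tracking records. As an added example (not part of the plugin; the function name, variable name and proxy addresses are assumptions), this wp-config.php fragment instead takes the right-most entry that your own proxies did not add, and only when the request actually arrived from one of them:

```php
<?php
// Added example, not the plugin's own code. $lss_trusted_proxies and
// lss_client_ip() are hypothetical names; the addresses are constructed.
// Exact-match list of your proxies' addresses; CIDR ranges are not handled.
$lss_trusted_proxies = array('10.0.0.5', '10.0.0.6');

/**
 * Return the address to track: the right-most X-Forwarded-For entry that
 * is not one of our own proxies, or the peer address if the request did
 * not come through a trusted proxy at all.
 */
function lss_client_ip($remote_addr, $forwarded_for, array $trusted) {
    // A direct connection can put anything in the header, so ignore it.
    if (!in_array($remote_addr, $trusted, true)) {
        return $remote_addr;
    }
    // Each proxy appends the peer it saw, so read the list right to left.
    $hops = array_reverse(array_map('trim', explode(',', (string) $forwarded_for)));
    foreach ($hops as $hop) {
        // Malformed entry: stop rather than trust anything to its left.
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop; // first hop that our proxies did not add themselves
        }
    }
    return $remote_addr; // nothing usable: fall back to the peer address
}

// In wp-config.php, before WordPress loads:
if (isset($_SERVER['REMOTE_ADDR'])) {
    $_SERVER['REMOTE_ADDR'] = lss_client_ip(
        $_SERVER['REMOTE_ADDR'],
        isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '',
        $lss_trusted_proxies
    );
}
```

With the constructed proxy list above, a request from 10.0.0.5 carrying the header `203.0.113.9, 198.51.100.7` is tracked as 198.51.100.7, the address the proxy itself observed. The same header on a request from any other peer is ignored and the peer address is kept.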
Download the Login Security Solution zip file from WordPress' plugin
site: http://wordpress.org/extend/plugins/login-security-solution/
Unzip the file.
Our existing tests are very effective, catching all of the 2 million entries in the Dazzlepod password list. But if you need to block specific passwords that my tests miss, this plugin offers the ability to provide your own dictionary files.
Add a file to the pw_dictionaries directory and place those passwords
in it. One password per line.
Please be aware that checking the password files is computationally expensive. The following script runs through each of the password files and weeds out passwords caught by the other tests:
php utilities/reduce-dictionary-files.php
If your website has a large number of non-English-speaking users:
See if a keyboard sequence file exists in this plugin's
pw_sequences directory for your target languages. The following steps
are for left-to-right languages. (For right-to-left languages, flip the
direction of the motions indicated.)
pw_sequences directory
If a translation file for your language does not exist in this
plugin's languages directory, add one. Read
http://codex.wordpress.org/I18n_for_WordPress_Developers for
details. The files must use UTF-8 encoding. Send me the file and
I'll include it in future releases. See the features request
section, below.
The last step of the new password validation process is checking if
the password matches an entry in the dict program. See if dict
is installed on your server and consider installing it if not.
http://en.wikipedia.org/wiki/Dict
Upload the login-security-solution directory to your
server's /wp-content/plugins/ directory
Activate the plugin using WordPress' admin interface:
Adjust the settings as desired. This plugin's settings page can be reached via a sub-menu entry under WordPress' "Settings" menu or this plugin's entry on WordPress' "Plugins" page. Sites using WordPress' multisite network capability will find the "Settings" and "Plugin" menus under "My Sites | Network Admin".
Run the "Change All Passwords" process. This is necessary to ensure all of your users have strong passwords. The user interface for doing so is accessible via a link in this plugin's entry on WordPress' "Plugins" page.
Ensure your own password is strong by changing it.
A thorough set of unit tests is found in the tests directory.
The plugin needs to be installed and activated before running the tests.
To execute the tests, cd into this plugin's directory and
call phpunit tests
Translations can be tested by changing the WPLANG value in wp-config.php.
Please note that the tests make extensive use of database transactions.
Many tests will be skipped if your wp_options and wp_usermeta tables
are not using the InnoDB storage engine.
This plugin offers the ability to remove all of this plugin's settings from your database. Go to WordPress' "Plugins" admin interface and click the "Settings" link for this plugin. In the "Deactivate" entry, click the "Yes, delete the damn data" button and save the form.
Use WordPress' "Plugins" admin interface to click the "Deactivate" link
Remove the login-security-solution directory from the server
In the event you didn't pick the "Yes, delete the damn data" option or
you manually deleted the plugin, you can get rid of the settings by running
three queries. These queries are examples, using the default table name
prefix of wp_. If you have changed your database prefix, adjust the
queries accordingly.
DROP TABLE wp_login_security_solution_fail;
DELETE FROM wp_options WHERE option_name LIKE 'login-security-solution%';
DELETE FROM wp_usermeta WHERE meta_key LIKE 'login-security-solution%';
Requires: 3.3 or higher
Compatible up to: 3.5.1
Last Updated: 2013-4-29
Downloads: 48,175