• Resolved josephmiddleton

    (@josephmiddleton)


    Greetings,

    I am sure you're already lined up with suggestions from the ground to your neck, and I am glad you accept suggestions. In phpBB as a security measure, which I like, a user can have it set up in their user panel that when they immediately log in an email is sent to them with date and time of their log-in with the IP address. This was and still is a great mod for phpBB. I use a plugin as well called wp-united and this is how I noticed the lack of this security feature and 0 plugins that offer it which once again is a security feature for not only us as admins but also for the user themselves.

    It almost sounds like it could be something that your mod could handle and would fit the bill still in your plug-in's theme as security. Allowing the registered user to partake in their own security of their information as well. The phpBB mod is called Alert for Login and I only offer it to show a bit more of what I am talking about.

    Hope you may take interest in what I at least find valuable in phpBB and the lack of here in WordPress.

    Joseph

    http://wordpress.org/extend/plugins/wp-login-alerts/

Viewing 1 replies (of 1 total)
  • Plugin Author DigiP

    (@digip)

    Not quite sure what you are getting at, but have you used my Plug-In in WordPress? It already gives you timestamps of when a login attempt takes place in the body of the email. Maybe I misunderstood your question or request.

    My plug-in has no admin panel settings. It is a strictly passive plug-in that monitors the login attempts to the site, and alerts the owner of the site, or whoever is set for the email address under the Dashboard > Settings > General section. If someone reaches the login page, it sends an email with the subject of which WordPress site was reached (if you have more than one, this is useful to know which of your sites is trying to be accessed) and you can see when the page is reached. If an attacker then tries to log in, it then sends another email, and in the subject line, this time, tells you the name they tried logging in with for which site. The body of the email tells you the attacker's IP address, Referral, Timestamp, and Username tried.

    This is strictly a passive security alert plug-in, with no options, and is only meant to alert the admin of the site of such login attempts. If, say, you get 30 emails in a row for a login attempt that was not you, or for a name that does not exist on your site, such as admin (which I don't have on ANY of my WordPress sites), you then know to investigate and check if it's a brute force attack, and if so, should block the person's IP address from reaching your site. If it was for a name that DOES exist, you should email the user, and ask them if they are trying to log in, because any user who forgets their password can use the password reset feature to let themselves back in. If the login attempts continued, it's most likely an automated brute force attack.

    To send an email to subscribers or other users of the site, every time they log in, would be kind of spammy in my opinion. Only the admin needs to know when someone logs in, and should be the one to monitor the use of their WordPress based site.
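
The triage described in the reply above, sketched as an added example (not the plug-in's code and not from either poster). It assumes each alert body can be reduced to one `IP | Referral | Timestamp | Username` line; that layout, the 10-minute window, the function names and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_alert(body):
    # Assumed one-line layout; the plug-in's real email format is not shown in the thread.
    fields = dict(part.split(": ", 1) for part in body.split(" | "))
    when = datetime.strptime(fields["Timestamp"], "%Y-%m-%d %H:%M:%S")
    return {"ip": fields["IP"], "time": when, "username": fields["Username"]}

def triage(alerts, known_users, burst=30, window=timedelta(minutes=10)):
    """Group alerts by source IP and suggest the follow-up the reply describes.

    burst comes from the "30 emails in a row" remark; window is an assumption.
    """
    by_ip = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["time"]):
        by_ip[alert["ip"]].append(alert)
    report = {}
    for ip, events in by_ip.items():
        peak = start = 0
        for end, event in enumerate(events):
            # Slide the window start forward until it spans at most `window`.
            while event["time"] - events[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        tried = {e["username"] for e in events}
        if peak >= burst:
            action = "block_ip"        # sustained run: treat as brute force
        elif tried - known_users:
            action = "investigate"     # a name that does not exist on the site
        else:
            action = "ask_user"        # real account: ask the owner if it was them
        report[ip] = {"action": action, "peak": peak,
                      "contact": sorted(tried & known_users)}
    return report

def sample_alerts():
    # Constructed data: documentation-range IPs, made-up usernames and times.
    t0 = datetime(2013, 1, 1, 3, 0, 0)
    rows = [("203.0.113.7", t0 + timedelta(seconds=10 * i), "admin") for i in range(30)]
    rows += [("198.51.100.20", t0 + timedelta(minutes=m), "editor") for m in (5, 6)]
    rows += [("192.0.2.44", t0 + timedelta(hours=1), "root")]
    return [parse_alert(f"IP: {ip} | Referral: - | Timestamp: {ts} | Username: {user}")
            for ip, ts, user in rows]

if __name__ == "__main__":
    for ip, verdict in triage(sample_alerts(), known_users={"editor"}).items():
        print(ip, verdict)
```

Grouping by IP before counting keeps a burst from one source from being diluted by unrelated single attempts that arrive in the same inbox.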

  • The topic ‘Suggestion User Login Security’ is closed to new replies.