Apocalypse Meow provides several tools to help you lock down the wp-admin area:
- Brute-force log-in protection: temporarily disable and replace the log-in form after a specified number of failures are detected.
- Specify minimum password requirements for users to ensure nobody chooses something stupid like “password123”. 🙂
- See a complete history of log-in attempts, successes, and bans.
- Disable the “generator” meta tag, which betrays which version of WordPress you are running (thereby making exploits more easily targeted).
- Disable adjacent post meta tags.
- Disable XML-RPC.
- Restrict WP-REST access.
- Delete readme.html file.
- Rename the default “admin” user.
- Disable the theme/plugin editor.
- One-click reset all user passwords.
- Disable user enumeration attempts.
- Email alert after login from new location.
Due to the advanced nature of some of the plugin features, there are a few additional server requirements beyond what WordPress itself requires:
- WordPress 4.4+
- PHP 5.2+ (HHVM is fine too)
- PHP extensions: bcmath, date, filter, json, pcre
- CREATE and DROP MySQL grants
All plugin settings can be defined via constants in wp-config.php, which can be useful for system admins with multiple deployments. Options defined this way are set in stone and cannot be changed via the settings page.
More information about these options can be found on the aforementioned settings page.
MEOW_API_ACCESS: (string) “all”, “users”, “none” to allow access to everyone, logged-in users, or nobody respectively
MEOW_CORE_ENUMERATION: (bool) disable user enumeration
MEOW_CORE_ENUMERATION_DIE: (bool) produce an error during an enumeration attempt instead of redirecting to the home page (only applicable if
MEOW_CORE_FILE_EDIT: (bool) disable theme/plugin file editor
MEOW_CORE_XMLRPC: (bool) disable XML-RPC
MEOW_PRUNE_ACTIVE: (bool) automatically remove old records from the database
MEOW_PRUNE_LIMIT: (bool) the length in days to keep data
MEOW_LOGIN_FAIL_LIMIT: (int) number of login failures allowed for a single IP (within window)
MEOW_LOGIN_FAIL_WINDOW: (int) the window, in seconds, to count failures and limit login attempts
MEOW_LOGIN_SUBNET_FAIL_LIMIT: (int) number of login failures allowed for a given IP subnet
MEOW_LOGIN_RESET_ON_SUCCESS: (bool) stop counting past failures once a successful login is achieved
MEOW_LOGIN_NONCE: (bool) add a NONCE field to the login form
MEOW_LOGIN_KEY: (string) the $_SERVER array key containing the visitor’s IP address
MEOW_LOGIN_ALERT_ON_NEW: (bool) email the user whenever a login occurs from a new IP
MEOW_LOGIN_ALERT_BY_SUBNET: (bool) email on new login, but by subnet instead of single IP
MEOW_PASSWORD_ALPHA: (string) passwords must contain letters (“optional”, “required”, “required-both” (both as in upper- and lowercase))
MEOW_PASSWORD_NUMERIC: (string) passwords must contain numbers (“optional”, “required”)
MEOW_PASSWORD_SYMBOL: (string) passwords must contain other symbols (“optional”, “required”)
MEOW_PASSWORD_LENGTH: (int) the minimum password length
MEOW_TEMPLATE_GENERATOR_TAG: (bool) remove the generator meta tag
MEOW_TEMPLATE_ADJACENT_POSTS: (bool) remove the previous/next post meta tags
MEOW_TEMPLATE_README: (bool) delete WordPress’
Some robots are so dumb they’ll continue trying to submit credentials even after the login form is replaced, wasting system resources and clogging up the log-in history table. One way to mitigate this is to use a server-side log-monitoring program like Fail2Ban or OSSEC to ban users via the firewall.
Apocalypse Meow produces a 403 error when a banned user requests the login form. Your log-monitoring rule should therefore look for repeated 403 responses to wp-login.php. Additionally, some robots are unable to follow redirects; if your login form requires SSL, you should also ban clients that trigger repeated 301/302 responses.
If you have enabled user enumeration protection with the die() option, requests for ?author=X will produce a 400 response code.
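Detection logic for the rule described above, as an added example (Python, not part of the plugin; a Fail2Ban filter would match the same lines): it counts the 403/301/302 responses to wp-login.php and the 400 responses to ?author=N per client IP, and flags an IP once maxretry hits fall inside a findtime-second window, the same thresholds Fail2Ban uses. The log lines are constructed from documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-log format as written by Apache/nginx. The regex and the rule below
# mirror what a Fail2Ban filter for this plugin would match; added example only.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_blocked_hit(path, status):
    """True for the responses the plugin returns to banned/blocked clients."""
    if path.startswith("/wp-login.php") and status in (403, 301, 302):
        return True
    if status == 400 and re.search(r"[?&]author=\d+", path):
        return True
    return False

def offenders(log_lines, maxretry=5, findtime=600):
    """IPs that produced >= maxretry blocked hits inside any findtime-second window."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_blocked_hit(m["path"], int(m["status"])):
            hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    banned = set()
    for ip, times in hits.items():
        times.sort()
        # Sliding window: any maxretry consecutive hits within findtime seconds.
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(ip)
                break
    return banned

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 403 512 "-" "bot"' % s
    for s in range(0, 60, 12)          # five 403s within 48 seconds
] + [
    '198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla"',
    '203.0.113.9 - - [10/Oct/2023:13:57:01 +0000] "GET /?author=1 HTTP/1.1" 400 0 "-" "bot"',
    '203.0.113.9 - - [10/Oct/2023:13:57:02 +0000] "GET /wp-login.php HTTP/1.1" 302 0 "-" "bot"',
]

if __name__ == "__main__":
    print(sorted(offenders(SAMPLE_LOG)))  # -> ['203.0.113.7']
```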
Nothing fancy! You can use the built-in installer on the Plugins page or extract and upload the apocalypse-meow folder to your plugins directory via FTP.
- Is this plugin compatible with WPMU?
The plugin is only meant to be used with single-site WordPress installations.
- How do I unban a user?
The Login Activity page will show any active bans in the top/right corner. You can click the button corresponding to the victim to remove the ban.
- How do I unban myself?!
If you have accidentally banned yourself, you have a few options:
- Wait until the defined time has elapsed;
- Log in from a different IP (tip: use your cellphone (via data, not wifi));
- Ask a friend to log in and pardon you;
- Deactivate the plugin by renaming the apocalypse-meow plugin folder via FTP.
Remember: You can (and should) whitelist any IP addresses that you commonly log in from.
- Can I see the passwords people tried when logging in?
Of course not! Haha. Apocalypse Meow is here to solve security problems, not create them. Only usernames and IP addresses are stored.
- Will the brute-force log-in prevention work if my server is behind a proxy?
As of version 1.5.0, it is now possible to specify an alternative $_SERVER variable Apocalypse Meow should use to determine the visitor’s “true” IP. It is important to note, however, that depending on how that environmental variable is populated, the value might be forgeable. Nonetheless, this should be better than nothing!
- Multi-Server Setup
Apocalypse Meow tracks login history in the database. If your WordPress site is spread across multiple load-balanced servers, they must share access to a master database, or else tracking will only occur on a per-node basis.
Works perfectly and after deleting this plugin SQL is pure clean. LOVE IT!
Great work DEVS
Nice and useful plugin. Good support.
Contributors & Developers
“Apocalypse Meow” is open source software. The following people have contributed to this plugin.
- [New] Ability to control access to WP-REST requests.
- [Fix] Extend user enumeration protection to API requests.
- [Fix] pass-by-reference notice.
- [Fix] IPv6 whitelist bug.
- [New] Option to mitigate phishing attempts with
- [New] Additional common password checks.
- [Misc] Admin area improvements.
- [Change] Show number of remaining attempts after login failure.
- [Fix] Failed login attempts not always expiring.
- [Fix] Layering bug that could make the Settings > Save button unclickable.
- [Fix] Address PHP notice.
- [New] The plugin has been completely rewritten from the ground up to provide a cleaner interface, faster performance, and additional features.
- [New] Option to disable XML-RPC.
- [New] Option to remove adjacent post meta tags.
- [New] Support plugin configuration via
- [Change] Common password list has been expanded to around 500 entries.
- [Change] Tweak nonce error display.
- [New] Option to add Nonce field to the login form.
- [New] Email alerts after login from new location.
- [Fix] More robust username retrieval.
- [Fix] Forgot password reset enforces password strength rules.
- [New] Don’t allow Top 25 Most Common passwords ever.
- [Change] Move database cleanup to WP Cron.
- [Misc] Code clean-up.
- [New] Ability to clear unclaimed pardons.
- [New] In honor of Heartbleed, there is now a tool for resetting all user passwords en masse.
- [New] Allow alternate $_SERVER variables for proxy installations (thanks
- [Misc] Code clean-up.
- [New] Warn administrators on settings page of potential proxy/intranet-type issues.
- [Fix] Only show .htaccess options on Apache servers.
- [Change] Use wp_die() for Apocalypse screen.
- [Change] Database maintenance on by default.
- [Misc] File clean-up.
- [Fix] Ensure variables are declared at activation.
- [Fix] Replace deprecated
- [Fix] Replaced a couple functions that are deprecated as of PHP 5.5.0.
- [New] Log-in jail page to view currently banned IPs.
- [New] Ability to temporarily pardon a banned IP.
- [Fix] Log-in history now displayed in viewer’s timezone.
- [Fix] Call-time pass-by-reference warning/error in PHP 5.3+.
- [Change] Fail window unit converted to minutes.
- [Misc] More efficient logging of Apocalypse triggers.
- [Misc] Simplified Apocalypse page options.
- [Fix] Database upgrade procedure skipped.
- [Change] Lowered data retention minimum to 10 days.
- [New] Option to manually clear data.
- [Fix] Uninstallation now removes all plugin data/settings.
- [New] Option to disable theme/plugin editor.
- [Change] Prevent installation on WPMU blogs.
- [Fix] Use getenv() as it is more compatible across server environments.
- [Fix] Minor bug fixes.
- [New] Log-in statistics.
- [Change] Storing UA string with log-in attempt is now optional (default disabled).
- [Misc] Log-in protection settings now hidden if log-in protection is disabled.
- [Misc] Database maintenance settings now hidden if maintenance is disabled.
- [Misc] Use existing WP CSS for log-in history table.
- [Change] Set 403 status header when displaying Apocalypse screen.
- [Misc] Compatibility with WP 3.5.
- [Misc] All queries now run through $wpdb.
- [New] Ability to rename the default WordPress user to something less predictable.
- [Fix] Minor bug fixes.
- [New] Ability to disable the direct execution of PHP scripts in wp-content/.
- [Change] Re-organized the settings page.
- [New] Customizable page title and content for the Apocalypse page.
- [New] Apocalypse page display logging.
- [Fix] Improved timestamp handling.
- [Change] Un-embedded kitten graphic for improved support with older browsers.
- [New] Apocalypse Meow is born!