A simple, light-weight collection of tools to help protect wp-admin, including password strength requirements and brute-force log-in prevention.
The plugin is only meant to be used with single-site WordPress installations. Some features may still work in multi-site environments; however, it would be safer to use another plugin that is specifically marked WPMU-compatible instead.
If you have accidentally banned yourself, you have a few options: A) wait until the defined time has elapsed; B) log in from a different network IP (like from a friend's house); C) delete the apocalypse-meow plugins directory via FTP to force uninstallation of the plugin.
Remember: You can whitelist one or more IP addresses via the settings page to prevent just this sort of thing!
There are three relevant settings to consider:
Here is an example to illustrate the above point: Say the failure limit is 2, we don't reset on success, and the window is 2 hours. If an evildoer messes up the log-in at 10:01, 10:02, and 10:03, the Apocalypse is triggered and lasts until 12:01. If the evildoer were to immediately re-mess up the log-in once more, he/she would again trigger the Apocalypse (failures at 10:02, 10:03, and 12:01), but this time only for one minute, because at 12:02 the 10:02 failure will expire, leaving just 2 failures within the window.
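The timeline above, replayed as a small simulation. This is an added example, not the plugin's code: it assumes a ban holds while the number of unexpired failures exceeds the limit, which is the rule the times in the example imply, and the class and function names are hypothetical.

```python
from datetime import datetime, timedelta


class FailureWindow:
    """Sliding-window lockout: banned while live failures exceed the limit."""

    def __init__(self, limit, window, reset_on_success=False):
        self.limit = limit
        self.window = window
        self.reset_on_success = reset_on_success
        self.failures = []  # timestamps of failed log-ins, oldest first

    def _live(self, now):
        # A failure recorded at t counts until t + window, then expires.
        return [t for t in self.failures if t <= now < t + self.window]

    def banned_until(self, now):
        """Return when the ban lifts, or None if `now` is not banned."""
        live = self._live(now)
        if len(live) <= self.limit:
            return None
        # The ban ends once enough of the oldest failures have expired
        # to bring the count back down to the limit.
        return live[len(live) - self.limit - 1] + self.window

    def record_failure(self, now):
        self.failures = self._live(now) + [now]
        return self.banned_until(now)

    def record_success(self, now):
        if self.reset_on_success:
            self.failures = []


def replay_page_example():
    """Limit 2, no reset on success, 2-hour window, failures as in the text."""
    day = datetime(2016, 1, 1)  # constructed date; the text gives only clock times
    fw = FailureWindow(limit=2, window=timedelta(hours=2))
    ends = []
    for hour, minute in [(10, 1), (10, 2), (10, 3), (12, 1)]:
        ends.append(fw.record_failure(day + timedelta(hours=hour, minutes=minute)))
    return [e.strftime("%H:%M") if e else None for e in ends]


if __name__ == "__main__":
    print(replay_page_example())
```

The third failure produces a ban ending at 12:01, and the fourth, made the moment that ban lifts, produces one ending at 12:02.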
The default values are pretty reasonable, if I do say so myself:
The WordPress permalinks system is kinda finicky. Go to Settings > Permalinks and re-save your configuration.
Of course not! Haha. Apocalypse Meow only records the following information with each log-in attempt:
WordPress themes and plugins are made up of PHP scripts that should only be executed indirectly through the WordPress engine. Of course, some plugins and themes are poorly coded and do not fully exist within the WP framework and so might break if direct PHP execution is disabled. But hey, if things break, simply disable this option. ;)
As of version 1.5.0, it is now possible to specify an alternative $_SERVER variable Apocalypse Meow should use to determine the visitor's "true" IP. It is important to note, however, that depending on how that environmental variable is populated, the value might be forgeable. Nonetheless, this should be better than nothing!
Many plugin options can be set via wp-config.php, which can be useful for system admins with multiple deployments. Settings defined in wp-config.php will override anything set on the normal settings page, so this will also help prevent site users from weakening security after-the-fact.
The following options can be added to your site configuration:
//enable login protection, true or false
define('MEOW_PROTECT_LOGIN', true);
//the number of failed logins allowed
define('MEOW_FAIL_LIMIT', 5);
//add a nonce to the login page, true or false
define('MEOW_LOGIN_NONCE', true);
//email user after login from unknown IP, true or false
define('MEOW_ALERTS', true);
//failed logins expire after X seconds
define('MEOW_FAIL_WINDOW', 43200);
//reset failure count after successful login, true or false
define('MEOW_FAIL_RESET_ON_SUCCESS', true);
//log user agent information, true or false
define('MEOW_STORE_UA', false);
//clean the database periodically, true or false
define('MEOW_CLEAN_DATABASE', true);
//logs expire after X days
define('MEOW_DATA_EXPIRATION', 90);
//password must use letters: required, optional, required-both (force upper and lower)
define('MEOW_PASSWORD_ALPHA', 'required');
//password must use numbers, required or optional
define('MEOW_PASSWORD_NUMERIC', 'required');
//password must use symbols, required or optional
define('MEOW_PASSWORD_SYMBOL', 'optional');
//the minimum password length
define('MEOW_PASSWORD_LENGTH', 10);
//remove "generator" meta tag
define('MEOW_REMOVE_GENERATOR_TAG', true);
//remove adjacent post meta tags
define('MEOW_REMOVE_ADJACENT_POSTS_TAG', true);
//disable XML-RPC
define('MEOW_DISABLE_XMLRPC', true);
Requires: 3.4 or higher
Compatible up to: 4.4.2
Last Updated: 6 days ago
Active Installs: 2,000+