Plugin Directory

Apocalypse Meow

A simple, light-weight collection of tools to help protect wp-admin, including password strength requirements and brute-force log-in prevention.

Is this plugin compatible with WPMU?

The plugin is only meant to be used with single-site WordPress installations. Some features may still work under multi-site environments, however it would be safer to use some other plugin that is specifically marked WPMU-compatible instead.

I have accidentally banned myself, what can I do?

If you have accidentally banned yourself, you have a few options: A) wait until the defined time has elapsed; B) log-in from a different network IP (like from a friend's house); C) delete the apocalypse-meow plugins directory via FTP to force uninstallation of the plugin.

Remember: You can whitelist one or more IP addresses via the settings page to prevent just this sort of thing!

When exactly is the Apocalypse triggered and how long will it last?

There are three relevant settings to consider:

  1. Number of failures allowed - If this number is exceeded within the time period, the Apocalypse is triggered for the offending individual.
  2. Do successful log-in's reset the failure count? - If "yes", the failures counted in #1 must also occur after the most recent successful log-in attempt the offender has made, if any.
  3. The length of time to look at - This could be thought of as the time it takes for a failure to expire from relevance, thus it is only within this window that failures are counted against a person, and if the Apocalypse is triggered, it will last until the oldest of the applicable failures expires. This means the actual length of banishment can vary depending on how spread out the failed log-in attempts are. If the limit is reached in rapid succession, the Apocalypse will last more or less the entirity of the window. If, however, the failures are spaced evenly across the window, the Apocalypse may only last a minute.

Here is an example to illustrate the above point: Say the failure limit is 2, we don't reset on success, and the window is 2 hours. If an evildoer messes up the log-in at 10:01, 10:02, and 10:03, the Apocalypse is triggered and lasts until 12:01. If the evildoer were to immediately re-mess up the log-in once more, he/she would again trigger the Apocalypse (failures at 10:02, 10:03, and 12:01), but this time only for one minute, because at 12:02 the 10:02 failure will expire, leaving just 2 failures within the window.

What are reasonable log-in protection settings?

The default values are pretty reasonable, if I do say so myself:

  1. The failure limit is set to 5 - five failures for fat fingers and forgetfulness should be plenty.
  2. Yes, reset fail count after successful log-in - if you can't trust logged-in users, who can you trust?
  3. The failure window is set to 43200 seconds (12 hours) - this is long enough to make most evildoers give up, while not being so long as to ruin the life of a legitimate user accidentally caught up in it all.

The CSV link doesn't work; I just get a generic "404 Not Found" page.

The WordPress permalinks system is kinda finicky. Go to Settings > Permalinks and re-save your configuration.

Can I see the passwords people tried when logging in?

Of course not! Haha. Apocalypse Meow only records the following information with each log-in attempt:

  1. WP username
  2. IP address
  3. Browser (this is self-reported, so take it with a grain of salt)
  4. Status (e.g. success or failure)

What do the different log-in statuses mean on the Log-in History page?

  • Success: the log-in was successful;
  • Failure: the log-in was a big, fat failure;
  • Apocalypse: the Apocalypse page was displayed instead of the log-in form;

Wait... how do plugins and themes work if direct PHP execution is disabled?!

WordPress themes and plugins are made up of PHP scripts that should only be executed indirectly through the WordPress engine. Of course, some plugins and themes are poorly coded and do not fully exist within the WP framework and so might break if direct PHP execution is disabled. But hey, if things break, simply disable this option. ;)

Will the brute-force log-in prevention work if my server is behind a proxy?

As of version 1.5.0, it is now possible to specify an alternative $_SERVER variable Apocalypse Meow should use to determine the visitor's "true" IP. It is important to note, however, that depending on how that environmental variable is populated, the value might be forgeable. Nonetheless, this should be better than nothing!

wp-config.php setup

Many plugin options can be set via wp-config.php, which can be useful for system admins with multiple deployments. Settings defined in wp-config.php will override anything set on the normal settings page, so this will also help prevent site users from weakening security after-the-fact.

The following options can be added to your site configuration:

//enable login protection, true or false
define('MEOW_PROTECT_LOGIN', true);

//the number of failed logins allowed
define('MEOW_FAIL_LIMIT', 5);

//add a nonce to the login page, true or false
define('MEOW_LOGIN_NONCE', true);

//email user after login from unknown IP, true or false
define('MEOW_ALERTS', true);

//failed logins expire after X seconds
define('MEOW_FAIL_WINDOW', 43200);

//reset failure count after successful login, true or false

//log user agent information, true or false
define('MEOW_STORE_UA', false);

//clean the database periodically, true or false
define('MEOW_CLEAN_DATABASE', true);

//logs expire after X days

//password must use letters: required, optional, required-both (force upper and lower)
define('MEOW_PASSWORD_ALPHA', 'required');

//password must use numbers, required or optional
define('MEOW_PASSWORD_NUMERIC', 'required');

//password must use symbols, required or optional
define('MEOW_PASSWORD_SYMBOL', 'optional');

//the minimum password length

//remove "generator" meta tag

//remove adjacent post meta tags

//disable XML-RPC
define('MEOW_DISABLE_XMLRPC', true);

Requires: 3.4 or higher
Compatible up to: 4.4.2
Last Updated: 6 days ago
Active Installs: 2,000+


5 out of 5 stars


Got something to say? Need help?


Not enough data

0 people say it works.
0 people say it's broken.

100,1,1 100,1,1 100,2,2 100,2,2 100,1,1
100,2,2 100,1,1 100,1,1 100,1,1 100,1,1
100,1,1 100,2,2 100,1,1 100,3,3