A simple, light-weight collection of tools to help protect wp-admin, including password strength requirements and brute-force log-in prevention.
Due to the advanced nature of some of the plugin features, there are a few additional server requirements beyond what WordPress itself requires:
All plugin settings can be defined via constants in wp-config.php, which can be useful for system admins with multiple deployments. Options defined this way are set in stone and cannot be changed via the settings page.
More information about these options can be found on the aforementioned settings page.
MEOW_CORE_ENUMERATION: (bool) disable user enumeration
MEOW_CORE_ENUMERATION_DIE: (bool) produce an error during an enumeration attempt instead of redirecting to the home page (only applicable if
MEOW_CORE_FILE_EDIT: (bool) disable theme/plugin file editor
MEOW_CORE_XMLRPC: (bool) disable XML-RPC
MEOW_PRUNE_ACTIVE: (bool) automatically remove old records from the database
MEOW_PRUNE_LIMIT: (bool) the length in days to keep data
MEOW_LOGIN_FAIL_LIMIT: (int) number of login failures allowed for a single IP (within window)
MEOW_LOGIN_FAIL_WINDOW: (int) the window, in seconds, to count failures and limit login attempts
MEOW_LOGIN_SUBNET_FAIL_LIMIT: (int) number of login failures allowed for a given IP subnet
MEOW_LOGIN_RESET_ON_SUCCESS: (bool) stop counting past failures once a successful login is achieved
MEOW_LOGIN_NONCE: (bool) add a NONCE field to the login form
MEOW_LOGIN_KEY: (string) the $_SERVER array key containing the visitor's IP address
MEOW_LOGIN_ALERT_ON_NEW: (bool) email the user whenever a login occurs from a new IP
MEOW_LOGIN_ALERT_BY_SUBNET: (bool) email on new login, but by subnet instead of single IP
MEOW_PASSWORD_ALPHA: (string) passwords must contain letters ("optional", "required", "required-both" (both as in upper- and lowercase))
MEOW_PASSWORD_NUMERIC: (string) passwords must contain numbers ("optional", "required")
MEOW_PASSWORD_SYMBOL: (string) passwords must contain other symbols ("optional", "required")
MEOW_PASSWORD_LENGTH: (int) the minimum password length
MEOW_TEMPLATE_GENERATOR_TAG: (bool) remove the generator meta tag
MEOW_TEMPLATE_ADJACENT_POSTS: (bool) remove the previous/next post meta tags
MEOW_TEMPLATE_README: (bool) delete WordPress'
Some robots are so dumb they'll continue trying to submit credentials even after the login form is replaced, wasting system resources and clogging up the log-in history table. One way to mitigate this is to use a server-side log-monitoring program like Fail2Ban or OSSEC to ban users via the firewall.
Apocalypse Meow produces a 403 error when a banned user requests the login form. Your log-monitoring rule should therefore look for repeated 403 responses to wp-login.php. Additionally, if your login form requires SSL, you should also ban repeated 301/302 responses, as some robots don't know how to follow redirects.
If you have enabled user enumeration protection with the die() option, requests for ?author=X will produce a 400 response code.
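The matching logic such a log-monitoring rule needs, as an added Python sketch (not code from the plugin, Fail2Ban or OSSEC): it counts the 403, 400 and optional 301/302 responses described above per IP inside a sliding window. The combined access-log format, the threshold of 3 hits in 10 minutes, and the names `is_hit`, `ips_to_ban` and `SAMPLE` are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line: client IP, timestamp, request, status.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
LOGIN = re.compile(r'/wp-login\.php(?:\?|$)')
AUTHOR = re.compile(r'[?&]author=\d+')

def is_hit(path, status, count_redirects=False):
    """True for the responses the text says to watch for."""
    if LOGIN.search(path):
        # A successful login also answers 302, so only count redirects when
        # the lines come from the plain-HTTP side of an SSL-only login form.
        return status == "403" or (count_redirects and status in ("301", "302"))
    return status == "400" and bool(AUTHOR.search(path))

def ips_to_ban(lines, max_hits=3, window=timedelta(minutes=10), count_redirects=False):
    """Return IPs with max_hits or more matching responses inside the window."""
    recent, banned = defaultdict(deque), set()
    for line in lines:
        m = LINE.match(line)
        if not m or not is_hit(m["path"], m["status"], count_redirects):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop hits older than the window
            q.popleft()
        if len(q) >= max_hits:
            banned.add(m["ip"])
    return sorted(banned)

def _line(ip, hhmmss, request, status):
    return f'{ip} - - [10/Oct/2016:{hhmmss} +0000] "{request} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE = [
    _line("198.51.100.9", "09:00:00", "POST /wp-login.php", 403),
    _line("198.51.100.9", "11:00:00", "POST /wp-login.php", 403),
    _line("198.51.100.9", "13:00:00", "POST /wp-login.php", 403),
    _line("203.0.113.7", "13:00:01", "POST /wp-login.php", 403),
    _line("203.0.113.7", "13:00:05", "POST /wp-login.php", 403),
    _line("203.0.113.7", "13:00:09", "GET /wp-login.php", 403),
    _line("198.51.100.4", "13:01:00", "GET /?author=1", 400),
    _line("198.51.100.4", "13:01:02", "GET /?author=2", 400),
    _line("198.51.100.4", "13:01:04", "GET /?author=3", 400),
    _line("192.0.2.10", "13:02:09", "POST /wp-login.php", 302),
]
```

In the sample, 198.51.100.9 is not flagged because its three 403s are hours apart, and the lone 302 from 192.0.2.10 is ignored unless `count_redirects=True`.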
Requires: 4.4 or higher
Compatible up to: 4.6.1
Last Updated: 1 month ago
Active Installs: 2,000+