Plugin Directory

Apocalypse Meow

A simple, light-weight collection of tools to help protect wp-admin, including password strength requirements and brute-force log-in prevention.


Due to the advanced nature of some of the plugin features, there are a few additional server requirements beyond what WordPress itself requires:

  • WordPress 4.4+
  • PHP 5.2+ (HHVM is fine too)
  • PHP extensions: bcmath, date, filter, json, pcre
  • CREATE and DROP MySQL grants


All plugin settings can be defined via constants in wp-config.php, which can be useful for system admins with multiple deployments. Options defined this way are set in stone and cannot be changed via the settings page.

More information about these options can be found on the aforementioned settings page.

Core settings:

  • MEOW_CORE_ENUMERATION: (bool) disable user enumeration
  • MEOW_CORE_ENUMERATION_DIE: (bool) produce an error during an enumeration attempt instead of redirecting to the home page (only applicable if MEOW_CORE_ENUMERATION is true)
  • MEOW_CORE_FILE_EDIT: (bool) disable theme/plugin file editor
  • MEOW_CORE_XMLRPC: (bool) disable XML-RPC

Data Pruning:

  • MEOW_PRUNE_ACTIVE: (bool) automatically remove old records from the database
  • MEOW_PRUNE_LIMIT: (bool) the length in days to keep data

Login settings:

  • MEOW_LOGIN_FAIL_LIMIT: (int) number of login failures allowed for a single IP (within window)
  • MEOW_LOGIN_FAIL_WINDOW: (int) the window, in seconds, to count failures and limit login attempts
  • MEOW_LOGIN_SUBNET_FAIL_LIMIT: (int) number of login failures allowed for a given IP subnet
  • MEOW_LOGIN_RESET_ON_SUCCESS: (bool) stop counting past failures once a successful login is achieved
  • MEOW_LOGIN_NONCE: (bool) add a NONCE field to the login form
  • MEOW_LOGIN_KEY: (string) the $_SERVER array key containing the visitor's IP address
  • MEOW_LOGIN_ALERT_ON_NEW: (bool) email the user whenever a login occurs from a new IP
  • MEOW_LOGIN_ALERT_BY_SUBNET: (bool) email on new login, but by subnet instead of single IP

Password settings:

  • MEOW_PASSWORD_ALPHA: (string) passwords must contain letters ("optional", "required", "required-both" (both as in upper- and lowercase))
  • MEOW_PASSWORD_NUMERIC: (string) passwords must contain numbers ("optional", "required")
  • MEOW_PASSWORD_SYMBOL: (string) passwords must contain other symbols ("optional", "required")
  • MEOW_PASSWORD_LENGTH: (int) the minimum password length

Template settings:

  • MEOW_TEMPLATE_GENERATOR_TAG: (bool) remove the generator meta tag
  • MEOW_TEMPLATE_ADJACENT_POSTS: (bool) remove the previous/next post meta tags
  • MEOW_TEMPLATE_README: (bool) delete WordPress' readme.html file

Log Monitoring

Some robots are so dumb they'll continue trying to submit credentials even after the login form is replaced, wasting system resources and clogging up the log-in history table. One way to mitigate this is to use a server-side log-monitoring program like Fail2Ban or OSSEC to ban users via the firewall.

Apocalypse Meow produces a 403 error when a banned user requests the login form. Your log-monitoring rule should therefore look for repeated 403 responses to wp-login.php. Additionally, some robots are unable to follow redirects; if your login form requires SSL, you should also ban repeated 301/302 responses, as some robots don't know how to follow redirects.

If you have enabled user enumeration protection with the die() option, requests for ?author=X will produce a 400 response code.

Requires: 4.4 or higher
Compatible up to: 4.6.1
Last Updated: 1 month ago
Active Installs: 2,000+


5 out of 5 stars


2 of 3 support threads in the last two months have been marked resolved.

Got something to say? Need help?


Not enough data

1 person says it works.
0 people say it's broken.

100,1,1 100,1,1 100,2,2 100,2,2 100,1,1
100,2,2 100,1,1 100,1,1 100,1,1 100,1,1
100,1,1 100,2,2 100,1,1 100,3,3