The bookmark to log in nobody but you. Simple and secure.
I'm going to fix any new bugs you find, but please try the latest stable version first; maybe it's already fixed.
If you lost your login dongle, you can disable this plugin very easily.
Comment out this line of the plugin by adding // at the beginning:
$loginDonglePlugin = new LoginDonglePlugin();
This emergency procedure will make the default Log In button work again. After logging in, undo what you did above, otherwise this plugin will be marked as Active while being inactive. Then you can deactivate it with the WordPress button or leave it working.
Login Dongle does not touch any element of the standard login functionality (page, fields, buttons, processing ...) of WordPress, so you should be able to run this plugin alongside any other login plugin, like the wonderful Limit Login Attempts plugin. If you find issues, feel free to contact me and I'll have a look.
Theme My Login (at least up to v6.2.2) is not compatible with Login Dongle out of the box. In Login Dongle v1.4.0 I added support for Theme My Login. Unfortunately, you need to add a missing line to the code of that plugin: WP 3.2 introduced the login_init hook (which I use), but Theme My Login lacks it. To fix Theme My Login you'll need to
// allow plugins to override the default actions, and to add extra actions if they want
do_action( 'login_form_' . $action );
do_action( 'login_init' );
I would not. Login Dongle is designed to work in conjunction with brute-force attack repellers such as Limit Login Attempts.
Those plugins block internet users who try and fail to log in many times in a row. When that occurs, the recorded intruder's IP address is used to reject their subsequent login requests for some time, even before their credentials are matched against the database.
What Login Dongle does is to cut off the processing of the login form if it does not have a special field (question) or if that field does not contain the special value (answer) stored in the database of your blog, even before running the repeller or any special authentication plugins.
To save your precious resources (CPU time and web availability) when under attack, Login Dongle simply exits with a configurable message instead of incurring another page generation cycle.
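The check described above, sketched as an added example (not Login Dongle's own code): a login_init callback that exits unless the submitted form carries the challenge field with the stored response. The demo_dongle_* function names, the demo_dongle_* option keys and the site-wide storage of the pair are assumptions made for illustration.

```php
<?php
// Added example, not Login Dongle's own code. Hypothetical names: the
// demo_dongle_* functions and the demo_dongle_* option keys (a site-wide pair).

/** True only if the form carries the challenge field with the stored response. */
function demo_dongle_check( array $post, $challenge, $response ) {
    if ( ! is_string( $challenge ) || '' === $challenge
        || ! is_string( $response ) || '' === $response ) {
        return false; // incomplete configuration never validates
    }
    if ( ! isset( $post[ $challenge ] ) || ! is_string( $post[ $challenge ] ) ) {
        return false; // special field (question) missing or not a plain value
    }
    return hash_equals( $response, $post[ $challenge ] ); // constant-time compare
}

function demo_dongle_gate() {
    // Gate credential submissions only; viewing the login form stays possible.
    if ( ! isset( $_POST['log'] ) && ! isset( $_POST['pwd'] ) ) {
        return;
    }
    $challenge = get_option( 'demo_dongle_challenge', '' );
    $response  = get_option( 'demo_dongle_response', '' );
    if ( '' === $challenge ) {
        return; // gate not configured yet: leave the standard login untouched
    }
    if ( ! demo_dongle_check( wp_unslash( $_POST ), $challenge, $response ) ) {
        // Exit before authentication runs and before another page is generated.
        status_header( 403 );
        exit( esc_html( get_option( 'demo_dongle_message', 'Access denied.' ) ) );
    }
}
// Priority 1 so the check runs ahead of other login_init callbacks.
add_action( 'login_init', 'demo_dongle_gate', 1 );
```

The login_init hook fires only in wp-login.php, so a gate attached to it does not cover other authentication entry points such as xmlrpc.php; those need their own controls.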
Yes, because if someone stole your dongle, they would still not know the correct answer, which is only stored in the database. If they guess it, they only gain the right to have the login form processed on the server, but they still need to guess your unknown (and strong) password. That means they will soon be locked out by your brute-force attack repeller.
However, if you allow your browser to fill in your credentials automatically and someone uses your unattended PC, all security relies on the unguessability of the response. If you think such a scenario may happen at some point, you had better set up a strong response.
Login Dongle makes a brute force attack impossible without knowing the correct challenge >> response. Anyway, if a brute force attack repeller notifies you of an attack, you only need to edit the Login Dongle section of your Profile. Change both the challenge and response, and you're done. As soon as you save your changes, the attack will immediately stop because Login Dongle will expect the new challenge >> response to be submitted along with the login form.
The chance of being notified of an attack after installing Login Dongle is extremely small. If it occurred it'd mean that both
You can use whatever you like, up to 1000 characters.
You can use whatever you like, up to 20 characters. Even kanji.