Security against brute force attacks by tracking IP, name, password; requiring very strong passwords. Idle timeout. Maintenance mode lockdown.
The WordPress installation process (currently) defaults to having the main administrator's user name be "admin." Many people don't change it. Attackers know this, so all they need to do to get into such sites is guess the password.
In addition, if you try to log in while your site is being attacked, this plugin will send you through the password reset process in order to verify your identity. While not the end of the world, it's inconvenient.
A link to the page is found in this plugin's entry in the "Plugins" admin interface:
Let's turn the question around: "How long did it take to get in those 500 hits?" Chances are it took hours. (Six hours if they're attacking with one thread, 2 hours if they're coming at you with three threads, etc.) If this plugin wasn't working, they'd have pulled it off under a minute. Similarly, without the slowed responses this plugin provides, an attacker given six hours against your site could probably get in over 170,000 hits.
Anyway, my real question for you is "Did they get in?" I'll bet not. The strong passwords this plugin requires from your users lower the chances of someone breaking in to just about zero.
And even if they do get lucky and figure out a password, Login Security Solution realizes they're miscreants and kicks them out.
If you look at it the right way, Login Security Solution provides lockouts (where "lockout" means "denies access" to attackers.) Below is a comparison of the attack handling logic used by Limit Login Attempts and Login Security Solution.
Limit Login Attempts
Invalid or Valid Credentials by Attacker or Actual User
Note, this approach means an actual user can be denied access for 12 hours after making 4 mistakes.
Login Security Solution
Invalid Credentials by Attacker or Actual User
Valid Credentials by Attacker
Valid Credentials by Actual User
So both plugins deny access to attackers. But Login Security Solution has the bonuses of letting legitimate users log in and slowing the attacks down. Plus LSS monitors user names, passwords, and IPs for attacks, while all of the other plugins just watch the IP address.
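The difference between watching only the IP address and also watching the user name and password, as an added Python example that is not the plugin's own code. The window, thresholds, delay curve and the keyed hash used to track passwords are assumptions of this example, and the attack input is constructed.

```python
import hashlib
import hmac
from collections import namedtuple

# Assumed values for this example; not the plugin's settings.
WINDOW = 3600          # seconds a failure stays relevant
FREE_FAILURES = 3      # matches tolerated before responses slow down
MAX_DELAY = 30         # cap so one request cannot hold a worker for long
TRACKING_KEY = b"constructed-example-key"

Failure = namedtuple("Failure", "ts ip user pw_tag")


def pw_tag(password):
    """Keyed hash, so the failure log never holds a guessed password in clear."""
    return hmac.new(TRACKING_KEY, password.encode(), hashlib.sha256).hexdigest()


class FailureTracker:
    def __init__(self, by_ip_only=False):
        self.by_ip_only = by_ip_only
        self.failures = []

    def record(self, ts, ip, user, password):
        self.failures.append(Failure(ts, ip, user, pw_tag(password)))

    def matches(self, ts, ip, user, password):
        """Count recent failures sharing the IP, the user name or the password."""
        tag = pw_tag(password)
        count = 0
        for f in self.failures:
            if ts - f.ts > WINDOW:
                continue
            if f.ip == ip or (not self.by_ip_only and (f.user == user or f.pw_tag == tag)):
                count += 1
        return count

    def delay(self, ts, ip, user, password):
        """Seconds to sleep before answering this attempt."""
        over = self.matches(ts, ip, user, password) - FREE_FAILURES
        return 0 if over <= 0 else min(MAX_DELAY, 2 ** over)


def simulate(by_ip_only, attempts=20):
    """Constructed attack: one user name, a fresh source IP and password per try."""
    tracker = FailureTracker(by_ip_only)
    total = 0
    for i in range(attempts):
        ip, pw = "203.0.113.%d" % i, "guess-%d" % i
        total += tracker.delay(i, ip, "admin", pw)
        tracker.record(i, ip, "admin", pw)
    return total
```

With IP-only tracking the 20 constructed attempts are never slowed, because each arrives from a new address; tracking the user name as well adds 390 seconds of delay to the same run.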
Yeah, the DOS potential is there. I mitigated it for the most part by disconnecting the database link (the most precious resource in most situations) before sleeping. But remember, distributed denial of service attacks are fairly easy to initiate these days. If someone really wants to shut down your site, they'll be able to do it without even touching this plugin's login failure process.
.mo files! They get created as part of the release process.
.po file. If you have other changes you wish to see made, please do so via separate commits in separate pull requests.
git diff before all commits. Ensure only expected changes are being made.
Translation from WordPress. DO NOT TRANSLATE IT IN THIS PLUGIN. When starting a new translation, please take a look at an existing .po file to see which strings they are. Those phrases are already translated in WordPress' core. Leaving them untranslated here ensures consistency with the rest of WordPress.
To start a new translation:
    cd languages
    # Adjust "lc" to your language code.
    # Adjust "CC" to your country code.
    cp login-security-solution.pot login-security-solution-lc_CC.po
    # Edit the new login-security-solution-lc_CC.po file.
To update the
makepot utility directory should be in the same directory
login-security-solution directory. If you don't have this setup, here's what to do:
svn checkout http://i18n.svn.wordpress.org/tools/trunk/ makepot
So, now you'll have:
    parent dir
     |- login-security-solution/
     |- makepot/
Then, bringing the .po files up to date is as easy as:
Finally, to update the .mo files for testing or release:
Requires: 3.3 or higher
Compatible up to: 4.4.2
Last Updated: 2 weeks ago
Active Installs: 20,000+