Login Security Solution

Security against brute force attacks by tracking IP, name, password; requiring very strong passwords. Idle timeout. Maintenance mode lockdown.

  1. Before installing this plugin, read the FAQ!

  2. If your WP install is behind a proxy or load balancer, please be aware that this plugin uses the REMOTE_ADDR provided by the web server (as does WordPress' new comment functionality and the Akismet plugin). If you want our brute force tracking to work, we advise adjusting your wp-config.php file to manually set the REMOTE_ADDR to a data source appropriate for your environment. For example:

        if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $_SERVER['REMOTE_ADDR'] = preg_replace('/^([^,]+).*$/', '\1',
                $_SERVER['HTTP_X_FORWARDED_FOR']);
        }
    
  3. Download the Login Security Solution zip file from WordPress' plugin site: https://wordpress.org/plugins/login-security-solution/

  4. Unzip the file.

  5. Our existing tests are very effective, catching all of the 2 million entries in the Dazzlepod password list. But if you need to block specific passwords that my tests miss, this plugin offers the ability to provide your own dictionary files.

    Add a file to the pw_dictionaries directory and place those passwords in it. One password per line.

    Please be aware that checking the password files is computationally expensive. The following script runs through each of the password files and weeds out passwords caught by the other tests:

        php utilities/reduce-dictionary-files.php
    
  6. If your website has a large number of non-English-speaking users:

    • See if a keyboard sequence file exists in this plugin's pw_sequences directory for your target languages. If one does not exist, create it using the following steps, which are for left-to-right languages. (For right-to-left languages, flip the direction of the motions indicated.)

      • Open a text editor and create a file in the pw_sequences directory
      • Hold down the shift key
      • Press the top left character key of the keyboard. NOTE: during this entire process, do not press function, control or whitespace keys (like tab, enter, delete, arrows, space, etc).
      • Work your way across the top row, pressing each key across the row, one by one
      • Press the left-most character key in the second row
      • Go across the second row pressing each key
      • Continue through the entire keyboard in the same manner
      • Let go of the shift key
      • Re-start the process at the top left key of the keyboard and work your way through the keyboard, now in lower-case mode
      • Save the file and close the editor
      • Feel free to submit the files to me so others can use them. See the features request section, below.
    • If a translation file for your language does not exist in this plugin's languages directory, add one. Read http://codex.wordpress.org/I18n_for_WordPress_Developers for details. The files must use UTF-8 encoding. Send me the file and I'll include it in future releases. See the features request section, below.

  7. The last step of the new password validation process is checking if the password matches an entry in the dict program. See if dict is installed on your server and consider installing it if not. http://en.wikipedia.org/wiki/Dict

  8. Upload the login-security-solution directory to your server's /wp-content/plugins/ directory

  9. Activate the plugin using WordPress' admin interface:

    • Regular sites: Plugins
    • Sites using multisite networks: My Sites | Network Admin | Plugins

  10. Adjust the settings as desired. This plugin's settings page can be reached via a sub-menu entry under WordPress' "Settings" menu or this plugin's entry on WordPress' "Plugins" page. Sites using WordPress' multisite network capability will find the "Settings" and "Plugin" menus under "My Sites | Network Admin".

  11. Run the "Change All Passwords" process. This is necessary to ensure all of your users have strong passwords. The user interface for doing so is accessible via a link in this plugin's entry on WordPress' "Plugins" page.

  12. Ensure your own password is strong by changing it.
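
For step 2, an added example (not the plugin's code) of setting REMOTE_ADDR in wp-config.php so that X-Forwarded-For is honoured only when the request arrives from your own proxy, since the header is otherwise supplied by the client and would let the brute force tracking be fed arbitrary addresses. The proxy addresses and the names `$lss_trusted_proxies` and `lss_example_client_ip` are assumptions made for illustration.

```php
<?php
// Added example, not part of the plugin. Omit the opening tag when pasting
// into an existing wp-config.php.
// Assumption: constructed placeholder addresses; use your proxy/load balancer IPs.
$lss_trusted_proxies = array('192.0.2.10', '192.0.2.11');

/**
 * Return the client IP to use for brute force tracking.
 *
 * X-Forwarded-For is read only when the direct peer is a trusted proxy.
 * The list is walked right to left: each proxy appends the address it saw,
 * so anything left of the first untrusted hop was supplied by the client.
 */
function lss_example_client_ip($remote_addr, $forwarded_for, array $trusted) {
    if (!in_array($remote_addr, $trusted, true) || $forwarded_for === '') {
        return $remote_addr; // direct connection: ignore the header entirely
    }
    $hops = array_reverse(array_map('trim', explode(',', $forwarded_for)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote_addr; // malformed entry: fall back to the peer
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop; // nearest address that is not one of our proxies
        }
    }
    return $remote_addr; // header listed only our own proxies
}

$_SERVER['REMOTE_ADDR'] = lss_example_client_ip(
    isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '',
    isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '',
    $lss_trusted_proxies
);
```

Place it above the line in wp-config.php that loads wp-settings.php, so the value is set before WordPress and the plugin read it.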

Hooks

Login Security Solution provides hooks in critical methods, allowing you to add custom behaviors.

Requires: 3.3 or higher
Compatible up to: 4.2.2
Last Updated: 2015-5-25
Active Installs: 20,000+

Ratings

4.3 out of 5 stars

Support

8 of 9 support threads in the last two months have been resolved.

Compatibility

1 person says it works.
0 people say it's broken.
