Description
Techbox Login Security hardens the WordPress sign-in flow. It protects wp_authenticate() — the standard wp-login.php form and classic WooCommerce My Account / checkout login — with brute-force lockouts, IP access lists, activity logging, and a clear, operator-friendly admin experience.
Enforcement runs on WordPress login hooks (defense in depth at credential time). It is not a pre-WordPress WAF and does not replace edge protection like Cloudflare or a server firewall — it catches the login attempts that reach your site.
Features
- Login attempt limits — configurable max attempts, time-based lockout, failure-decay window, and an escalating long lockout for repeat offenders.
- IP access lists — allow/deny lists; the allow list bypasses limits.
- Proxy-aware client IP — optional, opt-in
X-Forwarded-Fortrust for sites behind a CDN/reverse proxy. - Activity log & dashboard — failed logins, successful sign-ins, lockouts, and an at-a-glance security overview.
- Channel policy — explicit handling for XML-RPC and REST application-password logins.
- Login messaging — customizable error messages and optional pre-lockout attempt feedback (WordPress-default or custom).
- Privacy / GDPR notices — optional login-page and footer notices that link to your privacy policy.
- Lockout email notifications — site-wide lockout-event emails with a test send.
- Custom login URL — optional secret login path with a gate on
wp-login.php. - Login lockdown — temporarily restrict sign-in with role / username / IP bypass.
- Active sessions — view currently signed-in users and end (kick) a session.
- Email verification at login — optional, role-scoped email code at sign-in (off by default). This is a lightweight email verification step, not TOTP/SMS MFA.
Recommended defaults
On a fresh install Techbox Login Security applies a sensible “out of the box” posture so the site is protected immediately: login limits on (5 attempts / 15-minute lockout / 24-hour failure decay, escalating to a 24-hour lockout after repeat strikes), failed logins logged, attempt feedback and the footer privacy notice on. Optional features (custom login URL, lockout emails, email login codes, login lockdown) stay off until you configure them. Every settings section has a Restore recommended action.
Privacy
All storage is local to your site. The activity log includes IP addresses and usernames so you can audit sign-ins; remove or restrict access if your policies require it. This plugin makes no external API calls — login-security enforcement, logging, and all data storage run entirely on your own site, and no data is sent anywhere.
Techbox Login Security Pro
A separate Pro version is available from Techbox Design for sites that need more. It builds on everything here and adds country (geo) blocking, CSV export, username and probe (enumeration) policies, bot login protection, and session ban controls. Pro is optional — this free plugin is fully functional on its own.
Installation
- Upload the plugin to
/wp-content/plugins/techbox-login-security/, or install it from the Plugins screen. - Activate it from the Plugins screen.
- Open Techbox Login Security Settings. Recommended defaults are applied on first activation; review Login security and the Advanced tab to tune limits, lists, and optional features.
FAQ
-
Does this protect WooCommerce logins?
-
Yes. The security engine applies to classic WooCommerce My Account and classic checkout login forms (which use the standard authentication flow), including attempt limits, lockouts, and the optional email login code. Block-based (Store API) checkout is not yet supported for storefront notices. See Techbox Design for current compatibility notes.
-
Is the email login code the same as two-factor authentication (2FA)?
-
It is a lightweight email verification code at login, optional and role-scoped. Full authenticator-app (TOTP) and SMS MFA with backup codes are planned for a later release, not in this version.
-
Will it lock out legitimate users?
-
Login limits are tuned conservatively by default and the IP allow list always wins. If you ever lock yourself out, you can clear limits from the settings screen (or by database/hosting access), and the custom login URL is optional and off by default.
-
Does it require a CDN, external API, or server-level firewall?
-
No. Enforcement runs on WordPress login hooks. It complements, and does not replace, edge/server protection.
-
Can I reset settings to a safe baseline?
-
Yes. Each settings section and tab has a Restore recommended action that re-applies the recommended posture.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Techbox Login Security” is open source software. The following people have contributed to this plugin.
ContributorsTranslate “Techbox Login Security” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.1.11
- Security hardening: annotate the nonce-verified admin email GET reader so static analysis (Plugin Check / PHPCS) recognises the existing nonce check.
1.1.10
- Security: verify WooCommerce and email-2FA login nonces; stop putting test emails in query strings; late-escape admin shell markup/attributes.
- Security: require manage_options for fresh-install defaults and toolbar preference writes; remove EscapeOutput phpcs ignores on admin CTAs/chips.
1.1.9
- Compliance polish: remove dead “not available / entitlement” admin branches; drop orphan locked Pro CSS; rename session ban capability slug for clarity.
1.1.8
- Coding standards: prefix all admin template variables for Plugin Check PrefixAllGlobals compliance.
1.1.7
- Compliance: replace locked-looking Pro field rows in Login messages with plain Pro notes and links.
- Compliance: remove dead upgrade-to-enable row-action branches; soften Advanced / empty-state Pro CTAs.
- Admin: safer boolean attribute escaping in tab panels, nav, and table chrome.
1.1.6
- Activity log: successful sign-ins can be recorded, filtered in Event logs, and counted on the Dashboard.
- Settings: Advanced tab label no longer shows a Pro pill.
1.1.5
- Dashboard: remove locked Pro metric tiles and placeholder panels; show one clear Pro upsell instead.
1.1.4
- Activity log: confirmed no artificial browse or storage cap; pagination default remains 20 (choices 20 / 50 / 100).
1.1.3
- Compliance: fully usable free activity log (browse all stored events, clear log, IP row actions).
- Compliance: unique Techbox_ / techbox_ prefixes; remove stale Pro-gated notice copy.
- Branding: user-facing strings use Techbox Login Security.
1.1.2
- Admin polish: refined settings screens presentations.
1.1.1
- Admin polish: reset-to-defaults now confirms and reports success with the same toast used when saving, instead of a full-page notice.
- Removed a login message field that had no effect in this edition.
1.1.0
First public release.
- Login attempt limits with escalating lockouts.
- IP allow/deny access lists with proxy-aware (opt-in) client IP detection.
- Activity log and security dashboard (failed logins, lockouts, top failing IPs).
- XML-RPC / REST application-password channel policy.
- Customizable login messaging and pre-lockout attempt feedback.
- Optional privacy/GDPR login-page and footer notices.
- Lockout email notifications with a test send.
- Optional custom login URL and login lockdown.
- Active session viewing with the ability to end a session.
- Optional, role-scoped email verification code at login.




