If you use WordPress, you are aware of the need for good security. We understand the importance of strong passwords, and keeping our WordPress version, plugins and themes up-to-date. And if you have read posts or ebooks on security, there are tons of other efforts we can make to keep our sites even more secure. And lastly, a lot of the managed hosting sites out there offer additional security as well.
I just want to introduce you to the Limit Login Attempts plugin. It is an easy-to-use plugin adding a nice layer for the protection of your site.
So instead of recreating the wheel, here is the description taken from WordPress.org.
Limit the number of login attempts possible both through normal login as well as using auth cookies.
By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
Limit the number of retry attempts when logging in (for each IP). Fully customizable
Limit the number of attempts to log in using auth cookies in same way
Informs user about remaining retries or lockout time on login page
Optional logging, optional email notification
Handles server behind reverse proxy
It is possible to whitelist IPs using a filter. But you probably shouldn’t. 🙂
So basically, when someone tries to login to your site guessing your username and password, this is what they will see.
The setup of the plugin is pretty straight-forward, and you could safely leave the default settings in.
One thing you will notice is the last setting: Notify on lockout. Now I have both of these checked, which may be overkill for you. So I get email notification as well as this log below.
The interesting thing you will note from this is the attempt of logins using the username “admin”. And as I’ve preached many times, do not use the default admin username. You can see why now. But also, interestingly enough, there were some other ones used, “manager”, “office” etc. And finally you will see one where they tried “bobwp”. So this also is a good reason to have a strong username, huh?
Finally, remember that this plugin is not discerning. In other words, even though this is your own site, it can lock you out if you screw up on your logins. And if that happens, well, you will have to wait for the time you have in your settings “minutes lockout”. Otherwise, as noted on the plugins page:
I locked myself out testing this thing, what do I do?
Either wait, or:
If you know how to edit / add to PHP files you can use the IP whitelist functionality described above. You should then use the “Restore Lockouts” button on the plugin settings page and remove the whitelist function again.
If you have ftp / ssh access to the site rename the file “wp-content/plugins/limit-login-attempts/limit-login-attempts.php” to deactivate the plugin.
If you have access to the database (for example through phpMyAdmin) you can clear the limit_login_lockouts option in the wordpress options table. In a default setup this would work: “UPDATE wp_options SET option_value = ” WHERE option_name = ‘limit_login_lockouts'”
Better to be careful instead of locking yourself out obviously.
You can search and upload this plugin through your dashboard, or find more information about it here.