To help stop brute-force password-cracking attempts on your WordPress blog, there is a WordPress security plugin called “Limit Login Attempts.”
This plugin limits the number of login attempts made through your wp-login.php page and through auth cookies, and blocks the IP address once the limit is reached.
Without limiting your WordPress login attempts, you are opening the door for malicious hackers to spend their time guessing your username and password.
The Limit Login Attempts plugin lets you protect your login process:
- Set how many login tries they get before being locked out.
- Adjust how long they get locked out for future attempts.
- Get email notifications sent to you if an IP is blocked.
Here's a screenshot of my Limit Login Attempts options:
What I haven't found out about this plugin yet is whether you have the ability to “unlock” an IP. I have posted on the forum and hope to have an answer soon.
You can find out more information and/or download the Limit Login Attempts plugin here.
One thing I do not like about this plugin is that it does not mask the “Login Errors.” It actually shows the visitor how many login attempts they have left and how long they are locked out for.
My suggestion is that you always hide the login errors. You can do so by adding the following code to your theme's functions.php file:
// Remove Login Error Message on wp-login.php
// (create_function() is deprecated/removed in current PHP, so a closure is used instead.)
add_filter( 'login_errors', function ( $errors ) { return null; } );
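As an added example (not the plugin's code and not from the post), here is a minimal must-use plugin that implements the three options listed above (attempt limit, lockout duration, email notice), counts failures through both the password path and the auth-cookie path, and returns a generic message instead of the "attempts left" detail discussed above. The LLA_ constants, lla_ function names and the values chosen are assumptions.

```php
<?php
// Added example, not the Limit Login Attempts plugin's code. Drop into
// wp-content/mu-plugins/ to activate. Constant names and values are assumptions.
define( 'LLA_MAX_ATTEMPTS', 4 );      // failed tries allowed before lockout
define( 'LLA_LOCKOUT_MINUTES', 20 );  // how long the IP stays locked out

function lla_client_ip() {
    // REMOTE_ADDR is the address the web server saw; do not trust X-Forwarded-For
    // unless WordPress sits behind a proxy you control.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lla_key( $suffix ) {
    return 'lla_' . $suffix . '_' . md5( lla_client_ip() );
}

// Count every failed password check and every bad auth cookie against the IP.
function lla_record_failure() {
    if ( get_transient( lla_key( 'locked' ) ) ) {
        return; // already locked out; do not extend or re-notify
    }
    $ttl   = LLA_LOCKOUT_MINUTES * MINUTE_IN_SECONDS;
    $count = (int) get_transient( lla_key( 'fails' ) ) + 1;
    set_transient( lla_key( 'fails' ), $count, $ttl );
    if ( $count >= LLA_MAX_ATTEMPTS ) {
        set_transient( lla_key( 'locked' ), time(), $ttl );
        delete_transient( lla_key( 'fails' ) );
        wp_mail( get_option( 'admin_email' ), 'Login lockout on ' . home_url(),
            sprintf( 'IP %s locked out for %d minutes after %d failed logins.',
                lla_client_ip(), LLA_LOCKOUT_MINUTES, $count ) );
    }
}
add_action( 'wp_login_failed', 'lla_record_failure' );
add_action( 'auth_cookie_bad_hash', 'lla_record_failure' );
add_action( 'auth_cookie_bad_username', 'lla_record_failure' );

// Runs after the built-in password check (priority 20) and overrides its result
// while the IP is locked out, so even a correct guess is not confirmed. The
// generic message deliberately hides the remaining time and attempt count.
function lla_block_if_locked( $user ) {
    if ( get_transient( lla_key( 'locked' ) ) ) {
        return new WP_Error( 'lla_locked', 'Login temporarily disabled.' );
    }
    return $user;
}
add_filter( 'authenticate', 'lla_block_if_locked', 30, 1 );

// Clear the counter on success so a legitimate user is not punished for one typo.
add_action( 'wp_login', function () { delete_transient( lla_key( 'fails' ) ); } );
```

Because the counter is keyed by IP, users behind a shared NAT or a changing address (as one commenter describes below) share or lose their count, which is the same trade-off the plugin makes.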
I'd like to thank my friend Chris Cobb for recommending this WordPress security plugin. I'm still testing the waters, but it looks good so far.
Prior to installing the Limit Login Attempts plugin, I had been using Login Lockdown and it has worked great. However, as far as I know it does not block by auth cookies, so I thought I'd give Limit Login Attempts a try.
Leave Your Feedback
Have you tried the Limit Login Attempts plugin? If so, what do you like or don't like about it? Are you able to unblock/unlock IPs manually from the dashboard? Or do you use the Login Lockdown plugin or have another one to suggest to help protect the login process on your WordPress blog? Leave your comment below.
Securely yours,
Regina Smola
WordPress Security Expert
Follow on Twitter @WPSecurityLock
Become a Facebook Fan
Miserere says
I’ve been using this plugin for quite a while now, and am happy with how it works…except when I forget my password and am not at home to look it up. Doh!
Regina Smola says
Hi Miserere,
I hear you on locking yourself out. It’s always best to have one other person you trust have an admin account so they can unlock you and/or reset your password for you if needed.
A good way to manage your passwords when you’re away or at home is to use LastPass.
Robert Nelson says
Downloaded and installed. Will take it for a test drive. Thanks for the info and the hyperlink.
Regina Smola says
Hi Robert,
You’re welcome. Let me know how you like it compared to Login Lockdown.
Robert Nelson says
http://www.seomoz.com has a helpful toolbar if you do SEO.
Regina Smola says
Thanks for the link. This looks like a stand-alone version vs. using a WP plugin. Have you tried it and had success with SEO? I have also been checking out the SEOPressor and Scribe SEO plugins. Any experience with either of those?
Note: I noticed that the WassUp plugin is throwing some preg_match errors on the SEOPressor site in the footer.
Jim Sanders says
Hello Regina,
I have been a long time follower now, posted a couple times over here, and used your PDF download as my guide. I’m just wondering if you’re suggesting this now over login lockdown? Hence the reason for my post. Sorry, I have nothing to contribute about the plugin you reviewed. I’ve never used it 🙂
Regina Smola says
Hi Jim,
Thanks for your comment and question.
I’ve been an avid user of Login Lockdown for almost 2 years and have always highly recommended it. Michael VanDeMar (the developer) at Bad Neighborhood has some nice tools and I appreciate his work.
Right now I’m testing the waters on the Limit Login Attempts plugin for 3 main reasons: 1) They have a recent update that has been tested with 3.1. 2) You can view their change log at wordpress.org. 3) It blocks malicious login attempts by way of cookies as well as the normal process.
I am successfully using Login Lockdown on several WP 3.1 websites and so far I have not had any problems. But I’m always looking for improvements in security as technology changes and hackers get smarter.
Right now, if you’re happy with Login Lockdown I suggest you keep it. You know what they say, if it’s not broke don’t fix it.
I will update this post as time goes on to see if there are any concerns with this plugin.
Jim Sanders says
Thanks for the reply Regina. On a somewhat humorous note, I know that Login Lockdown still works with the latest available dashboard update for WordPress because of last night. My older brother was wondering about WordPress and whether that would be a solution for one of his clients. To make a long story short, I gave him login and password details over the phone for one of my present WordPress updated sites. First he had two typos, then it turned out I gave him the wrong password. Lo and behold, he was IP locked out for 60 minutes and I had to clear the lock before he could try again, and eventually get in for a look around. Kinda funny the events around your post, but I definitely know it still works 🙂
Regina Smola says
Oh trials and errors of giving login details over the phone. Been there done that. Caused a few gray hairs for me. LOL
Login Lockdown is working on several 3.1 sites and still works fine. I just wish they’d be a little more proactive in testing and updating the compatibility on their plugin page. Normally, I shy away from plugins that haven’t been updated in a long time. It makes me think they have “stopped” caring.
Jim Sanders says
The thing with that becomes this…does it need an update? Sometimes, I am sure that just because something in WordPress updates, it doesn’t mean that a plugin needs an update if the WordPress updates changed nothing about the plugin functionality. I wouldn’t say lack of updates means they don’t care, especially if the plugin still works. Now, if WordPress updates, the plugin no longer works, and then they don’t update, that’s another matter 🙂
Roy Randolph says
Has anyone used this with BulletProof plugin?
Any issues if you have?
Regina Smola says
Hi Roy,
So far I have heard no reports of any conflicts with the BulletProof plugin. If you hear of any let us know.
Note: Make sure you have the latest version of BulletProof; there was a security vulnerability found and it has been resolved in their latest update. You can check their changelog here.
Kathy Pop says
Goosh, that looks so much like the Login Lockdown plugin, which does allow you to unlock IPs, but I will look into this one too.
@ Roy, I have BulletProof plugin on a test blog and so far no issues
Thanks Regina
Regina Smola says
Hi Kathy,
Thanks for your comment. Yes it looks very similar. Let me know if you find any issues or like it better.
Babaji M P says
I have been using the Bad Behaviour plugin. Often it used to lock me out from accessing my admin.
I will give a try to the plugin you suggested.
Thanks Regina.
Regina Smola says
Hi Babaji,
I use the Bad Behavior plugin too. So far I have not had any issues with locking myself out by my IP. If you’re able to use this plugin from your home or office and you’re going to be traveling you may want to temporarily deactivate the plugin before you go and then reactivate it when you get back to avoid getting locked out.
Or you can have a secondary administrator that you can contact to temporarily disable the plugin if you find you’ve been locked out from your location.
Bad Behavior is different than Limit Login Attempts as it helps block link spam and the robots that deliver it. Use this in conjunction with a Honey Pot from http://projecthoneypot.org/. It works great in blocking blacklisted IP addresses from accessing your website. Be sure to enter in your http:BL Access Key inside your Bad Behavior options.
Thanks for your comment 🙂
Babaji M P says
Thanks Regina & Jim.
And thanks for the information that the Bad Behaviour plugin is for blocking link spam rather than login attempts.
When I get myself locked down, I switch off my modem, clear the cache and restart the system to access wp-login. Mine is not a static IP.
Bad Behaviour doesn’t even allow you to view the wp-login or wp-admin page, so having another administrator account would make no difference, I guess.
As advised by you, now I’m using the Limit Login Attempts plugin.
Thank you.
Jim Sanders says
Strange, I have Bad Behavior plus Login Lockdown without any issues. Matter of fact, I have all of them in Regina’s PDF download for joining her email list on this site, and again, no issues.
Regina Smola says
Hey Jim,
Thanks for your comment 🙂
I’ve only seen 2 people that had issues with not being able to access their own website with Bad Behavior activated. They were both at a location where the IP address was on the “naughty list” and were locked out.
One was in Canada and she had an Internet provider that didn’t give a hoot. I told her to get a dedicated IP. The other was traveling in Europe and found two locations that were blocked. So I deactivated the plugin until she was in a different IP range.
Regina Smola says
Jim,
Forgot to mention that I just installed the Twitterlink Comments plugin and saw your Twitter link. I will follow you as soon as I can. Right now I’m at my quota 🙁 <<< I wish Twitter would fix that.
Jim Sanders says
No worries, yer busy =)
Johan Eenfeldt says
Yes. If there are any active lockouts they can be unblocked on the plugin option page.
Shirley says
Hey Regina!
Going to give the Limit Login a try…I am currently using Bad Behavior, WP Scanner and Ultimate Security. Have had no issues so far…someone launched a “dictionary attack” recently but all attempts were blocked by Bad Behavior plus thanks to you Regina…my user name cannot be found in any dictionary and also due to your past great advice …my password is made up of 20 letters, characters, upper, lower…plus the kitchen sink! LOL…Also I really enjoyed the teleseminar with MaryJo last night…looking forward to the next one. Thanks again for everything.
Lilia Lee says
Thank you for the info. I will test it out immediately.
Also thanks for the advice to Miserere. I used to lock myself out of my car all the time, so I can relate! ; }
Chris Wiegman says
Hi all,
Login lockdown is only one piece of the security puzzle. This can be added to by hiding the login page entirely and through the use of various other techniques. If you don’t mind a plug, please try out my version of this technique as well as others in the Better WP Security plugin (http://wordpress.org/extend/plugins/better-wp-security/). Any feedback to help improve it would be greatly appreciated.
Internet Affiliate Marketing Tools & Tips says
I do not have any sort of security plugin, and am looking into getting one. I recently had someone get into my site and register themselves as a user. I was lucky enough to be on my computer when it happened, so I deleted them right away and changed my password. No harm done this time, but it made me ready to tighten my security. I will try this new Plug-in.
Roy says
Just curious, what type of password were you using (don’t give out the password)? I’m interested in knowing if you used common words etc. Not asking to bash you or anything; hopefully it will help others and give some insight.
If you do not want to say, I fully understand.
DG says
Hello, I just installed this plugin and changed the default settings like the screenshot above.
But I still get the error message “Current setting appears to be invalid. Please make sure it is correct.”
Can you help me to solve it? Thanks for the article btw…
Ryan says
Thanks for this. I’ve been getting hammered with hits on wp-login and am tired of manually blocking IPs.
Bhavesh Sondagar says
Hi Regina Smola,
Thanks for your recommendation, I have tried this plugin and found useful. I have applied this plugin on my WordPress blog.
Slavi says
Hi,
I’ve tried the solution but it only partially works.
It does remove the errors but still keeps the error container, which has a red border.
I’ve added some jQuery code to remove the error container if it doesn’t have any tags in it.
https://gist.github.com/lordspace/5175010
Slavi,
http://orbisius.com
Regina Smola says
You can use CSS to not display the red box, but as long as the errors are not displaying you are all good 🙂
Karen says
Regina,
Since there seems to be a brute force attack happening now, do you have any further advice beyond what Hostgator suggests in this post: http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood/ ?
I’m very intimidated by the instructions here: http://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-login-brute-force-attack How long would it take to do all that?! We have over 100 sites that we manage.
Thankfully, our passwords are all relatively strong and we have the Limit Login plugin installed, thanks to you.
Regina Smola says
Hi Karen,
I would suggest you install the Better WP Security plugin which has a plethora of security settings to help protect your site. You can even use the brute force/login protection built in and you can reduce the number of other security plugins you are running.