A simple way to lock down login security for multisite and regular\nWordPress installations.<\/p>\n\n
Blocks brute force and dictionary attacks without inconveniencing\nlegitimate users or administrators<\/p>\n\n
Thoroughly examines and enforces password strength. Includes full\nUTF-8 character set support if PHP's Blocks discovering user names via the \"?author=\" query string<\/p><\/li>\n Password aging (optional) (not recommended)<\/p>\n\n Administrators can require all users to change their passwords<\/p>\n\n Logs out idle sessions (optional) (idle time is customizable)<\/p><\/li>\n Maintenance mode (optional)<\/p>\n\n Prevents information disclosures from failed logins<\/p><\/li>\n<\/ul>\n\n For reference, the similar plugins include:<\/p>\n\n Some plugins provide similar functionality. These overlaps can lead to\nconflicts during program execution. Please read the FAQ!<\/p>\n\n Development of this plugin happens on\nGitHub<\/a>.\nPlease submit\nbug and feature requests<\/a>,\npull requests<\/a>,\nwiki entries<\/a>\nthere.\nReleases are then squashed and pushed to WordPress'\nPlugins SVN repository<\/a>.\nThis division is necessary due having being chastised that \"the Plugins SVN\nrepository is a release system, not a development system.\"<\/p>\n\n Old tickets are in the Plugins Trac<\/a>.<\/p>\n\n Yeah, creating, storing\/remembering, and using a different<\/strong>, strong<\/strong>\npassword for each site you use is a hassle. But it is absolutely\nnecessary.<\/em><\/p>\n\n Password lists get stolen on a regular basis from big name sites (like\nLinkedin for example!). Criminals then have unlimited time to decode the\npasswords. In general, 50% of those passwords are so weak they get figured\nout in a matter of seconds. Plus there are computers on the Internet\ndedicated to pounding the sites with login attempts, hoping to get lucky.<\/p>\n\n Many people use the same password for multiple sites. Once an attacker\nfigures out your password on one site, they'll try it on your accounts at\nother sites. It gets ugly very fast.<\/p>\n\n But don't despair! There are good, free tools that make doing the right\nthing a piece of cake. For example: KeePassX<\/a>,\nKeePass<\/a>,\nor 1Password<\/a><\/p>\n\n You're probably thinking \"There's nothing valuable on my website. No one\nwill bother breaking into it.\" What you need to realize is that attackers\nare going after your visitors. They put stealth code on your website\nthat pushes malware into your readers' browsers.<\/p>\n\n According to SophosLabs more than 30,000 websites are infected\n every day and 80% of those infected sites are legitimate.\n Eighty-five percent of all malware, including viruses, worms,\n spyware, adware and Trojans, comes from the web. Today,\n drive-by downloads have become the top web threat.<\/p>\n \n -- Security Threat Report 2012<\/em><\/a><\/p>\n<\/blockquote>\n\n So if your site does get cracked, not only do you waste hours cleaning up,\nyour reputation gets sullied, security software flags your site as dangerous,\nand worst of all, you've inadvertently helped infect the computers of your\nclients and friends. Oh, and if the attack involves malware, that malware\nhas probably gotten itself into your computer.<\/p>\n\n The following filters allow customizing email subjects and messages. If\neither the \"subject\"or \"message\" filters in a method returns an empty\nstring, the given method will skip calling A thorough set of unit tests are found in the The plugin needs to be installed and activated before running the tests.<\/p>\n\n To execute the tests, Translations can be tested by changing the Please note that the tests make extensive use of database transactions.\nMany tests will be skipped if your This plugin offers the ability to remove all of this plugin's settings\nfrom your database. Go to WordPress' \"Plugins\" admin interface and\nclick the \"Settings\" link for this plugin. In the \"Deactivate\" entry,\nclick the \"Yes, delete the damn data\" button and save the form.<\/p><\/li>\n Use WordPress' \"Plugins\" admin interface to click the \"Deactivate\" link<\/p><\/li>\n Remove the In the event you didn't pick the \"Yes, delete the damn data\" option or\nyou manually deleted the plugin, you can get rid of the settings by running\nthree queries. These queries are exapmles, using the default table name\nprefix of, Password Research<\/p>\n\n Technical Info<\/p>\n\n Password Lists<\/p>\n\n Before installing this plugin, read the FAQ!<\/p><\/li>\n If your WP install is behind a proxy or load balancer, please be aware\nthat this plugin uses the Download the Login Security Solution zip file from WordPress' plugin\nsite: Unzip the file.<\/p><\/li>\n Our existing tests are very effective, catching all of the 2 million\nentries in the Dazzlepod password list. But if you need to block\nspecific passwords that my tests miss, this plugin offers the ability\nto provide your own dictionary files.<\/p>\n\n Add a file to the Please be aware that checking the password files is computationally\nexpensive. The following script runs through each of the password\nfiles and weeds out passwords caught by the other\ntests:<\/p>\n\n If your website has a large number of non-English-speaking users:<\/p>\n\n See if a keyboard sequence file exists in this plugin's\npw_sequences directory for your target languages. The following steps\nare for left-to-right languages. (For right-to-left languages, flip the\ndirection of the motions indicated.)<\/p>\n\n If a translation file for your language does not exist in this\nplugin's The last step of the new password validation process is checking if\nthe password matches an entry in the Upload the Activate the plugin using WordPress' admin interface:<\/p>\n\n Adjust the settings as desired. This plugin's settings page can be\nreached via a sub-menu entry under WordPress' \"Settings\" menu or this\nplugin's entry on WordPress' \"Plugins\" page. Sites using WordPress'\nmultisite network capability will find the \"Settings\" and \"Plugin\"\nmenus under \"My Sites | Network Admin\".<\/p><\/li>\n Run the \"Change All Passwords\" process. This is necessary to ensure\nall of your users have strong passwords. The user interface for\ndoing so is accessible via a link in this plugin's entry on\nWordPress' \"Plugins\" page.<\/p><\/li>\n Ensure your password strength by changing it.<\/p><\/li>\n<\/ol>\n\n Login Security Solution provides hooks<\/a>\nin critical methods, allowing you to add custom behaviors.<\/p>\n\n\n Before installing this plugin, read the FAQ!<\/p><\/li>\n If your WP install is behind a proxy or load balancer, please be aware\nthat this plugin uses the Download the Login Security Solution zip file from WordPress' plugin\nsite: Unzip the file.<\/p><\/li>\n Our existing tests are very effective, catching all of the 2 million\nentries in the Dazzlepod password list. But if you need to block\nspecific passwords that my tests miss, this plugin offers the ability\nto provide your own dictionary files.<\/p>\n\n Add a file to the Please be aware that checking the password files is computationally\nexpensive. The following script runs through each of the password\nfiles and weeds out passwords caught by the other\ntests:<\/p>\n\n If your website has a large number of non-English-speaking users:<\/p>\n\n See if a keyboard sequence file exists in this plugin's\npw_sequences directory for your target languages. The following steps\nare for left-to-right languages. (For right-to-left languages, flip the\ndirection of the motions indicated.)<\/p>\n\n If a translation file for your language does not exist in this\nplugin's The last step of the new password validation process is checking if\nthe password matches an entry in the Upload the Activate the plugin using WordPress' admin interface:<\/p>\n\n Adjust the settings as desired. This plugin's settings page can be\nreached via a sub-menu entry under WordPress' \"Settings\" menu or this\nplugin's entry on WordPress' \"Plugins\" page. Sites using WordPress'\nmultisite network capability will find the \"Settings\" and \"Plugin\"\nmenus under \"My Sites | Network Admin\".<\/p><\/li>\n Run the \"Change All Passwords\" process. This is necessary to ensure\nall of your users have strong passwords. The user interface for\ndoing so is accessible via a link in this plugin's entry on\nWordPress' \"Plugins\" page.<\/p><\/li>\n Ensure your password strength by changing it.<\/p><\/li>\n<\/ol>\n\n Login Security Solution provides hooks<\/a>\nin critical methods, allowing you to add custom behaviors.<\/p><\/dd>\n The WordPress installation process (currently) defaults to having the\nmain administrator's user's name be \"admin.\" Many people don't change it.\nAttackers know this, so now all they need to do to get into such sites is\nguess the password.<\/p>\n\n In addition, if you try to log in while your site is being attacked, this\nplugin will send you through the password reset process in order to verify\nyour identity. While not the end of the world, it's inconvenient.<\/p><\/dd>\n A link to the page is found in this plugin's entry in the \"Plugins\" admin\ninterface:<\/p>\n\n Let's turn the question around: \"How long did it take to get in those 500\nhits?\" Chances are it took hours. (Six hours if they're attacking with one\nthread, 2 hours if they're coming at you with three threads, etc.) If this\nplugin wasn't working, they'd have pulled it off under a minute. Similarly,\nwithout the slowed responses this plugin provides, an attacker given six\nhours against your site could probably get in over 170,000 hits.<\/p>\n\n Anyway, my real question for you is \"Did they get in?\" I'll bet not. The\nstrong passwords this plugin requires from your users lowers the chances of\nsomeone breaking in to just about zero.<\/p>\n\n And even if they do<\/em> get lucky and figure out a password, Login Security\nSolution realizes they're miscreants and kicks them out.<\/p><\/dd>\n If you look at it the right way, Login Security Solution provides lockouts\n(where \"lockout\" means \"denies access\" to attackers.) Below is a comparison\nof the attack handling logic used by Limit Login Attempts and Login Security\nSolution.<\/p>\n\n Limit Login Attempts<\/strong><\/p>\n\n Invalid or Valid Credentials by Attacker or Actual User<\/em><\/p>\n\n Note, this approach means an actual user can be denied access for 12 hours after making 4 mistakes.<\/p>\n\n Login Security Solution<\/strong><\/p>\n\n Invalid Credentials by Attacker or Actual User<\/em><\/p>\n\n Valid Credentials by Attacker<\/em><\/p>\n\n Valid Credentials by Actual User<\/em><\/p>\n\n So both plugins deny access to attackers. But Login Security Solution has\nthe bonuses of letting legitimate users log in and slowing the attacks down.\nPlus LSS monitors user names, passwords, and IP's for attacks, while all of\nthe other plugins just watch the IP address.<\/p><\/dd>\n Yeah, the DOS potential is there. I mitigated it for the most part by\ndisconnecting the database link (the most precious resource in most\nsituations) before sleeping. But remember, distributed denial of service\nattacks are fairly easy to initiate these days. If someone really wants to\nshut down your site, they'll be able to do it without even touching this\nplugin's login failure process.<\/p><\/dd>\n Development of this plugin happens on\nGitHub<\/a>.\nPlease submit\nbug and feature requests<\/a>,\npull requests<\/a>,\nwiki entries<\/a>\non our GitHub.<\/p><\/dd>\nmbstring<\/code> extension is enabled.\nThe tests have caught every password dictionary entry I've tried.<\/p>\n\n\n
dict<\/code> dictionary\nprogram (if available)<\/li>\n<\/ul><\/li>\n\n
\n
\n
Improvements Over Similar WordPress Plugins<\/h4>\n\n
\n
display_errors<\/code>\nis on and error_reporting<\/code> includes E_NOTICE<\/code><\/li>\n\n
Compatibility with Other Plugins<\/h4>\n\n
Translations<\/h4>\n\n
\n
Source Code, Bugs, and Feature Requests<\/h4>\n\n
Strong, Unique Passwords Are Important<\/h4>\n\n
Securing Your WordPress Site is Important<\/h4>\n\n
\n
Actions<\/h3>\n\n
\n
Filters<\/h3>\n\n
wp_mail()<\/code>.<\/p>\n\n\n
Unit Tests<\/h4>\n\n
tests<\/code> directory.<\/p>\n\ncd<\/code> into this plugin's directory and\ncall phpunit tests<\/code><\/p>\n\nWPLANG<\/code> value in wp-config.php<\/code>.<\/p>\n\nwp_options<\/code> and wp_usermeta<\/code> tables\nare not using the InnoDB<\/code> storage engine.<\/p>\n\nRemoval<\/h4>\n\n
\n
login-security-solution<\/code> directory from the server<\/p><\/li>\n<\/ol>\n\nwp_<\/code>. If you have changed your database prefix, adjust the\nqueries accordingly.<\/p>\n\n DROP TABLE wp_login_security_solution_fail;\n\n DELETE FROM wp_options WHERE option_name LIKE 'login-security-solution%';\n\n DELETE FROM wp_usermeta WHERE meta_key LIKE 'login-security-solution%';= Inspiration and References =\n<\/code><\/pre>\n\n\n
\n
\n
\n
To Do<\/h4>\n\n
\n
fail<\/code> table.<\/li>\n<\/ul>\n\n\n\n
REMOTE_ADDR<\/code> provided by the web server\n(as does WordPress' new comment functionality and the Akismet plugin).\nIf you want our brute force tracking to work, we advise adjusting your\n wp-config.php file to manually set the REMOTE_ADDR<\/code> to a data\nsource appropriate for your environment. For example:<\/p>\n\n $_SERVER['REMOTE_ADDR'] = preg_replace('\/^([^,]+).*$\/', '\\1',\n $_SERVER['HTTP_X_FORWARDED_FOR']);\n<\/code><\/pre><\/li>\nhttps:\/\/wordpress.org\/plugins\/login-security-solution\/<\/code><\/p><\/li>\npw_dictionaries<\/code> directory and place those passwords\nin it. One password per line.<\/p>\n\n php utilities\/reduce-dictionary-files.php\n<\/code><\/pre><\/li>\n\n
\n
pw_sequences<\/code>\ndirectory<\/li>\nlanguages<\/code> directory, add one. Read\nhttp:\/\/codex.wordpress.org\/I18n_for_WordPress_Developers for\ndetails. The files must use UTF-8 encoding. Send me the file and\nI'll include it in future releases. See the features request\nsection, below.<\/p><\/li>\n<\/ul><\/li>\ndict<\/code> program. See if dict<\/code>\nis installed on your server and consider installing it if not.\nhttp:\/\/en.wikipedia.org\/wiki\/Dict<\/p><\/li>\nlogin-security-solution<\/code> directory to your\nserver's \/wp-content\/plugins\/<\/code> directory<\/p><\/li>\n\n
Hooks<\/h4>\n\n
\n
\n
REMOTE_ADDR<\/code> provided by the web server\n(as does WordPress' new comment functionality and the Akismet plugin).\nIf you want our brute force tracking to work, we advise adjusting your\n wp-config.php file to manually set the REMOTE_ADDR<\/code> to a data\nsource appropriate for your environment. For example:<\/p>\n\n $_SERVER['REMOTE_ADDR'] = preg_replace('\/^([^,]+).*$\/', '\\1',\n $_SERVER['HTTP_X_FORWARDED_FOR']);\n<\/code><\/pre><\/li>\nhttps:\/\/wordpress.org\/plugins\/login-security-solution\/<\/code><\/p><\/li>\npw_dictionaries<\/code> directory and place those passwords\nin it. One password per line.<\/p>\n\n php utilities\/reduce-dictionary-files.php\n<\/code><\/pre><\/li>\n\n
\n
pw_sequences<\/code>\ndirectory<\/li>\nlanguages<\/code> directory, add one. Read\nhttp:\/\/codex.wordpress.org\/I18n_for_WordPress_Developers for\ndetails. The files must use UTF-8 encoding. Send me the file and\nI'll include it in future releases. See the features request\nsection, below.<\/p><\/li>\n<\/ul><\/li>\ndict<\/code> program. See if dict<\/code>\nis installed on your server and consider installing it if not.\nhttp:\/\/en.wikipedia.org\/wiki\/Dict<\/p><\/li>\nlogin-security-solution<\/code> directory to your\nserver's \/wp-content\/plugins\/<\/code> directory<\/p><\/li>\n\n
Hooks<\/h4>\n\n
\n
\n
\n
\n
\n
\n
\n
\n
\n