Beskrivning
Out of the box, WordPress allows unlimited attempts to log in. This opens up opportunities for attackers to crack passwords simply by trying over and over again. This kind of attack is called brute-force, and Protect Login mitigates this by slowing down the login after a series of subsequent failed attempts.
But we did not stop there. We’re also working on ways to improve the security of your WordPress passwords. Currently, we do this by allowing you to enforce a password policy to make sure your users don’t use weak passwords for their accounts.
Installation
- Upload the plugin files to the
/wp-content/plugins/protect-logindirectory, or install the plugin through the WordPress plugins screen directly. - Activate the plugin through the ’Plugins’ screen in WordPress.
- The default settings will be applied automatically. To change them, navigate to Settings > Protect Login
Vanliga frågor
-
Who are you folks?
-
We’re Thomas and Simon, two WordPress enthusiasts, with the dearing crazy idea to offer a good plugin without asking for your money or attention.
Our initial work on Protect Login was sponsored by group.one.
-
Why did you build this plugin?
-
We care about WordPress and keeping WordPress sites secure. So we decided it was time to take the code of the original Limit Login Attempts plugin and build on top of it.
We did this for you. Protect Login is 100% free and will not bother you with nasty upsells or scare marketing. You have better things to do, don’t you? -
Why not reset failed attempts on a successful login?
-
This is very much by design. Otherwise, you could simply brute force the ”admin” password by logging in as your own user every 4th attempt.
-
How do I know if my site is behind a reverse proxy?
-
If you’re not sure about this, chances are your site is not behind a reverse proxy. However, Protect Login’s settings offer an option to activate proxy mode.
A reverse proxy is a server between the site and the Internet (perhaps handling caching or load-balancing). This makes getting the correct client IP to block slightly more complicated. -
Can I put my IP on an allowlist to avoid getting locked out?
-
Yes, there is an allowlist tab in Protect Login’s settings.
-
I locked myself out while testing this plugin; what do I do?
-
Either wait until your account/IP is unblocked, or if you have FTP or SSH access to the site, rename it ”wp-content/plugins/protect-login” to deactivate the plugin.
-
Do you support IPv6 addresses?
-
Yes, if the webserver passes an IPv6 address to your WordPress installation, the plugin has no problems to handle IPv6 from 1.2.0.
Recensioner
Bidragsgivare och utvecklare
”Protect Login” är programvara med öppen källkod. Följande personer har bidragit till detta tillägg.
Bidragande personer
”Protect Login” har översatts till 1 språk. Tack till översättarna för deras bidrag.
Översätt ”Protect Login” till ditt språk.
Intresserad av programutveckling?
Läs programkoden, kika på SVN-filförvaret eller prenumerera på utvecklarloggen via RSS.
Ändringslogg
1.4.7
- Bugfix: Fixed Bug in at-a-glance widget
1.4.6
- Migration path of password strength rules
- Tested with WordPress 6.8
- Improvement: Added description texts to blocklist, allowlist and blocked-addresses list
- Improvement: Added Copy-to-Clipboard for Remote API settings
- Improvement: One-Click auto-generate for Remote API key
1.4.5
- Bugfix: Error message ”Invalid credentials” was displayed, when wp-login.php ist called directly or hidden by renaming of Admin Login URL
1.4.4
- Bugfix: Fixed issue an invalid login was recognize on logging out from WP
- Bugfix: Fixes issue error message always was ”too many failed login attempts” even when it was the first trial
1.4.3
- Bugfix: Fixed button ”Add IP address to allowlist and release”
- Bugfix: Fixed displaying setting in ”At a glance widget”
1.4.2
- Removed ”Your IP address” on blocklist tab
- Added headlines on allowlist, blocklist and blocked ip addresses
- Removed .github dir
1.4.1
- Bugfix: Fixed issue that prevented ”Add own ip address to allowlist” from working
- Auto re-create WP sessions on activating plugin
- Bugfix: Fixed issue on creating session cookie on multisite
1.4.0
- Automatically clean up the locked-out list a week after IP addresses have been cleared
- Improve the design of empty IP lists
- Add own IP v6 / IPv6 – Address to allowlist
- Check for blocked IP on XML-RPC
- Bugfix: Fixed issues that prevented the plugin from discovering that it runs on a multisite
- Bugfix: Compatibility fixes to PHP 7.4
- Bugfix: Removed ending slashes from Rest API namespaces
1.3.1
- Bugfix: Improved error handling if non-numeric value is stored in wp_options
- Cleanup: Removed leading whitespace in translation file for widget
- Bugfix: Settings visible on multisite if name of the plugin directory is not ”protect-login”
- Bugfix: An error occurred on WP multisites with enabled WP_DEBUG, because of too early load of translation files
- Moved ”settings” sections to admin_init – action
- WP 6.7 compatibility
1.3.0
- Count of currently locked-out address visible in ”At a glance” Widget
- Fixed bug on activation plugin through wp-cli in a multisite environment
- Remote API support
- Improved multisite support
1.2.0
- IPv6 support
- Endpoints for WP-CLI
- Added filter for password strength
- ”Settings” link in plugin overview
- Bugfix: string ”password too short” erroneous appeared in Quick Draft widget, removed.
1.1.1
- Removed unused strings
- Added translator comments
- Restructured some strings for easier translations
1.1.0
- Tested with WordPress 6.6
- Added Multisite Support
- Added filters to set protection levels programmatically
- Fixed issue with timestamps always using UTC
1.0.1
- Fixed minor bugs
1.0
- Initial version
- based on Limit Login Attempts 1.7.1 by Johan Eenfeldt