Login LockDown is a WordPress plugin for protecting against password guessing.

    Hello, dear readers of the blog site! Topic of today's article: protecting your WordPress blog from being hacked by someone guessing the password to the admin panel. This method is called . This problem is very relevant, since cases of unauthorized access to the holy of holies of a blog, namely the WordPress control panel, are, unfortunately, not at all rare.

    In general, the topic of WordPress security is very broad and is not limited only to and, which I have already written about earlier. Much sadder consequences (I don’t even want to imagine) can occur if attackers gain access to the blog admin area. Our task is to do everything possible to prevent this from happening. And today I will tell you only about one of the ways to strengthen the protection of your blog. Meet the WordPress Security Plugin Login LockDown.

    Protecting your WordPress admin from hacking using the Login LockDown plugin

    The easiest way to hack a site is to guess the username and password to enter the control panel. It must be said that many bloggers themselves make the hacker’s job 50% easier by leaving the default login. And then all he has to do is find the password.

    Have you changed your username or do you still have the name admin? If not, do so immediately. My article ““ may help you with this.

    Immediately after installing the engine, be sure to change the password to a more secure one (make it about 20 characters, using upper and lower case letters, numbers and special characters). This can be done directly from the admin panel by going to the “Users” - “Your profile” menu. Enter the new password twice and save the changes by clicking the “Update profile” button. Change your password periodically and do not use it on other sites.

    With such simple actions we will already complicate the task of hackers. But let’s say they turned out to be stubborn and don’t give up trying, using special programs to guess the password. And here the security plugin for WordPress Login LockDown comes to our aid.

    How the Login LockDown plugin works

    The plugin records the exact time and IP address from which an unsuccessful attempt was made to log into the blog admin area. When a certain number of unsuccessful attempts are made over a certain period of time, the plugin blocks access to the site for a specified time. The message is displayed:

    “Error: Sorry, but this IP range has been blocked due to too many failed login attempts. Please try again later.”

    In addition, you will have a list of all blocked IP addresses and the ability to unblock them in the plugin settings. Let's take a closer look at them.

    Installing and configuring the Login LockDown security plugin

    Install and activate the plugin. I described the installation of this plugin in detail, as an example, in the article ““. Therefore, without further ado, let’s get straight to the settings.

    Go to the menu “Options” – “Login LockDown”.

    The figure shows the default settings. You can change them as you wish. Below I will describe what each of the points means and give my comments:

    1. Max Login Retries – the maximum number of attempts to log into the blog admin panel. I think it makes no sense to put more than three.
    2. Retry Time Period Restriction (minutes) – the time period in minutes within which retries are counted. Five minutes is enough to even run to the Canadian border, let alone enter the password.
    3. Lockout Length (minutes) – the time in minutes for which access to the WordPress admin area is blocked. You can leave it at 60 minutes, or you can set it longer.
    4. Lockout Invalid Usernames – should an incorrectly entered login be taken into account? We mark this item and the plugin, in addition to the password, will also take into account an incorrectly spelled name. Extra protection for your blog is never too much.
    5. Mask Login Errors – masking of errors when incorrect data is entered. We mark it, and then the attacker will not know that his actions are under control (he won't notice any difference).
    6. Currently Locked Out – a list of currently blocked IP addresses and the time until unblocking is displayed here. More on this below.

    After making the settings for the Login LockDown security plugin, click the “Update Settings” button for the changes to take effect.

    For clarity, here is what will happen when someone tries to hack the blog with the default settings, as in the figure above. If the password is entered incorrectly more than 3 times within an interval of 5 minutes, access to the admin panel will be blocked for 60 minutes.

    Now let's go back to the list of IP addresses. I don’t know when this might be needed, but you have the opportunity to unblock an IP address that has fallen out of favor. To do this, check this item and click “Release Selected”. This probably makes sense if you are not the only one with access to the blog, for example when several authors or a freelancer must correct something.

    One more detail. If you noticed, in the first screenshot you can see that under the login form in the admin panel a warning is displayed about protection by the Login LockDown plugin. It should appear if you installed the plugin correctly and it is working. But in this case, the meaning of paragraph 5 is lost, because the attacker will be warned about the protection in advance. Let's remove this inscription.

    Go to the menu “Plugins” - “Editor”. Select our security plugin from the drop-down list at the top right and click “Select”. In the file login-lockdown/loginlockdown.php, find this line (see picture below) and delete everything between the quotes. Click “Update file” and go to the login page. The inscription should disappear.

    Please note the warning on the editing page. Before making changes, deactivate the plugin and then enable it again. I hope there is no need to remind you that before any editing of files, you need to make copies of them.

    Now WordPress Login LockDown security plugin will not allow an attacker to gain access to the admin panel by guessing the password. Of course, this does not guarantee 100% protection for WordPress from hacking and other troubles. But each type of blog defense will build a wall in front of the enemy brick by brick. The higher this wall is, the more peacefully you will sleep at night.

    It is important to remember that you need to pay no less attention to blog security issues than to writing unique content and promoting it in search engines. In future articles I will return to this topic more than once. Subscribe to blog updates to always stay up to date. See you soon!

    Good day, dear readers of the blog site, today I have prepared an article in which you will learn how to protect your blog using the Login LockDown plugin, which is part of the group.

    It helps protect a blog or website on the WordPress CMS from attempts to break in by guessing the password to the blog’s administrative panel. For WordPress it is a must!

    Also, in order to complicate the attempts of attackers to hack a blog or website by brute-forcing passwords (by the way, this hacking method is also called a brute force attack), you need to create a strong long password (about 20 characters) to log into the blog admin area.

    To change the password, hover the mouse cursor over the “Users” tab in the left part of the administrative panel and choose “Your profile”. Enter the new password twice and save it by clicking the “Update profile” button.

    It will be much more difficult for an attacker to hack a site with a brute force attack if the account has a complex, long password.

    But what to do if attempts to hack the site do not stop, and how else can you secure the admin area of your blog or site from hacking?

    How the plugin works

    The principle of operation is as follows: Login LockDown records the exact time of the hacking attempt, as well as the IP address from which the attacker attempted to log into the blog admin area.

    If within a certain period of time a set number of unsuccessful login attempts are made (you set it yourself in the plugin) to the blog’s administrative panel, the plugin will display the following message:

    “Error: Sorry, but this IP range has been blocked due to too many failed login attempts. Please try again later.”

    In addition, you will be provided with a list of IP addresses from which unsuccessful hacking attempts were made; you can also unblock them in the settings.

    Setting up and installing Login LockDown

    So, download Login LockDown right here.

    Now let's go directly to the settings:

    To do this, click “Options” -> “Login LockDown” on the left side.

    The screenshot shows an example of the standard settings. I will tell you what each setting item means, and you can change them at your discretion.

    Don't forget to click “Update Settings” so that the changed data is saved.

    Now let's look at what happens when the password is entered incorrectly with the default settings. If the password is entered incorrectly more than three times (entry interval is 5 minutes), then access to the administrative panel for this IP address will be blocked for 60 minutes.

    How to remove the Login LockDown security warning under the blog admin login form?

    Of course, the developer worked hard, created a plugin, and his work should at least somehow be rewarded, but by leaving this inscription, we thereby warn the attacker that the blog is protected by the Login LockDown plugin, and this should not happen.

    To do this, go to “Plugins” -> “Editor” on the left side of the administrative panel, then find the Login LockDown plugin and click the “Choose” button.

    In the file login-lockdown/loginlockdown.php, find the line indicated in the screenshot below and delete everything between the quotes. After this, the inscription will disappear.

    Before editing, do not forget to disable the plugin, and also make a copy of this file, just in case.

    And that’s all for me, I hope this article was useful to you. In any case, now you know another way to protect your blog.

    Best regards, Alexander Sergienko

    Today WordPress is the most popular content management system. And it’s clear why: ease of use and configuration, many plugins, free. But at the same time it gets a lot of attention from attackers. Sites on WordPress very often become a target for attacks. The reasons for website hacking differ, or rather the reason is always the same, money, and only the approaches differ. One of the ways to hack a site, including one on WordPress, is brute force: trying to gain access to the site by guessing the username and password.

    All WordPress users know that the login to the site’s admin panel is located at site.com/wp-login.php or site.com/wp-admin, from which you will still be redirected to the first one. Attackers know this too. Therefore, if you are irresponsible about protecting the admin panel, the likelihood of your site being hacked increases significantly. How can you keep those who have no business there out of the admin panel?

    The first, and most trivial, but no less important, is choosing a strong password and changing the standard login.

    The second is installing special plugins to protect the admin panel.

    The third is setting up redirects and editing WordPress files manually.

    In addition, most hosting providers now offer admin panel protection on their side.

    In this article I want to talk about the Login Lockdown plugin, which will help protect the administrative panel of your WordPress site from password guessing.

    What is the principle of the plugin? When someone tries to get into your admin area and incorrectly enters data, login or password, a certain number of times over a certain period of time, Login LockDown blocks the IP address from which the access attempt occurred for a certain amount of time.

    Installing the plugin

    You can install the plugin through the built-in WordPress manager. To do this, in the control panel you need to go to Plugins->Add new.

    Enter the name of the plugin in the search field.

    Select the plugin from the search results and click install.

    After installing Login LockDown, you need to activate it immediately.

    Now you can proceed to setting up the extension.

    Let's go to Settings->Login LockDown

    The plugin doesn't have many settings. Let's go through them briefly.

    • Max Login Retries – maximum number of attempts. The default is 3, which means that after three unsuccessful login attempts, access from this IP will be blocked.
    • Retry Time Period Restriction (minutes) – the period of time in minutes over which unsuccessful login attempts are counted. The default is 5. That is, if the wrong password is entered 3 times within five minutes, access will be blocked.
    • Lockout Length (minutes) – the period of time for which a suspicious IP is blocked. Default 60 min.
    • Lockout Invalid Usernames? – should an incorrect login be counted? Disabled by default. If the function is disabled, the plugin does not count the entry of an incorrect login. That is, theoretically, if an attacker knows the password for the admin panel, then he will be able to guess the login as many times as he wants.
    • Mask Login Errors? – mask login errors? Disabled by default. If the function is disabled, then when you enter incorrect data, a message appears notifying you what exactly was entered incorrectly: login or password. When the function is enabled, the message will not specify where exactly the error was made.
    • Show Credit Link? – show a link to Login LockDown. Choose from: show a link to the plugin website, show a link but with a nofollow tag, or not show a link.
    • Currently Locked Out – list of blocked IPs and time until unblocking. Here you can unblock your IP.

    This is what Login LockDown is. After changing the settings, save them and now your blog will be a little more secure.

    One of the first steps in setting up the security of your WordPress site should be securing the admin panel login. The popular Login LockDown plugin will help us with this: it helps protect you from password brute-forcing and from logins by malicious bots.

    In order to get started with Login LockDown you need to first. After installation, go to the menu item Settings/Login LockDown and start working with the plugin. But first, let's look at the functionality.

    Description of how Login LockDown works

    Login LockDown remembers the IP address and flags each failed login attempt. If a number of login attempts greater than a certain number specified in the settings are detected within a short period of time from the same IP range, then the Login function is disabled for all requests from this range. This helps prevent malicious programs and people from brute-forcing your passwords. The plugin currently sets the default IP block for 1 hour after 3 failed login attempts within 5 minutes. This can be changed from the plugin settings panel. You can also release a blocked IP range manually.

    By going to the Login LockDown plugin settings menu, the following adjustment forms will become available to us.

    In the first field of the form, we need to indicate the maximum number of unsuccessful login attempts, after which IP blocking will be enabled; this field must have a non-zero value, otherwise the blocking will not work.

    In the next field, we need to indicate the acceptable frequency of entering incorrect data. By default, the time is set to one minute, that is, by keeping an interval of one minute between attempts, you can bypass the blocking.

    The next step in configuring Login LockDown is to enable blocking when an incorrect login is entered. If Yes is active, blocking will not be enabled.

    WordPress notifies the user if certain parameters are entered incorrectly, which can speed up hacking, so it is recommended to disable these prompts by setting the parameter to “Yes”.

    By default, the Login LockDown plugin shows users a link to the plugin, so that others can also secure their sites. I recommend disabling this function by setting the parameter as shown in the picture.

    After entering all the Login LockDown settings, click the Save Changes button. This completes the plugin setup.

    In order to remove IP blocking manually, you need to use a special form, which is located at the very bottom of the settings.

    If such IP addresses have been blocked, then you will need to remove them from the list.

    Using this simple plugin, you can significantly reduce the risk of your site being hacked through WordPress authentication, which is one of the most popular hacking methods.

    02/27/2017 Romchik

    Good day. In this article we will look at one of the issues of protecting a website on WordPress, or more precisely protecting the WordPress admin area. To be more precise, let’s look at a plugin that allows you to limit the number of attempts to log into the WordPress admin area. We will install and configure the WordPress Login LockDown plugin.

    First, you need to download and install the Login LockDown plugin from the official website. Installing this plugin is not difficult, so we won’t dwell on it.

    Let's take a closer look at the setting.

    Plugin Features – Login LockDown

    The plugin allows you to block an IP address for a while if there have been several unsuccessful login attempts over a certain period of time. What is this for? This is normal protection against brute force (username and password guessing). Here is a real-life example from my blog, a screenshot from the access.log file:

    As you can see, a user with IP address 124.104.31.203 is trying to do something on the login page. And he tried to guess the login and password. After several attempts, his IP address was blocked.
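
    The same check can be run over access.log by script; the following is an added example, not code from the article or from the plugin, that replays the default policy (3 failures in 5 minutes, 60-minute block) per IP address and also lists addresses that keep failing too slowly to trip it. The log lines are constructed, the function names are hypothetical, and it assumes a failed login is a POST to /wp-login.php answered with 200 while a successful one is redirected with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges), not taken from the article's log.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Feb/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [27/Feb/2017:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [27/Feb/2017:10:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.9 - - [27/Feb/2017:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.9 - - [27/Feb/2017:10:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.9 - - [27/Feb/2017:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.9 - - [27/Feb/2017:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
192.0.2.44 - - [27/Feb/2017:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
192.0.2.44 - - [27/Feb/2017:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /wp-login\.php[^"]*" (?P<status>\d{3}) ')

def failed_logins(log_text):
    """Yield (ip, time) for every failed login found in the log text.
    Assumption: status 200 = login form shown again (failure), 302 = success."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status") == "200":
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group("ip"), ts

def analyse(log_text, max_retries=3, retry_minutes=5,
            lockout_minutes=60, slow_total=4):
    """Return (locked_until, slow): lockouts the policy would impose per IP,
    and IPs with at least slow_total failures that never tripped it.
    Assumption: tracking is per single IP; the plugin itself speaks of IP ranges."""
    window = timedelta(minutes=retry_minutes)
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    totals = defaultdict(int)     # ip -> all failures seen in the log
    locked_until = {}             # ip -> time the lockout ends
    for ip, ts in sorted(failed_logins(log_text), key=lambda e: e[1]):
        totals[ip] += 1
        if ip in locked_until and ts < locked_until[ip]:
            continue              # already blocked, nothing new to count
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget failures older than the retry period
        if len(q) >= max_retries:
            locked_until[ip] = ts + timedelta(minutes=lockout_minutes)
            q.clear()
    slow = sorted(ip for ip, n in totals.items()
                  if n >= slow_total and ip not in locked_until)
    return locked_until, slow

if __name__ == "__main__":
    locked, slow = analyse(SAMPLE_LOG)
    for ip, until in locked.items():
        print(f"{ip} locked out until {until.isoformat()}")
    print("repeated failures below the threshold:", slow)
```

    Addresses in the second list never appear under “Currently Locked Out”, so they are only visible in the log.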

    Plugin setup – Login LockDown

    Go to Settings -> Login LockDown and get to the plugin settings page.

    In the first field we indicate the maximum number of incorrect attempts.

    In the second field we indicate during what period attempts are taken into account (indicate in minutes)

    In the third field we indicate the period in minutes for which we will block the user.

    After all the settings, click “Update Settings”

    The settings for the Login LockDown plugin, which is used to protect WordPress, are complete.

    But, if you noticed, there is another “Activity” tab, which displays blocked IP addresses.

    Conclusion

    We have configured the Login LockDown plugin, which allows you to protect your WordPress website from brute force attacks.

    In order not to miss the release of new articles, subscribe.