Login Security Solution

Wordpress Plugin
Download latest - 0.30.0



Download Stats

Today 18
Yesterday 18
Last Week 162
All Time 272,010

A simple way to lock down login security for multisite and regular WordPress installations.

  • Blocks brute force and dictionary attacks without inconveniencing legitimate users or administrators

    • Tracks IP addresses, usernames, and passwords
    • Monitors logins made by form submissions and auth cookies
    • If a login failure uses data matching a past failure, the plugin slows down response times. The more failures, the longer the delay. This limits attackers ability to effectively probe your site, so they'll give up and go find an easier target.
    • If an account seems breached, the "user" is immediately logged out and forced to use WordPress' password reset utility. This prevents any damage from being done and verifies the user's identity. But if the user is coming in from an IP address they have used in the past, an email is sent to the user making sure it was them logging in. All without intervention by an administrator.
    • Can notify the administrator of attacks and breaches
    • Supports IPv6
  • Thoroughly examines and enforces password strength. Includes full UTF-8 character set support if PHP's mbstring extension is enabled. The tests have caught every password dictionary entry I've tried.

    • Minimum length (customizable)
    • Doesn't match blog info
    • Doesn't match user data
    • Must either have numbers, punctuation, upper and lower case characters or be very long. Note: alphabets with only one case (e.g. Arabic, Hebrew, etc.) are automatically exempted from the upper/lower case requirement.
    • Non-sequential codepoints
    • Non-sequential keystrokes (custom sequence files can be added)
    • Not in the password dictionary files you've provided (if any)
    • Decodes "leet" speak
    • The password/phrase is not found by the dict dictionary program (if available)
  • Password aging (optional) (not recommended)

    • Users need to change password every x days (customizable)
    • Grace period for picking a new password (customizable)
    • Remembers old passwords (quantity is customizable)
  • Administrators can require all users to change their passwords

    • Done via a flag in each user's database entry
    • No mail is sent, keeping your server off of spam lists
  • Logs out idle sessions (optional) (idle time is customizable)

  • Maintenance mode (optional)

    • Publicly viewable content remains visible
    • Disables logins by all users, except administrators
    • Logs out existing sessions, except administrators
    • Disables posting of comments
    • Useful for maintenance or emergency reasons
    • This is separate from WordPress' maintenance mode
  • Prevents information disclosures from failed logins

Improvements Over Similar WordPress Plugins

  • Multisite network support
  • Monitors authentication cookies for bad user names and hashes
  • Adjusts WordPress' password policy user interfaces
  • Takes security seriously so the plugin itself does not open your site to SQL, HTML, or header injection vulnerabilities
  • Notice-free code means no information disclosures if display_errors is on and error_reporting includes E_NOTICE
  • Only loads files, actions, and filters needed for enabled options and the page's context
  • Provides an option to have deactivation remove all of this plugin's data from the database
  • Uses WordPress' features rather than fighting or overriding them
  • No advertising, promotions, or beacons
  • Proper internationalization support
  • Clean, documented code
  • Unit tests covering 100% of the main class
  • Internationalized unit tests

For reference, the similar plugins include:

  • Better WP Security
  • Limit Login Attempts
  • Login Lock
  • Login LockDown
  • PMC Lockdown
  • Simple Login Lockdown

Compatibility with Other Plugins

Some plugins provide similar functionality. These overlaps can lead to conflicts during program execution. Please read the FAQ!


  • Franais, franais (French, France) (fr_FR) by mermouy
  • Portugus, Brasil (Portugese, Brazil) (pt_BR) by Valdir Trombini

Why Strong, Unique Passwords Are Important

Yeah, creating, storing/remembering, and using a different, strong password for each site you use is a hassle. But it is absolutely necessary.

Password lists get stolen on a regular basis from big name sites (like Linkedin for example!). Criminals then have unlimited time to decode the passwords. In general, 50% of those passwords are so weak they get figured out in a matter of seconds. Plus there are computers on the Internet dedicated to pounding the sites with login attempts, hoping to get lucky.

Many people use the same password for multiple sites. Once an attacker figures out your password on one site, they'll try it on your accounts at other sites. It gets ugly very fast.

But don't despair! There are good, free tools that make doing the right thing a piece of cake. For example: KeePassX, KeePass, or 1Password

Securing Your WordPress Site is Important

You're probably thinking "There's nothing valuable on my website. No one will bother breaking into it." What you need to realize is that attackers are going after your visitors. They put stealth code on your website that pushes malware into your readers' browsers.

According to SophosLabs more than 30,000 websites are infected every day and 80% of those infected sites are legitimate. Eighty-five percent of all malware, including viruses, worms, spyware, adware and Trojans, comes from the web. Today, drive-by downloads have become the top web threat.

-- Security Threat Report 2012

So if your site does get cracked, not only do you waste hours cleaning up, your reputation gets sullied, security software flags your site as dangerous, and worst of all, you've inadvertently helped infect the computers of your clients and friends. Oh, and if the attack involves malware, that malware has probably gotten itself into your computer.

Releases (35 )

Version Release Date Change Log
0.30.0 2012-09-17

(2012-09-17) = * Translate "Confirm" and "No thanks" phrases on the settings screen. * Adjust readme to indicate that development has moved to GitHub.

0.29.0 2012-09-17

(2012-09-17) = * Adjust formatting of the CREATE TABLE statement in activate() to prevent WordPress' dbDelta() from creating duplicate keys each time the plugin is activated.

0.28.1 2012-09-15

(2012-09-15) = * Update .mo translation files.

0.28.0 2012-09-15

(2012-09-15) = * Remove loophole: slow down successful logins as well (for non-verified IP addresses). Keeps attackers from using timeouts to skip our delayed responses to failed login attempts. * Reduce false positives for breach notifications and password resets: - Allow users through without incident if the user's Network IP failure count is less than the "Breach Email Confirm" setting. The old behavior was to do so only if the Network IP failure count was 0. - Add user's current IP to their verified IP list whenever they save their profile page, not just when they change their password. - Fix when user notifications are sent. Do so if the IP address is NOT verified instead of if the IP address IS verified. Duh. - Don't notify administrators of a successful login if the user is coming in from a verified IP address. - Change subject line of user notification emails to differentiate them from emails sent to admins. - Reword user notification email and have it explain how to reduce future hassles. * Remove URIs from user notification email to avoid phishing imitations. * Add pt_BR translation. Thanks to Valdir Trombini. * Put plugin version number in admin notification emails. * Update the fr_FR translation: update password policy, add settings page. * Put Unicode flag on the two preg calls that didn't have it. Fixes password parsing problem on Windows. * Add date to log() messages. * Unit tests pass using PHP 5.4.5-dev, 5.3.16-dev, and 5.2.18-dev. * Tested under WordPress 3.4.2 using regular and multisite. * Also tested on Windows 7 using PHP 5.4.5 and WordPress 3.4.1.

0.27.0 2012-09-04
  • Remove the password policy explanation link added in 0.26.0.
0.26.0 2012-09-01
  • Put a link in the password policy to an explanation of why it's necessary.
0.25.0 2012-08-29
  • Load text domain for password policy on password reset page.
  • Have password policy mention that it can't contain words related to the user or the website.
0.24.0 2012-08-29
  • Keep the password strength indicator from being enabled.
  • Narrow down when the password policy text filter is enabled.
0.23.0 2012-08-24
  • Split user and site info into components before comparing them.
  • Increase minimum password length to 10 characters.
0.22.0 2012-08-17
  • Track a given IP, user name, password combination only once.
  • Prevent "not a valid MySQL-Link resource" on auth cookie failure.
  • Increase default value of login_fail_notify from 20 to 50.
  • Add partial French translation. Settings page needs doing. Thanks mermouy!
0.21.0 2012-08-07
  • Fix is_pw_outside_ascii() to permit spaces.
  • In multisite mode, send notifications to network admin, not blog admin.
  • Add "Notifiations To" setting for admins to specify the email addresses the failure and breach notifications get sent to. (Request #1560)
  • Clarify that the Change All Passwords link just goes to the UI.
  • Get all unit tests to pass when mbstring isn't enabled.
  • Internationalize the unit tests.
  • Rename admin.inc to admin.php.
  • Rename temporary files holding actual test results. (Bug #1552 redux)
  • Unit tests pass using PHP 5.4.5-dev, 5.3.16-dev, and 5.2.18-dev.
  • Tested under WordPress 3.4.1 using regular and multisite.
  • Also tested on Windows 7 using PHP 5.4.5 and WordPress 3.4.1.
0.20.2 2012-07-12
  • Ugh, update the translation pot file.
0.20.1 2012-07-12
  • Add "numbers" to the password policy text.
0.20.0 2012-07-12
  • Replace WP's password policy text with our own.
0.19.0 2012-07-11
  • Remove inadvertent log call added in 0.17.0.
0.18.0 2012-07-11
  • Keep legit user from having to repeatedly reset pw during active attacks against their user name.
0.17.0 2012-07-09
  • Fix network IP query in get_login_fail(). (Bug #1553, deanmarktaylor)
  • Rename files holding expected test results. (Bug #1552, deanmarktaylor)
0.16.0 2012-07-08
  • Have shell script gracefully handle value already being the desired value.
0.15.0 2012-07-06
  • Log auth cookie failures too.
  • Clean up sleep logic. (Bug #1549, deanmarktaylor)
0.14.0 2012-07-05
  • Fix emails being mistakenly sent in multisite mode that say "There have been at least 0 failed attempts to log in". (Bug #1548, deanmarktaylor)
  • Add an .htaccess file that blocks access to this plugin's directory.
0.13.0 2012-07-01
  • Add a script for turning our "Disable Logins" feature on and off from the command line.
0.12.0 2012-06-30
  • Display a notice on top of admin pages when our maintenance mode is enabled.
0.11.0 2012-06-28
  • Use POST value for $user_name in login_errors() because global value isn't always set.
  • Add some more (commented out) log() calls to help users help me help them.
0.10.0 2012-06-16
  • Catch $user_ID not being set during "Change All Passwords" submission.
  • Add (commented out) log() calls in important spots. Enables users to help me help them.
0.9.0 2012-06-16
  • Fix change that prevented users from logging in after using the password reset process with an insecure password. Users can now pick a better password right on the spot.
  • Regenerate translation POT file.
  • Tested under WordPress 3.3.2 and 3.4RC3, both using regular and multisite.
  • Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.
0.8.0 2012-04-29
  • Fix logging user out a second time after WordPress expires cookies.
  • It turns out this plugin requires WordPress 3.3, not 3.0.
  • Tested under WordPress 3.3.2 regular and 3.4beta2 multisite.
  • Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.
0.7.0 2012-04-25
  • The "lost your password" process now validates passwords.
  • Tested under WordPress 3.3.1 regular and 3.4beta2 multisite.
  • Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.
0.6.1 2012-04-19
  • Minor wording adjustments.
0.6.0 2012-04-18
  • Use ENT_QUOTES instead of ENT_COMPAT in htmlspecialchars() calls because WordPress mixes and matches the double and single quotes to delimit attributes.
  • Tested under WordPress 3.3.1 regular and 3.4beta2 multisite.
  • Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.
0.5.0 2012-04-18
  • Have multisite network mode use the saved options instead of the defaults.
  • Close more HTML injection vectors. (One would think WordPress' built in functions would already do this. Alas...)
  • Get the success/error messages to work when saving settings via the Network Admin page.
  • Improve unit tests by ensuring the fail table uses InnoDB.
  • Tested under WordPress 3.3.1 regular and 3.4beta2 multisite.
  • Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.
0.4.0 2012-04-17
  • Add multisite network support.
  • Keep unit tests from deleting settings. Note: removes the ability to run the unit tests without activating the plugin.
0.3.0 2012-04-04
  • Use UTF-8 encoding for htmlspecialchars() instead of DB_CHARSET.
  • Tested under WordPress 3.3.1.
  • Unit tests pass using PHP 5.4.0RC8-dev, 5.3.11-dev, and 5.2.18-dev.
0.2.1 2012-04-03
  • Ensure all files are in the state I intended. Needed because WordPress' plugin site automatically rolls releases.
0.1.0 2012-03-27
  • Beta release.
0.0.4 2012-03-22
  • Initial import to plugins.svn.wordpress.org.