Description
Limit Login Attempts Reloaded functions as a robust deterrent against brute force attacks, bolstering your website’s security measures and optimizing its performance. It achieves this by restricting the number of login attempts allowed. This applies not only to the standard login method, but also to XMLRPC, WooCommerce, and custom login pages. With more than 2.5 million active users, this plugin fulfills all your login security requirements.
The plugin functions by automatically preventing further attempts from a particular Internet Protocol (IP) address and/or username once a predetermined limit of retries has been surpassed. This significantly weakens the effectiveness of brute force attacks on your website.
By default, WordPress permits an unlimited number of login attempts, which leaves passwords open to being guessed through brute force methods.
Limit Login Attempts Reloaded Premium (Try For 7 Days)
Upgrade to our premium version to extend cloud-based protection to the Limit Login Attempts Reloaded plugin, thereby enhancing your login security. The premium version includes a range of highly beneficial features, including IP intelligence to detect, counter and deny malicious login attempts. Your failed login attempts will be safely neutralized in the cloud so your website can function at its optimal performance during an attack. Activate the premium version now to fortify your login security using the most trusted login security plugin available!
Features (Free Version):
- Limit Logins – Limit the number of retry attempts when logging in (per each IP).
- Configurable Lockout Timings – Modify the amount of time a user or IP must wait after a lockout.
- Remaining Tries – Informs the user about the remaining retries or lockout time on the login page.
- Lockout Email Notifications – Informs the admin via email of lockouts.
- Denied Attempt Logs – View a log of all denied attempts and lockouts.
- IP & Username Safelist/Denylist – Control access to usernames and IPs.
- Sucuri compatibility.
- Wordfence compatibility.
- Ultimate Member compatibility.
- XMLRPC gateway protection.
- WooCommerce login page protection.
- Multi-site compatibility with extra MU settings.
- GDPR compliant.
- Custom IP origins support (Cloudflare, Sucuri, etc.).
Features (Premium Version):
- Performance Optimizer – Offload the burden of excessive failed logins from your server to protect your server resources, resulting in improved speed and efficiency of your website.
- Enhanced IP Intelligence – Identify repetitive and suspicious login attempts to detect potential brute force attacks. IPs with known malicious activity are stored and used to help prevent and counter future attacks.
- Enhanced Throttling – Longer lockout intervals each time a malicious IP or username tries to login unsuccessfully.
- Deny By Country – Deny IPs by country.
- Auto IP Denylist – Automatically add IP addresses to your active cloud deny list that repeatedly fail login attempts.
- Global Denylist Protection – Utilize our active cloud IP data from thousands of websites in the LLAR network.
- Synchronized Lockouts – Lockout IP data can be shared between multiple domains for enhanced protection in your network.
- Synchronized Safelist/Denylist – Safelist/Denylist IP and username data can be shared between multiple domains.
- Premium Support – Email support with a security tech.
- Auto Backups of All IP Data – Store your active IP data in the cloud.
- Enhanced lockout logs – Gain valuable insights into the origins of IPs that are attempting logins.
- CSV Download of IP Data – Download IP data directly from the cloud.
- Supports IPV6 Ranges For Safelist/Denylist
- Unlock The Locked Admin – Easily unlock the locked admin through the cloud.
*Some features require higher level plans. Please view our pricing for a full list of plans and features.
Upgrading from the old Limit Login Attempts plugin?
- Go to the Plugins section in your site’s backend.
- Remove the “Limit Login Attempts” plugin.
- Install the “Limit Login Attempts Reloaded” plugin.
All your settings will be kept intact!
Many languages are already included in Limit Login Attempts Reloaded, but we welcome more.
Help us bring Limit Login Attempts Reloaded to even more countries.
Translations: Bulgarian, Portuguese (Brazil), Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish
The plugin uses standard actions and filters only.
Based on the original code from the “Limit Login Attempts” plugin by Johan Eenfeldt.
Branding Guidelines
Limit Login Attempts Reloaded™ is a trademark of Atlantic Silicon Inc. When writing about the plugin, please make sure to use Reloaded after Limit Login Attempts. Limit Login Attempts is the old plugin.
- Limit Login Attempts Reloaded (correct)
- Limit Login Attempts (incorrect)
FAQ
What do I do if all users get blocked?
If you are using contemporary hosting, it’s likely your site uses a proxy domain service like Cloudflare, Sucuri, Nginx, etc. They replace your user’s IP address with their own. If your server is not configured properly, all users will get the same IP address. This also applies to bots and hackers. Therefore, locking one user will lead to locking everybody else out. In the free version of the plugin, this can be adjusted using the Trusted IP Origin setting. In the premium version, the cloud service intelligently recognizes the non-standard IP origins and handles them correctly, even if your hosting provider does not.
How do I know if I’m under attack?
An easy way to check if the attack is legitimate is to copy the IP address from the lockout notification, and go to https://whatismyipaddress.com/ip-lookup. Enter in the IP address to see if you recognize the location. If the location is not somewhere you recognize and you have received several failed login attempts, then you are likely being attacked. You might notice dozens or hundreds of IPs each day.
-
After you upgrade to our premium version, you will see a new dashboard in your WordPress admin that shows all attacks that will now relay through our cloud service.
You will still see the attacks because they will never stop, regardless of whether you upgrade, but now our cloud service will safely process and neutralize them without taking resources from your site. This is very important and positively impacts your site’s stability and performance.
In some cases, you may notice an increase in speed and efficiency with your website, as well as a reduction in lockout notifications via email.
Could these failed login attempts be fake?
Some users feel that it’s impossible to receive so many failed login attempts, especially since their site was just created or they have minimal human traffic. Let us be clear that these failed login attempts are NOT generated by the plugin. New websites are often hosted on a shared IP address, which makes it very easy for hackers to find. Also, new domain names are often crawled once they are created, so as soon as a WordPress website is built on it, it’s vulnerable to attacks. New websites are often the best target since security is not top of mind for site owners.
What happens if my site exceeds the request limits in the plan?
The premium plan’s resource limits start from 100,000 requests per month, which should accommodate almost any heavy brute-force attack. We monitor all of our sites and will alert the user if it appears they are going over their limits. If limits are reached, we will suggest that the user upgrade to the next plan. If you are using the free version, the load caused by brute force attacks will be absorbed by your current hosting bandwidth, which could cause your hosting costs to increase.
What URLs are being attacked and protected?
The URLs being protected are your login page (wp-login.php, wp-admin), xmlrpc.php, WooCommerce login page, and any custom login page you have that uses regular WordPress login hooks.
Why is LLAR more popular than other brute-force protection plugins?
Our main focus is protecting your site from brute-force attacks. This allows our plugin to be very lean and effective. It doesn’t require a lot of your web hosting resources and keeps your site well-protected. More importantly, it does all of this automatically as our service learns on its own about each IP it encounters. In contrast, a firewall would require manual addition or removal of IPs. We’ve published an article about it here.
What to do when an admin gets blocked?
Open the site from another IP. You can do this from your cell phone, or using Opera browser and enabling free VPN there. You can also try turning off your router for a few minutes and then see if you get a different IP address. These will work if your hosting server is configured correctly. If that doesn’t work, connect to the site using FTP or your hosting control panel file manager. Navigate to wp-content/plugins/ and rename the limit-login-attempts-reloaded folder. Log in to the site then rename that folder back and whitelist your IP. By upgrading to our premium app, you will have the unlocking functionality right from the cloud so you’ll never have to deal with this issue.
What settings should I use in the plugin?
The settings are explained within the plugin in great detail. If you are unsure, use the default settings as they are the recommended ones.
-
By default, you will need to copy and paste the lists to each site manually. For the premium service, sites are grouped within the same private cloud account. Each site within that group can be configured if it shares its lockouts and access lists with other group members. The setting is located in the plugin’s interface. The default options are recommended.
Contributors & Developers
“Limit Login Attempts Reloaded” is open source software.
“Limit Login Attempts Reloaded” has been translated into 34 languages. Thank you to the translators for their contributions.
Changelog
2.25.25
- PHP 8.2/9 compatibility improved, thanks to Jer Turowetz!
- Button size and text typo fixed.
2.25.24
- Better loading of translations.
- Fixed PHP warning related to menu.
2.25.23
- Better side menu.
- Fixed I18N issues, thanks to alexclassroom!
2.25.22
- Interface changes.
- Tested with WP 6.3.
2.25.21
- Optimization: autoload for large options turned off.
- Interface changes.
2.25.20
- Fix against network requests caching removed b/c some misconfigured servers can’t handle it.
2.25.19
- Better handling of network connection issues.
- Fixed responsive formatting on dashboard.
- Added fix against network requests caching.
2.25.18
- Fixed errors occurring in situations where two versions of the plugin are installed (which should not normally happen).
2.25.17
- Refactoring.
- Server load reducing optimization.
2.25.16
- Double slashes in paths removed.
- Better handling of cloud response codes.
2.25.15
- Error messages logic fixed.
2.25.14
- Multisite support improved.
- CSS outside of the plugin issue fixed.
- Better number formatting on the dashboard.
- Lockout email template updated.
2.25.13
- Ultimate Member compatibility.
- Fixed conflicting URL parameters in some rare cases.
- Updated attempts counter logic.
2.25.12
- Fixed IPv4 validation when passed with a port number.
- Fixed texts and translations.
2.25.11
- PHP 8 compatibility fixed.
- Logs loading issue fixed.
- Help and Extensions tabs added.
- Notification about auto updates added.
- Displaying of plugin version added.
- Text changes made.
2.25.10
- Tested with PHP 8.
- Small styles refactoring.
- Fixed a rare issue with events log not being displayed correctly.
- Chart library updated.
2.25.9
- Welcome page replaced with a modal.
2.25.8
- Email text, links updated.
2.25.7
- Country flags added to log.
- Refresh button added to log.
- Email text updated.
2.25.6
- Email links updated.
2.25.5
- Fixed Woocommerce integration.
- Updated some interface links.
2.25.4
- Fixed session error in rare cases.
- Access rules explained.
- Improved session behavior on the login page.
- Fixed warning on some GoDaddy installations.
2.25.3
- Improved compatibility with WordFence.
- Better handling of HTTP_X_FORWARDED_FOR on Debug tab.
- Added option to hide warning badge.
2.25.2
- Security indicator fixed for multisite.
2.25.1
- Added setting to turn the dashboard widget off.
- The widget is visible to admins only.
2.25.0
- Dashboard widget added.
- Security indicator added.
2.24.1
- Fixed E_ERROR occurring in rare cases when the log table is corrupted.
2.24.0
- Protection increased: bots can’t parse lockout messages anymore.
2.23.2
- Cloud: better unlock UX.
- Little cleanup.
2.23.1
- Added infinite scroll for cloud logs.
2.23.0
- Reduced plugin size by removing obsolete translations.
- Cleaned up the dashboard.
- Cloud: added information about auto/manually-blocked IPs.
- GDPR: added an option to insert a link to a Privacy Policy page via a shortcode, clarified GDPR compliance.
2.22.1
- IP added to the email subject.
2.22.0
- Added support of CIDR notation for specifying IP ranges.
- Texts updated.
- Refactoring.
2.21.1
- Fixed: Uncaught Error: Call to a member function stats()
- Cloud API: added block by country.
- Refactoring.
2.21.0
- GDPR compliance: IPs obfuscation replaced with a customizable consent message on the login page.
- Cloud API: fixed removing of blocked IPs from the access lists under certain conditions.
- Cloud API: domain for Setup Code is taken from the WordPress settings now.
2.20.6
- Multisite tab links fixed.
2.20.5
- Option to show and hide the top-level menu item.
2.20.4
- Sucuri compatibility verified.
- Wordfence compatibility verified.
- Better menu navigation.
- Timezones fixed for the global chart.
2.20.3
- More clear wording.
- Cloud API: fixed double submit in the settings form.
- Better displaying of stats.
2.20.2
- Updated email text.
2.20.1
- New dashboard more clear stats.
2.20.0
- New dashboard with simple stats.
2.19.2
- Texts and links updated.
2.19.1
- Welcome page.
- Image and text updates.
2.19.0
- Refactoring.
- Feedback message location fixed.
- Text changes.
2.18.0
- Cloud API: usage chart added.
- Text changes.
2.17.4
- Missing jQuery images added.
- PHP 5 compatibility fixed.
- Custom App setup link replaced with setup code.
2.17.3
- Plugin pages message.
2.17.2
- Lockout notification refactored.
2.17.1
- CSS cache issue fixed.
- Notification text updated.
2.17.0
- Refactoring.
- Email text and notification updated.
- New links in the list of plugins.
2.16.0
- Custom Apps functionality implemented. More details: https://limitloginattempts.com/app/
2.15.2
- Alternative method of closing the feedback message.
2.15.1
- Refactoring.
2.15.0
- The password reset feature has been removed as unused.
- Small refactoring.
2.14.0
- BuddyPress login error compatibility implemented.
- UltimateMember compatibility implemented.
- A PHP warning fixed.
2.13.0
- Fixed incompatibility with PHP < 5.6.
- Settings page layout refactored.
2.12.3
- The feedback message is now shown to admins only, and it can also be closed if the site has issues with AJAX.
2.12.2
- Fixed the feedback message not being shown, again.
2.12.1
- Fixed the feedback message not being shown.
2.12.0
- Small refactoring.
- get_message() – error messages fixed.
- This is the first time we are asking for feedback.
2.11.0
- Usernames on the denylist can no longer be registered.
2.10.1
- Fixed: the GDPR compliance option could not be selected on multisite installations.
2.10.0
- Debug information has been added for better support.
2.9.0
- Trusted IP origins option has been added.
2.8.1
- Extra lockout options are back.
2.8.0
- The plugin no longer trusts any IP address other than $_SERVER["REMOTE_ADDR"]. Trusting other IP origins makes the protection useless because they can easily be faked. This new version provides a way of securely unlocking IP addresses for sites that use a reverse proxy together with misconfigured servers that populate $_SERVER["REMOTE_ADDR"] with wrong IPs, which leads to mass blocking of users.
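The proxy problem from the FAQ ("What do I do if all users get blocked?") and the 2.8.0 change above come down to one rule: use a forwarded header only when the connection really comes from your own proxy. The following PHP sketch of that rule is an added example, not the plugin's own code; the function names and the 198.51.100.0/24 proxy range are assumptions for illustration.

```php
<?php
// Added example. Function names and the sample proxy range are assumptions.

// "203.0.113.7:51234" -> "203.0.113.7"; "[2001:db8::1]:443" -> "2001:db8::1".
function strip_port(string $addr): string {
    $addr = trim($addr);
    if (preg_match('/^\[([0-9a-fA-F:.]+)\](?::\d+)?$/', $addr, $m)) return $m[1];
    if (preg_match('/^(\d{1,3}(?:\.\d{1,3}){3}):\d+$/', $addr, $m)) return $m[1];
    return $addr;
}

// True if $ip lies inside $cidr (IPv4 or IPv6); a bare address matches only itself.
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $len] = array_pad(explode('/', $cidr, 2), 2, null);
    if (!filter_var($ip, FILTER_VALIDATE_IP) || !filter_var($net, FILTER_VALIDATE_IP)) return false;
    $ipBin = inet_pton($ip);
    $netBin = inet_pton($net);
    if (strlen($ipBin) !== strlen($netBin)) return false;   // never compare v4 with v6
    $max = strlen($netBin) * 8;
    if ($len !== null && (!ctype_digit($len) || (int) $len > $max)) return false;
    $bits = $len === null ? $max : (int) $len;
    $full = intdiv($bits, 8);
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) return false;
    if ($bits % 8 === 0) return true;
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

// Forwarded headers are honoured only when the TCP peer is a known proxy.
function resolve_client_ip(array $server, array $trustedProxies): ?string {
    $trusted = function (string $ip) use ($trustedProxies): bool {
        foreach ($trustedProxies as $cidr) {
            if (ip_in_cidr($ip, $cidr)) return true;
        }
        return false;
    };
    $peer = strip_port($server['REMOTE_ADDR'] ?? '');
    if (!filter_var($peer, FILTER_VALIDATE_IP)) return null;
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // Direct client: anything in the header is attacker-controlled, so ignore it.
    if ($xff === '' || !$trusted($peer)) return $peer;
    // Walk right to left; the first hop that is not one of our proxies is the client.
    foreach (array_reverse(explode(',', $xff)) as $hop) {
        $hop = strip_port($hop);
        if (!filter_var($hop, FILTER_VALIDATE_IP)) break;   // malformed entry: stop trusting the header
        if (!$trusted($hop)) return $hop;
    }
    return $peer;
}

// Constructed sample data (documentation address ranges).
$proxies = ['198.51.100.0/24'];
$cases = [
    'direct, spoofed header' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1'],
    'via trusted proxy'      => ['REMOTE_ADDR' => '198.51.100.10', 'HTTP_X_FORWARDED_FOR' => '192.0.2.99, 203.0.113.7:51234'],
];
foreach ($cases as $label => $server) {
    printf("%-24s => %s\n", $label, resolve_client_ip($server, $proxies) ?? 'rejected');
}
```

Keying lockouts on the value this returns keeps a spoofed header from shifting blame to another address, and keeps the proxy's own address from becoming the single lockout key for every visitor.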
2.7.4
- Lockout notifications can now be sent to a configurable email address.
2.7.3
- The settings page is back under “Settings”.
2.7.2
- Settings have been moved to a separate page.
- Fixed: login error message. https://wordpress.org/support/topic/how-to-change-login-error-message/
2.7.1
- A security issue inherited from the predecessor plugin Limit Login Attempts has been fixed.
2.7.0
- GDPR compliance implemented.
- Fixed: ip_in_range() loop $ip overrides itself, causing invalid results. https://wordpress.org/support/topic/ip_in_range-loop-ip-overrides-itself-causing-invalid-results/
- Fixed: the plugin was locking out the same IP address multiple times, each time with a different port. https://wordpress.org/support/topic/same-ip-different-port/
2.6.3
- Added support for Sucuri Website Firewall.
2.6.2
- Fixed an issue with backslashes in usernames.
2.6.1
- The plugin returns the “403 Forbidden” header once the maximum number of login attempts via XMLRPC is reached.
- Whitelists and blacklists now support IP ranges.
- Lockouts can now be released selectively.
- Fixed an issue with the encoding of special symbols in email notifications.
2.5.0
- Added multisite compatibility and additional MU settings. https://wordpress.org/support/topic/multisite-compatibility-47/
2.4.0
- Usernames and IP addresses can now be added to a whitelist or blacklist. https://wordpress.org/support/topic/banning-specific-usernames/ https://wordpress.org/support/topic/good-831/
- The lockout log has been reversed. https://wordpress.org/support/topic/inverse-log/
2.3.0
- IP addresses can now be whitelisted. https://wordpress.org/support/topic/legal-user/
- A “Gateway” column was added to the lockout log. It shows the endpoint at which an attacker was locked out. https://wordpress.org/support/topic/xmlrpc-7/
- Fixed the “Undefined index: client_type” error. https://wordpress.org/support/topic/php-notice-when-updating-settings-page/
2.2.0
- Removed the “Handle cookie login” setting because it is no longer needed.
- Added brute-force protection against WooCommerce login page attacks. https://wordpress.org/support/topic/how-to-integrate-with-woocommerce-2/
- Added brute-force protection against XMLRPC attacks. https://wordpress.org/support/topic/xmlrpc-7/
2.1.0
- The connection settings are now applied automatically and have therefore been removed from the admin interface.
- Now compatible with PHP 5.2 to support older WP installations.
2.0.0
- Fixed PHP warning: “Illegal offset type in isset or empty” https://wordpress.org/support/topic/limit-login-attempts-generating-php-errors
- Fixed issues with deprecated functions. https://wordpress.org/support/topic/using-deprecated-function
- Fixed an error with function arguments: https://wordpress.org/support/topic/warning-missing-argument-2-5
- Added timestamps for unsuccessful login attempts on the plugin settings page.
- Fixed: issues with .po translation files.
- Code refactoring and optimization.