This plugin has not been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.


Limit Login Attempts

By Johan Eenfeldt

Description

Limit the number of login attempts possible both through normal login as well as using auth cookies.

By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.

Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.

Features

  • Limit the number of retry attempts when logging in (for each IP). Fully customizable
  • Limit the number of attempts to log in using auth cookies in the same way
  • Informs user about remaining retries or lockout time on login page
  • Optional logging, optional email notification
  • Handles server behind reverse proxy
  • It is possible to whitelist IPs using a filter. But you probably shouldn’t. 🙂

Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish

Plugin uses standard actions and filters only.

Screenshots

  • Login screen after failed login with retries remaining
  • Login screen during lockout
  • Administration interface in WordPress 3.0.4

Installation

  1. Download the plugin files and unpack them into the wp-content/plugins directory.
  2. Activate the plugin through the WordPress admin interface.
  3. Customize the settings on the options page, if desired. If your server is located behind a reverse proxy, make sure to change this setting.

If you have any questions or problems please make a post here: https://wordpress.org/tags/limit-login-attempts

FAQ


Why not reset failed attempts on a successful login?

This is deliberate. Otherwise the administrator password could be found by trial and error: an attacker would simply log in with their own account on every 4th attempt to reset the counter.

What is this option about site connection and reverse proxy?

A reverse proxy is a server between the website and the Internet (it may handle caching or load balancing). This makes it somewhat harder to determine the correct client IP that should be blocked.

The default option is that you are not behind a proxy, which should by far be the most common case.

How do I know whether my site is behind a reverse proxy?

You probably are not, or else you already know very well that you are. The options page gives a good first estimate. Use that to set the option unless you are sure you know better.

Can I whitelist my IP so I don't get locked out?

First of all, a request: consider whether you really need this. Generally speaking, allowing exceptions to your security policy is not a good idea.

That said, there is now a filter that lets you do it: "limit_login_whitelist_ip"

Example:

    // Replace 'my-ip' with the address that should never be locked out.
    function my_ip_whitelist($allow, $ip) {
        return ($ip == 'my-ip') ? true : $allow;
    }
    add_filter('limit_login_whitelist_ip', 'my_ip_whitelist', 10, 2);

Note that we still notify and log as usual. This is so that you can still notice any suspicious activity coming from a whitelisted IP.
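As an added example (not code from the plugin or its author), the same limit_login_whitelist_ip hook used to whitelist a small fixed set of trusted addresses, with exact IPv4 matches and one CIDR range; the addresses are constructed placeholders from the documentation ranges, and the function leaves the plugin's own verdict untouched for anything it does not recognise.

```php
<?php
// Added example, not part of the Limit Login Attempts plugin.
// Whitelist a fixed set of trusted IPv4 addresses via the plugin's
// limit_login_whitelist_ip filter. Put this in an mu-plugin or functions.php.
// The addresses below are constructed placeholders; replace them with your own.
function my_limit_login_whitelist($allow, $ip) {
    $trusted = array(
        '203.0.113.10',     // exact address (placeholder)
        '198.51.100.0/24',  // IPv4 CIDR range (placeholder)
    );

    // Only handle well-formed IPv4 addresses; anything else keeps
    // whatever the plugin already decided.
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return $allow;
    }

    foreach ($trusted as $entry) {
        if (strpos($entry, '/') === false) {
            // Plain address: require an exact match.
            if ($ip === $entry) {
                return true;
            }
            continue;
        }

        // CIDR entry: compare the network parts under the prefix mask.
        list($net, $bits) = explode('/', $entry, 2);
        $bits = (int) $bits;
        if ($bits < 0 || $bits > 32 || !filter_var($net, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
            continue; // malformed entry, ignore it rather than whitelist everything
        }
        $mask = ($bits === 0) ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
        if ((ip2long($ip) & $mask) === (ip2long($net) & $mask)) {
            return true;
        }
    }

    // Not on the list: do not override the plugin's decision.
    return $allow;
}
add_filter('limit_login_whitelist_ip', 'my_limit_login_whitelist', 10, 2);
```

Because the plugin keeps logging and notifying for whitelisted addresses, failed attempts from these ranges still show up in the log, which is the behaviour the FAQ above relies on.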

I locked myself out while testing, what do I do now?

Either wait, or:

If you know how to add or edit PHP files, you can use the IP whitelist functionality described above. Then click the "Restore Lockouts" button on the plugin settings page and remove the whitelist function again.

If you have ftp/ssh access to the site, rename the file "wp-content/plugins/limit-login-attempts/limit-login-attempts.php" to deactivate the plugin.

If you have database access (for example through phpMyAdmin), you can clear the "limit_login_lockouts" option. In a default setup this would work: UPDATE wp_options SET option_value = '' WHERE option_name = 'limit_login_lockouts'

Reviews

God Awful Plugin

brightvesseldev 2 October 2019
The client had this installed and he was always getting locked out and never could get back in. No way to whitelist admins and a complete waste of time.

Awesome

naimansari 20 September 2019
Awesome Plugin

It still works great!

Adam Faryna 24 June 2019
well done

After 7 years of no updates… still working well!

david76oliver 4 December 2018
I don't know how and why, but this plugin still works really well.

Still works, and it still works well. (WP Version 4.9.8)

MrsJessicaSimpson 10 October 2018
This plugin was provided by my host provider when I signed up with THOSTS in December 2017. Was considering deleting it, but, .. this is from its log as of today 10/10/2018 IP Tried to log in as 91.200.12.28 pigsoft.net (4 lockouts), b92.co.uk (2 lockouts) 91.200.12.65 admin (1 lockout), b92.co.uk (1 lockout) 91.200.12.104 pigsoft.net (1 lockout) 91.200.12.157 b92.co.uk (2 lockouts) 27.151.92.51 dyandoss27289 (1 lockout) 86.49.188.134 admin (1 lockout) 146.185.223.160 admin (1 lockout) 211.245.31.111 michellz047609 (1 lockout) 170.238.36.26 admin (1 lockout) 91.200.12.56 b92.co.uk (4 lockouts) 185.63.254.15 admin (1 lockout) 91.200.12.35 b92.co.uk (5 lockouts), pigsoft.net (1 lockout) And so the list goes on, and one, and on, and on, .. China, Ukraine, France and the good old US of A to name just a few of the look up IPs I could be bothered to do. Script Jockies all of them, but they're not using brute force attacks: especially from reading some of the login (name) attacks that the web boys are using. Later on in that list, are some of the people I've mentioned in my posts: who aren't board members. Conclusion: This Plugin is worth its weight in gold. Thanks for reading, Jessica: Praise be the ORI.

Best plugin I have ever installed

albusaidys 22 July 2018
I have always installed this plugin on all WP websites that I create or manage. Nothing significant seems to have happened. However lately I have been monitoring one of my websites and noticed heightened attempts to log in without my permission. I lowered the number of attempts to 2 and increased lockout periods. I have also turned option to get notifications every time login fails and login IP attempts get locked out. I couldn't be happier. This has worked as the best protection from hacks, protection to lock out intruder IP's etc. So far over 450 failed attempts and over 250 permanently locked out IP's Thank you for the protection

Contributors & Developers

"Limit Login Attempts" is open-source software. The following people have contributed to this plugin:

Contributors
  • johanee

"Limit Login Attempts" has been translated into 30 languages. Thank you to the translators for their contributions.


Changelog

1.7.1

This version fixes a security bug in version 1.6.2 and 1.7.0. Please upgrade immediately.

"Auth cookies" are special cookies set at login that authenticate you to the system. It is how WordPress "remembers" that you are logged in between page loads.

During lockout these are supposed to be cleared, but a change in 1.6.2 broke this. It allowed an attacker to keep trying to break these cookies during a lockout.

Lockout of normal password login attempts still worked as it should, and it appears that all "auth cookie" attempts would keep getting logged.

In theory the "auth cookie" is quite resistant to brute force attack. It contains a cryptographic hash of the user password, and the difficulty of breaking it is not based on the password strength but instead on the cryptographic operations used and the length of the hash value. In theory it should take many, many years to break this hash. As theory and practice do not always agree, it is still a good idea to have working lockouts of any such attempts.

1.7.0

  • Added filter that allows whitelisting IP. Please use with care!!
  • Update to Spanish translation, thanks to Marcelo Pedra
  • Updated Swedish translation
  • Tested against WordPress 3.3.2

1.6.2

  • Fix bug where log would not get updated after it had been cleared
  • Do plugin setup in 'init' action
  • Small update to Spanish translation file, thanks to Marcelo Pedra
  • Tested against WordPress 3.2.1

1.6.1

  • (WordPress 3.0+) An invalid cookie can sometimes get sent multiple times before it gets cleared, resulting in multiple failed attempts or even a lockout from a single invalid cookie. Store the latest failed cookie to make sure we only count it as one failed attempt
  • Define "Text Domain" correctly
  • Include correct Dutch translation file. Thanks to Martin1 for noticing. Thanks again to Bjorn Wijers for the translation
  • Updated POT file for this version
  • Tested against WordPress 3.1-RC4

1.6.0

  • Happy New Year
  • Tested against WordPress 3.1-RC1
  • Plugin now requires WordPress version 2.8+. Of course you should never ever use anything but the latest version
  • Fixed deprecation warnings that had been piling up with the old version requirement. Thanks to Johannes Ruthenberg for the report that prompted this
  • Removed auth cookie admin check for version 2.7.
  • Make sure relevant values in $_COOKIE get cleared right away on auth cookie validation failure. There are still some problems with cookie auth handling. The lockout can trigger prematurely in rare cases, but fixing it is plugin version 2 stuff unfortunately.
  • Changed default time for retries to reset from 24 hours to 12 hours. The security impact is very minor and it means the warning will disappear "overnight"
  • Added question to FAQ ("Why not reset failed attempts on a successful login?")
  • Updated screenshots

1.5.2

  • Reverted minor cookie-handling cleanup which might somehow be responsible for recently reported cookie related lockouts
  • Added version 1.x Brazilian Portuguese translation, thanks to Luciano Passuello
  • Added Finnish translation, thanks to Ari Kontiainen

1.5.1

  • Further multisite & WPMU support (again thanks to erik@erikshosting.com)
  • Better error handling if option variables are damaged
  • Added Traditional Chinese translation, thanks to Denny Huang bigexplorations@bigexplorations.com.tw

1.5

  • Tested against WordPress 3.0
  • Handle 3.0 login page failure "shake"
  • Basic multisite support (parts thanks to erik@erikshosting.com)
  • Added Dutch translation, thanks to Bjorn Wijers burobjorn@burobjorn.nl
  • Added Hungarian translation, thanks to Bálint Vereskuti balint@vereskuti.info
  • Added French translation, thanks to oVa ova13lastar@gmail.com

1.4.1

  • Added Turkish translation, thanks to Yazan Canarkadas

1.4

  • Protect admin page update using wp_nonce
  • Added Czech translation, thanks to Jakub Jedelsky

1.3.2

  • Added Bulgarian translation, thanks to Hristo Chakarov
  • Added Norwegian translation, thanks to Rune Gulbrandsøy
  • Added Spanish translation, thanks to Marcelo Pedra
  • Added Persian translation, thanks to Mostafa Soufi
  • Added Russian translation, thanks to Jack Leonid (http://studio-xl.com)

1.3.1

  • Added Catalan translation, thanks to Robert Buj
  • Added Romanian translation, thanks to Robert Tudor

1.3

  • Support for getting the correct IP for clients while server is behind reverse proxy, thanks to Michael Skerwiderski
  • Added German translation, thanks to Michael Skerwiderski

1.2

  • No longer replaces pluggable function when cookie handling active. Re-implemented using available actions and filters
  • Filter error messages during login to avoid information leak regarding available usernames
  • Do not show retries or lockout messages except for login (registration, lost password pages). No change in actual enforcement
  • Slightly more aggressive in trimming old retries data

1.1

  • Added translation support
  • Added Swedish translation
  • During lockout, filter out all other login errors
  • Minor cleanups

1.0

  • Initial version

Meta

  • Version: 1.7.1
  • Last updated: 8 years ago
  • Active installations: 1+ million
  • WordPress version: 2.8 or higher
  • Tested up to: 3.3.2
  • Languages:

    Bulgarian, Catalan, Chinese (Taiwan), Croatian, Czech, Danish, Dutch, English (Australia), English (Canada), English (New Zealand), English (UK), English (US), Finnish, French (Canada), French (France), Galician, German, Hebrew, Hungarian, Italian, Japanese, Lithuanian, Norwegian (Bokmål), Portuguese (Brazil), Romanian, Russian, Slovak, Spanish (Spain), Spanish (Venezuela), Swedish, and Ukrainian.

  • Tags:
    authentication, login, security

Ratings

  • 5 stars 166
  • 4 stars 11
  • 3 stars 3
  • 2 stars 4
  • 1 star 13


Support

Issues resolved in the last two months:

0 out of 1
