Beschreibung
Limit the number of login attempts possible both through normal login as well as using auth cookies.
By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
Funktionen
- Limit the number of retry attempts when logging in (for each IP). Fully customizable
- Limit the number of attempts to log in using auth cookies in same way
- Informs user about remaining retries or lockout time on login page
- Optional logging, optional email notification
- Handles server behind reverse proxy
- It is possible to whitelist IPs using a filter. But you probably shouldn’t. 🙂
Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish
Plugin uses standard actions and filters only.
Screenshots
Loginscreen after failed login with retries remaining 
Loginscreen during lockout 
Administration interface in WordPress 3.0.4
Installation
- Lade die Plugin-Dateien herunter und entpacke sie in das wp-content/plugin Verzeichnis.
- Aktiviere das Plugin über das WordPress-Admin-Interface.
- Customize the settings on the options page, if desired. If your server is located behind a reverse proxy make sure to change this setting.
If you have any questions or problems please make a post here: https://wordpress.org/tags/limit-login-attempts
FAQ
- Installation Instructions
-
- Lade die Plugin-Dateien herunter und entpacke sie in das wp-content/plugin Verzeichnis.
- Aktiviere das Plugin über das WordPress-Admin-Interface.
- Customize the settings on the options page, if desired. If your server is located behind a reverse proxy make sure to change this setting.
If you have any questions or problems please make a post here: https://wordpress.org/tags/limit-login-attempts
- Why not reset failed attempts on a successful login?
-
Dies ist absichtlich so konzipiert. Sonst könnte man das Administratoren Passwort durch Ausprobieren herausfinden, indem du dich bei jedem 4. Anmeldeversuch mit deinem eigenen Account anmeldest.
- What is this option about site connection and reverse proxy?
-
Ein Revers-Proxy ist ein Server zwischen der Website und dem Internet (der möglicherweise das Caching oder Load-balancing übernimmt). Das macht es etwas schwieriger, die richtige Client IP zu ermitteln, die blockiert werde soll.
Die Standard Option, dass du dich nicht hinter einem Proxy befindest – was bei Weitem am häufigsten vorkommen sollte.
- Woher weiß ich, dass sich meine Website hinter einem Reverse-Proxy befindet?
-
Wahrscheinlich wirst du das nicht tun, oder aber du kennst dich wirklich gut aus. Die Options Seite liefert eine gute erste Einschätzung. Setze die Option, indem du diese nutzt, außer du bist dir sicher, dass du es besser weißt.
- Kann ich meine IP auf die Whitelist setzen, damit ich nicht ausgesperrt werde?
-
Zuallererst eine Bitte: Ãœberlege, ob du das wirklich brauchst. Allgemein gesagt ist es keine gute Idee, Ausnahmen in deinen Sicherheits-Richtlinien zuzulassen.
Dies vorausgeschickt, gibt es jetzt also einen Filter, der es dir ermöglicht und zwar: „limit_login_whitelist_ip“
Example:
function my_ip_whitelist($allow, $ip) {
return ($ip == ‚my-ip‘) ? true : $allow;
}
add_filter(‚limit_login_whitelist_ip‘, ‚my_ip_whitelist‘, 10, 2);Beachte, dass wir weiterhin wie üblich benachrichtigen und aufzeichnen. Das dient dazu, dir zu ermöglichen, auch jede verdächtige Aktivität über eine IP, die auf der weißen Liste steht, zu bemerken.
- Ich habe mich beim Testen ausgesperrt, was soll ich jetzt machen?
-
Either wait, or:
Wenn du weißt, wie man PHP Dateien ergänzt oder bearbeitet, kannst du die IP Whitelist Funktionalität nutzen, die weiter oben beschrieben wurde. Dann solltest du den „Restore Lockouts“ Button auf der Plugin Einstellungs-Seite klicken und die Whitelist Funktion entfernen.
Wenn du einen ftp/ssh Zugriff auf die Website hast, benenne die Datei in „wp-content/plugins/limit-login-attempts/limit-login-attempts.php“ um, um das plugin zu deaktivieren.
Wenn du Zugriff auf eine Datenbank (beispielsweise über phpMyAdmin) hast, kannst du die „limit_login_lockouts“ Option zurücksetzen. In einem Standard Setup würde das wie folgt funtionieren: „Update wp_options SET option_value= „Where option_name = ‚limit_login_lockouts'“
Rezensionen
After 7 years of no updates… still working well!
I don’t know how and why, but this plugin still works really well.
Still works, and it still works well. (WP Version 4.9.8)
This plugin was provided by my host provider when I signed up with THOSTS in December 2017.
Was considering deleting it, but, .. this is from it’s log as of today 10/10/2018
IP Tried to log in as
91.200.12.28 pigsoft.net (4 lockouts), b92.co.uk (2 lockouts)
91.200.12.65 admin (1 lockout), b92.co.uk (1 lockout)
91.200.12.104 pigsoft.net (1 lockout)
91.200.12.157 b92.co.uk (2 lockouts)
27.151.92.51 dyandoss27289 (1 lockout)
86.49.188.134 admin (1 lockout)
146.185.223.160 admin (1 lockout)
211.245.31.111 michellz047609 (1 lockout)
170.238.36.26 admin (1 lockout)
91.200.12.56 b92.co.uk (4 lockouts)
185.63.254.15 admin (1 lockout)
91.200.12.35 b92.co.uk (5 lockouts), pigsoft.net (1 lockout)
And so the list goes on, and one, and on, and on, ..
China, Ukraine, France and the good old US of A to name just a few of the look up IPs I could be bothered to do. Script Jockies all of them, but they’re not using brute force attacks: especially from reading some of the login (name) attacks that the web boys are using. Later on in that list, are some of the people I’ve mentioned in my posts: who aren’t board members.
Conclusion: This Plugin is worth it’s weight in gold.
Thanks for reading, Jessica: Praise be the ORI.
Doesn’t work
Doesn’t work
Best plugin I have ever installed
I have always installed this plugin on all WP websites that I create or manage. Nothing significant seems to have happened.
However lately I have been monitoring one of my websites and noticed heightened attempts to log in without my permission.
I lowered the number of attempts to 2 and increased lockout periods.
I have also turned option to get notifications every time login fails and login IP attempts get locked out.
I couldn’t be happier.
This has worked as the best protection from hacks, protection to lock out intruder IP’s etc.
So far over 450 failed attempts and over 250 permanently locked out IP’s
Thank you for the protection
bad role
bad role
nice plugin
nice plugin
Mitwirkende & Entwickler
„Limit Login Attempts“ ist Open-Source-Software. Folgende Menschen haben an diesem Plugin mitgewirkt:
Mitwirkende
„Limit Login Attempts“ wurde in 25 Sprachen übersetzt. Danke an die Ãœbersetzerinnen und Ãœbersetzer für ihre Mitwirkung.
Ãœbersetze „Limit Login Attempts“ in deine Sprache.
Interessiert an der Entwicklung?
Durchstöbere den Code, sieh dir das SVN Repository an oder abonniere das Entwicklungsprotokoll per RSS.
Änderungsprotokoll
1.7.1
This version fixes a security bug in version 1.6.2 and 1.7.0. Please upgrade immediately.
„Auth cookies“ are special cookies set at login that authenticating you to the system. It is how WordPress „remembers“ that you are logged in between page loads.
During lockout these are supposed to be cleared, but a change in 1.6.2 broke this. It allowed an attacker to keep trying to break these cookies during a lockout.
Lockout of normal password login attempts still worked as it should, and it appears that all „auth cookie“ attempts would keep getting logged.
In theory the „auth cookie“ is quite resistant to brute force attack. It contains a cryptographic hash of the user password, and the difficulty to break it is not based on the password strength but instead on the cryptographic operations used and the length of the hash value. In theory it should take many many years to break this hash. As theory and practice does not always agree it is still a good idea to have working lockouts of any such attempts.
1.7.0
- Added filter that allows whitelisting IP. Please use with care!!
- Update to Spanish translation, thanks to Marcelo Pedra
- Aktualisierte schwedische Ãœbersetzung
- Getestet mit WordPress 3.3.2
1.6.2
- Fix bug where log would not get updated after it had been cleared
- Do plugin setup in ‚init‘ action
- Small update to Spanish translation file, thanks to Marcelo Pedra
- Tested against WordPress 3.2.1
1.6.1
- (WordPress 3.0+) An invalid cookie can sometimes get sent multiple times before it gets cleared, resulting in multiple failed attempts or even a lockout from a single invalid cookie. Store the latest failed cookie to make sure we only count it as one failed attempt
- Define „Text Domain“ correctly
- Include correct Dutch tranlation file. Thanks to Martin1 for noticing. Thanks again to Bjorn Wijers for the translation
- Updated POT file for this version
- Tested against WordPress 3.1-RC4
1.6.0
- Happy New Year
- Tested against WordPress 3.1-RC1
- Plugin now requires WordPress version 2.8+. Of course you should never ever use anything but the latest version
- Fixed deprecation warnings that had been piling up with the old version requirement. Thanks to Johannes Ruthenberg for the report that prompted this
- Removed auth cookie admin check for version 2.7.
- Make sure relevant values in $_COOKIE get cleared right away on auth cookie validation failure. There are still some problems with cookie auth handling. The lockout can trigger prematurely in rare cases, but fixing it is plugin version 2 stuff unfortunately.
- Changed default time for retries to reset from 24 hours to 12 hours. The security impact is very minor and it means the warning will disappear „overnight“
- Added question to FAQ („Why not reset failed attempts on a successful login?“)
- Updated screenshots
1.5.2
- Reverted minor cookie-handling cleanup which might somehow be responsible for recently reported cookie related lockouts
- Added version 1.x Brazilian Portuguese translation, thanks to Luciano Passuello
- Added Finnish translation, thanks to Ari Kontiainen
1.5.1
- Further multisite & WPMU support (again thanks to erik@erikshosting.com)
- Better error handling if option variables are damaged
- Added Traditional Chinese translation, thanks to Denny Huang bigexplorations@bigexplorations.com.tw
1.5
- Tested against WordPress 3.0
- Handle 3.0 login page failure „shake“
- Basic multisite support (parts thanks to erik@erikshosting.com)
- Added Dutch translation, thanks to Bjorn Wijers burobjorn@burobjorn.nl
- Added Hungarian translation, thanks to Bálint Vereskuti balint@vereskuti.info
- Added French translation, thanks to oVa ova13lastar@gmail.com
1.4.1
- Added Turkish translation, thanks to Yazan Canarkadas
1.4
- Protect admin page update using wp_nonce
- Added Czech translation, thanks to Jakub Jedelsky
1.3.2
- Added Bulgarian translation, thanks to Hristo Chakarov
- Added Norwegian translation, thanks to Rune Gulbrandsøy
- Added Spanish translation, thanks to Marcelo Pedra
- Added Persian translation, thanks to Mostafa Soufi
- Added Russian translation, thanks to Jack Leonid (http://studio-xl.com)
1.3.1
- Added Catalan translation, thanks to Robert Buj
- Added Romanian translation, thanks to Robert Tudor
1.3
- Support for getting the correct IP for clients while server is behind reverse proxy, thanks to Michael Skerwiderski
- Added German translation, thanks to Michael Skerwiderski
1.2
- No longer replaces pluggable function when cookie handling active. Re-implemented using available actions and filters
- Filter error messages during login to avoid information leak regarding available usernames
- Do not show retries or lockout messages except for login (registration, lost password pages). No change in actual enforcement
- Slightly more aggressive in trimming old retries data
1.1
- Added translation support
- Added Swedish translation
- During lockout, filter out all other login errors
- Kleinere Aufräumarbeiten
1.0
- Erstversion