Login Security Solution

A simple way to lock down login security for multisite and regular
WordPress installations.

• Blocks brute force and dictionary attacks without inconveniencing
  legitimate users or administrators

  • Tracks IP addresses, usernames, and passwords
  • Monitors logins made by form submissions, XML-RPC requests and
    auth cookies
  • If a login failure uses data matching a past failure, the plugin
    slows down response times. The more failures, the longer the delay.
    This limits attackers ability to effectively probe your site,
    so they’ll give up and go find an easier target.
  • If an account seems breached, the “user” is immediately logged out
    and forced to use WordPress’ password reset utility. This prevents
    any damage from being done and verifies the user’s identity. But
    if the user is coming in from an IP address they have used in the
    past, an email is sent to the user making sure it was them logging in.
    All without intervention by an administrator.
  • Can notify the administrator of attacks and breaches
  • Supports IPv6

• Thoroughly examines and enforces password strength. Includes full
  UTF-8 character set support if PHP’s mbstring extension is enabled.
  The tests have caught every password dictionary entry I’ve tried.

  • Minimum length (customizable)
  • Doesn’t match blog info
  • Doesn’t match user data
  • Must either have numbers, punctuation, upper and lower case characters
    or be very long. Note: alphabets with only one case (e.g. Arabic,
    Hebrew, etc.) are automatically exempted from the upper/lower case
    requirement.
  • Non-sequential codepoints
  • Non-sequential keystrokes (custom sequence files can be added)
  • Not in the password dictionary files you’ve provided (if any)
  • Decodes “leet” speak
  • The password/phrase is not found by the dict dictionary
    program (if available)

• Blocks discovering user names via the “?author=” query string

• Password aging (optional) (not recommended)

  • Users need to change password every x days (customizable)
  • Grace period for picking a new password (customizable)
  • Remembers old passwords (quantity is customizable)

• Administrators can require all users to change their passwords

  • Done via a flag in each user’s database entry
  • No mail is sent, keeping your server off of spam lists

• Logs out idle sessions (optional) (idle time is customizable)

• Maintenance mode (optional)

  • Publicly viewable content remains visible
  • Disables logins by all users, except administrators
  • Logs out existing sessions, except administrators
  • Disables posting of comments
  • Useful for maintenance or emergency reasons
  • This is separate from WordPress’ maintenance mode

• Prevents information disclosures from failed logins

Improvements Over Similar WordPress Plugins

• Multisite network support
• Monitors authentication cookies for bad user names and hashes
• Tracks logins from XML-RPC requests
• Adjusts WordPress’ password policy user interfaces
• Takes security seriously so the plugin itself does not open your site
  to SQL, HTML, or header injection vulnerabilities
• Notice-free code means no information disclosures if display_errors
  is on and error_reporting includes E_NOTICE
• Only loads files, actions, and filters needed for enabled options
  and the page’s context
• Provides an option to have deactivation remove all of this plugin’s
  data from the database
• Uses WordPress’ features rather than fighting or overriding them
• No advertising, promotions, or beacons
• Proper internationalization support
• Clean, documented code
• Unit tests covering 100% of the main class
• Internationalized unit tests

For reference, the similar plugins include:

• 6Scan Security
• Better WP Security
• Enforce Strong Password
• Force Strong Passwords
• Limit Login Attempts
• Login Lock
• Login LockDown
• PMC Lockdown
• Simple Login Lockdown
• Wordfence Security
• WP Login Security
• WP Login Security 2

Compatibility with Other Plugins

Some plugins provide similar functionality. These overlaps can lead to
conflicts during program execution. Please read the FAQ!

Translations

• Deutsche, Deutschland (German, Germany) (de_DE) by Christian Foellmann
• Français, français (French, France) (fr_FR) by mermouy and and Fx Bénard
• Italiano, Italia (Italian, Italy) (it_IT) by Daniele Passalacqua
• 日本語, 日本国 (Japanese, Japan) (ja_JP) by motoyamayuki
• Nederlands, Nederland (Dutch, Netherlands) (nl_NL) by Friso van Wieringen
• polski, Polska (Polish, Poland) (pl_PL) by Michał Seweryniak miniol
• Português, Brasil (Portugese, Brazil) (pt_BR) by Valdir Trombini
• suomi, Suomi (Finnish, Finland) (fi_FI) by Juha Remes Newman101

Source Code, Bugs, and Feature Requests

Development of this plugin happens on
GitHub.
Please submit
bug and feature requests,
pull requests,
wiki entries
there.
Releases are then squashed and pushed to WordPress’
Plugins SVN repository.
This division is necessary due having being chastised that “the Plugins SVN
repository is a release system, not a development system.”

Old tickets are in the Plugins Trac.

Strong, Unique Passwords Are Important

Yeah, creating, storing/remembering, and using a different, strong
password for each site you use is a hassle. But it is absolutely
necessary.

Password lists get stolen on a regular basis from big name sites (like
Linkedin for example!). Criminals then have unlimited time to decode the
passwords. In general, 50% of those passwords are so weak they get figured
out in a matter of seconds. Plus there are computers on the Internet
dedicated to pounding the sites with login attempts, hoping to get lucky.

Many people use the same password for multiple sites. Once an attacker
figures out your password on one site, they’ll try it on your accounts at
other sites. It gets ugly very fast.

But don’t despair! There are good, free tools that make doing the right
thing a piece of cake. For example: KeePassX,
KeePass,
or 1Password

Securing Your WordPress Site is Important

You’re probably thinking “There’s nothing valuable on my website. No one
will bother breaking into it.” What you need to realize is that attackers
are going after your visitors. They put stealth code on your website
that pushes malware into your readers’ browsers.

According to SophosLabs more than 30,000 websites are infected
every day and 80% of those infected sites are legitimate.
Eighty-five percent of all malware, including viruses, worms,
spyware, adware and Trojans, comes from the web. Today,
drive-by downloads have become the top web threat.

— Security Threat Report 2012

So if your site does get cracked, not only do you waste hours cleaning up,
your reputation gets sullied, security software flags your site as dangerous,
and worst of all, you’ve inadvertently helped infect the computers of your
clients and friends. Oh, and if the attack involves malware, that malware
has probably gotten itself into your computer.

Actions

• login_security_solution_insert_fail
• login_security_solution_notify_breach
• login_security_solution_notify_fail
• login_security_solution_fail_tier_dos

Filters

The following filters allow customizing email subjects and messages. If
either the “subject”or “message” filters in a method returns an empty
string, the given method will skip calling wp_mail().

• login_security_solution_notify_breach_subject
• login_security_solution_notify_breach_message
• login_security_solution_notify_breach_user_subject
• login_security_solution_notify_breach_user_message
• login_security_solution_notify_fail_subject
• login_security_solution_notify_fail_message

Unit Tests

A thorough set of unit tests are found in the tests directory.

The plugin needs to be installed and activated before running the tests.

To execute the tests, cd into this plugin’s directory and
call phpunit tests

Translations can be tested by changing the WPLANG value in wp-config.php.

Please note that the tests make extensive use of database transactions.
Many tests will be skipped if your wp_options and wp_usermeta tables
are not using the InnoDB storage engine.

Removal

1. This plugin offers the ability to remove all of this plugin’s settings
   from your database. Go to WordPress’ “Plugins” admin interface and
   click the “Settings” link for this plugin. In the “Deactivate” entry,
   click the “Yes, delete the damn data” button and save the form.

2. Use WordPress’ “Plugins” admin interface to click the “Deactivate” link

3. Remove the login-security-solution directory from the server

In the event you didn’t pick the “Yes, delete the damn data” option or
you manually deleted the plugin, you can get rid of the settings by running
three queries. These queries are exapmles, using the default table name
prefix of, wp_. If you have changed your database prefix, adjust the
queries accordingly.

    DROP TABLE wp_login_security_solution_fail;

    DELETE FROM wp_options WHERE option_name LIKE 'login-security-solution%';

    DELETE FROM wp_usermeta WHERE meta_key LIKE 'login-security-solution%';= Inspiration and References =

• Password Research

  • Why passwords have never been weaker — and crackers have never been stronger, Dan Goodin
  • You can never have too many passwords: techniques for evaluating a huge corpus, Joseph Bonneau
  • Analyzing Password Strength, Martin Devillers
  • Consumer Password Worst Practices, Imperva
  • Preventing Brute Force Attacks on your Web Login, Bryan Rite
  • Password Strength, Randall Munroe

• Technical Info

  • The Extreme UTF-8 Table, infosnel.nl
  • A Recommendation for IPv6 Address Text Representation, Seiichi Kawamura and Masanobu Kawashima

• Password Lists

  • Dazzlepod Password List, Dazzlepod
  • Common Passwords, Fravia
  • The Top 500 Worst Passwords of All Time, Mark Burnett

To Do

• Provide a user interface to the fail table.