Description
Out of the box, WordPress allows unlimited attempts to log in. This opens up opportunities for attackers to crack passwords simply by trying over and over again. This kind of attack is called brute-force, and Protect Login mitigates this by slowing down the login after a series of subsequent failed attempts.
But we did not stop there. We’re also working on ways to improve the security of your WordPress passwords. Currently, we do this by allowing you to enforce a password policy to make sure your users don’t use weak passwords for their accounts.
Installation
- Upload the plugin files to the
/wp-content/plugins/protect-login
directory, or install the plugin through the WordPress plugins screen directly. - Activate the plugin through the ‘Plugins’ screen in WordPress.
- The default settings will be applied automatically. To change them, navigate to Settings > Protect Login
FAQ
-
Who are you folks?
-
We’re part of group.one, a group of European hosting companies. We’re here to help you succeed online.
-
Why did you build this plugin?
-
We care about WordPress and keeping WordPress sites secure. So we decided it was time to take the code of the original Limit Login Attempts plugin and build on top of it.
We did this for you. Protect Login is 100% free and will not bother you with nasty upsells or scare marketing. You have better things to do, don’t you? -
Why not reset failed attempts on a successful login?
-
This is very much by design. Otherwise, you could simply brute force the “admin” password by logging in as your own user every 4th attempt.
-
How do I know if my site is behind a reverse proxy?
-
If you’re not sure about this, chances are your site is not behind a reverse proxy. However, Protect Login’s settings offer an option to activate proxy mode.
A reverse proxy is a server between the site and the Internet (perhaps handling caching or load-balancing). This makes getting the correct client IP to block slightly more complicated. -
Can I put my IP on an allowlist to avoid getting locked out?
-
Yes, there is an allowlist tab in Protect Login’s settings.
-
I locked myself out while testing this plugin; what do I do?
-
Either wait until your account/IP is unblocked, or if you have FTP or SSH access to the site, rename it “wp-content/plugins/protect-login” to deactivate the plugin.
-
Do you support IPv6 addresses?
-
Yes, if the webserver passes an IPv6 address to your WordPress installation, the plugin has no problems to handle IPv6 from 1.2.0.
Reviews
Contributors & Developers
“Protect Login” is open source software. The following people have contributed to this plugin.
Contributors“Protect Login” has been translated into 1 locale. Thank you to the translators for their contributions.
Translate “Protect Login” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.4.2
- Removed “Your IP address” on blocklist tab
- Added headlines on allowlist, blocklist and blocked ip addresses
- Removed .github dir
1.4.1
- Bugfix: Fixed issue that prevented “Add own ip address to allowlist” from working
- Auto re-create WP sessions on activating plugin
- Bugfix: Fixed issue on creating session cookie on multisite
1.4.0
- Automatically clean up the locked-out list a week after IP addresses have been cleared
- Improve the design of empty IP lists
- Add own IP v6 / IPv6 – Address to allowlist
- Check for blocked IP on XML-RPC
- Bugfix: Fixed issues that prevented the plugin from discovering that it runs on a multisite
- Bugfix: Compatibility fixes to PHP 7.4
- Bugfix: Removed ending slashes from Rest API namespaces
1.3.1
- Bugfix: Improved error handling if non-numeric value is stored in wp_options
- Cleanup: Removed leading whitespace in translation file for widget
- Bugfix: Settings visible on multisite if name of the plugin directory is not “protect-login”
- Bugfix: An error occurred on WP multisites with enabled WP_DEBUG, because of too early load of translation files
- Moved “settings” sections to admin_init – action
- WP 6.7 compatibility
1.3.0
- Count of currently locked-out address visible in “At a glance” Widget
- Fixed bug on activation plugin through wp-cli in a multisite environment
- Remote API support
- Improved multisite support
1.2.0
- IPv6 support
- Endpoints for WP-CLI
- Added filter for password strength
- “Settings” link in plugin overview
- Bugfix: string “password too short” erroneous appeared in Quick Draft widget, removed.
1.1.1
- Removed unused strings
- Added translator comments
- Restructured some strings for easier translations
1.1.0
- Tested with WordPress 6.6
- Added Multisite Support
- Added filters to set protection levels programmatically
- Fixed issue with timestamps always using UTC
1.0.1
- Fixed minor bugs
1.0
- Initial version
- based on Limit Login Attempts 1.7.1 by Johan Eenfeldt