L
by Daniel Convissor
4.4 (54 reviews)
Login Security Solution
Security against brute force attacks by tracking IP, name, password; requiring very strong passwords. Idle timeout. Maintenance mode lockdown.
Tested up to WP 4.4.34 (Current: 6.9)
v0.56.0
Current Version v0.56.0
Updated 8 years ago
Last Update on 28 Nov, 2017
Synced 7 hours ago
Last Synced on
Rank
#3,469
-1 this week
Active Installs
4K+
—
No change
KW Avg Position
87.3
-0.7 better
Downloads
289.9K
+2 today
Support Resolved
0%
—
No change
Rating
88%
Review 4.4 out of 5
4.4
(54 reviews)
Next Milestone 5K
4K+
5K+
50
Ranks to Climb
-
Growth Needed
8,000,000
Active Installs
Pro
Unlock Exact Install Count
See the precise estimated active installs for this plugin, calculated from real-time ranking data.
- Exact install estimates within tiers
- Track install growth over time
- Milestone progress predictions
Need 121 more installs to reach 5K+
Rank Changes
Current
#3,469
Change
Best
#
Downloads Growth
Downloads
Growth
Peak
Upgrade to Pro
Unlock 30-day, 90-day, and yearly download history charts with a Pro subscription.
Upgrade NowReviews & Ratings
4.4
54 reviews
Overall
88%
5
40
(74%)
4
5
(9%)
3
1
(2%)
2
5
(9%)
1
3
(6%)
Tracked Keywords
Showing 3 of 3| Keyword | Position | Change | Type | Updated |
|---|---|---|---|---|
| strength | 33 | — | Tag | 7 hours ago |
| strong | 112 | — | Tag | 7 hours ago |
| passwords | 117 | — | Tag | 7 hours ago |
Unlock Keyword Analytics
Track keyword rankings, search positions, and discover new ranking opportunities with a Pro subscription.
- Full keyword position tracking
- Historical ranking data
- Competitor keyword analysis
Track This Plugin
Get detailed analytics, keyword tracking, and position alerts delivered to your inbox.
Start Tracking FreePlugin Details
- Version
- 0.56.0
- Last Updated
- Nov 28, 2017
- Requires WP
- 3.3+
- Tested Up To
- 4.4.34
- PHP Version
- N/A
- Author
- Daniel Convissor
Support & Rating
- Rating
- ★ ★ ★ ★ ☆ 4.4
- Reviews
- 54
- Support Threads
- 0
- Resolved
- 0%
Keywords
Upgrade to Pro
Unlock keyword rankings, search positions, and detailed analytics with a Pro subscription.
Upgrade NowSimilar Plugins
WP Adminify – White Label WordPress, Admin Menu Editor, Login Customizer
7K+ installs
#2,736
Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations
40K+ installs
#929
Anti-Malware Security and Brute-Force Firewall
100K+ installs
#295
WPS Limit Login
100K+ installs
#309
reCaptcha by BestWebSoft
100K+ installs
#316
Frequently Asked Questions
Common questions about Login Security Solution
site: https://wordpress.org/plugins/login-security-solution/ Unzip the file. Our existing tests are very effective, catching all of the 2 million entries in the Dazzlepod password list. But if you need to block specific passwords that my tests miss, this plugin offers the ability to provide your own dictionary files. Add a file to the pw_dictionaries directory and place those passwords in it. One password per line. Please be aware that checking the password files is computationally expensive. The following script runs through each of the password files and weeds out passwords caught by the other tests: php utilities/reduce-dictionary-files.php If your website has a large number of non-English-speaking users: See if a keyboard sequence file exists in this plugin's pw_sequences directory for your target languages. The following steps
direction of the motions indicated.) Open a text editor and create a file in the pw_sequences directory Hold down the shift key Press the top left character key of the keyboard. NOTE: during this entire process, do not press function, control or whitespace keys (like tab, enter, delete, arrows, space, etc). Work your way across the top row, pressing each key across the row, one by one Press the left-most character key in the second row Go across the second row pressing each key Continue through the entire keyboard in the same manner Let go of the shift key Re-start the process at the top left key of the keyboard and work your way through the keyboard, now in lower-case mode Save the file and close the editor Feel free to submit the files to me so others can use it. See the features request section, below. If a translation file for your language does not exist in this plugin's languages directory, add one. Read http://codex.wordpress.org/I18n_for_WordPress_Developers for details. The files must use UTF-8 encoding. Send me the file and I'll include it in future releases. See the features request section, below. The last step of the new password validation process is checking if the password matches an entry in the dict program. See if dict
http://en.wikipedia.org/wiki/Dict Upload the login-security-solution directory to your server's /wp-content/plugins/ directory Activate the plugin using WordPress' admin interface: Regular sites: Plugins Sites using multisite networks: My Sites | Network Admin | Plugins Adjust the settings as desired. This plugin's settings page can be reached via a sub-menu entry under WordPress' "Settings" menu or this plugin's entry on WordPress' "Plugins" page. Sites using WordPress' multisite network capability will find the "Settings" and "Plugin" menus under "My Sites | Network Admin". Run the "Change All Passwords" process. This is necessary to ensure all of your users have strong passwords. The user interface for
WordPress' "Plugins" page. Ensure your password strength by changing it. Hooks Login Security Solution provides hooks in critical methods, allowing you to add custom behaviors. Compatibility with Other Plugins Better WP Security: Their "Enable Login Limits" and "Enable strong password enforcement" functionality conflict with our features. The good news is we provide more robust protection in those areas and the Better WP Security "Settings" page lets you disable those features in their plugin. This way you get to enjoy even better security than either plugin alone.
The WordPress installation process (currently) defaults to having the main administrator's user's name be "admin." Many people don't change it. Attackers know this, so now all they need to do to get into such sites is guess the password. In addition, if you try to log in while your site is being attacked, this plugin will send you through the password reset process in order to verify your identity. While not the end of the world, it's inconvenient.
A link to the page is found in this plugin's entry in the "Plugins" admin interface: Regular sites: Plugins Sites using multisite networks: My Sites | Network Admin | Plugins
Let's turn the question around: "How long did it take to get in those 500 hits?" Chances are it took hours. (Six hours if they're attacking with one thread, 2 hours if they're coming at you with three threads, etc.) If this plugin wasn't working, they'd have pulled it off under a minute. Similarly, without the slowed responses this plugin provides, an attacker given six hours against your site could probably get in over 170,000 hits. Anyway, my real question for you is "Did they get in?" I'll bet not. The strong passwords this plugin requires from your users lowers the chances of someone breaking in to just about zero. And even if they do get lucky and figure out a password, Login Security Solution realizes they're miscreants and kicks them out.
If you look at it the right way, Login Security Solution provides lockouts (where "lockout" means "denies access" to attackers.) Below is a comparison of the attack handling logic used by Limit Login Attempts and Login Security Solution. Limit Login Attempts Invalid or Valid Credentials by Attacker or Actual User Process authentication request (check IP address) Error message: "Too many failed login attempts." (ACCESS DENIED.) Note, this approach means an actual user can be denied access for 12 hours after making 4 mistakes. Login Security Solution Invalid Credentials by Attacker or Actual User Process authentication request (check IP, user name, and password) Slow down the response Error message: "Incorrect username or password." (ACCESS DENIED.) Valid Credentials by Attacker Process authentication request (check IP, user name, and password) Slow down the response Set force password change flag for user Error message: "Your password must be reset. Please submit this form to reset it." (ACCESS DENIED.) Valid Credentials by Actual User Process authentication request (check IP, user name, and password) (If user is coming from their verified IP address, let them in, END) Slow down the response Error message: "Your password must be reset. Please submit this form to reset it." (ACCESS DENIED.) On subsequent request... user verifies their identity via password reset process User's IP address is added to their verified IP list for future reference So both plugins deny access to attackers. But Login Security Solution has the bonuses of letting legitimate users log in and slowing the attacks down. Plus LSS monitors user names, passwords, and IP's for attacks, while all of the other plugins just watch the IP address.
Yeah, the DOS potential is there. I mitigated it for the most part by disconnecting the database link (the most precious resource in most situations) before sleeping. But remember, distributed denial of service attacks are fairly easy to initiate these days. If someone really wants to shut down your site, they'll be able to do it without even touching this plugin's login failure process.
Development of this plugin happens on GitHub. Please submit bug and feature requests, pull requests, wiki entries on our GitHub. Information for Translators