How are websites hacked? The easiest and fastest way is to guess the username and password for the admin panel. Most owners of Internet resources leave the default administrator login, which greatly simplifies the task for hackers - they only have to guess the password. If you have not done so already, I strongly recommend that you change the default value of "admin" to a unique login. You can change your login and password for the site control panel in the "Users" section of the admin panel or through your blog's database.

It is worth adding that the password must be strong - consisting of 8 or more characters. You can find out what the best password for your account is by reading this. This complicates the task for hackers.

Another great tool for protecting the WordPress control panel against password-guessing programs is the Login LockDown plugin.

How the Login LockDown plugin works.

This plugin works in the following way. It monitors unsuccessful attempts to log into the control panel of an Internet resource and captures the IP address and the exact time.

If several unsuccessful attempts from this address are recorded within a certain time, the plugin will block this user for the time specified in the settings.
An error message will be displayed on the screen, and the cracker will lose all chances of guessing the password.

Installing Login LockDown on the site.

How to install plugins in WordPress, I have already described in this.
Installing the Login LockDown plugin is not much different from installing other similar tools.
You need to go to the site admin panel, select the "Plugins" panel and click the "Add New" button.

After that, the standard window for adding plugins will open, where you can find the plugin by keyword or upload its file from your PC if you downloaded it earlier.
Next, you need to confirm the installation of the tool and activate it.

Configuring Login LockDown.

In order to customize the protection for your needs, you need to go to the plugin settings.
To do this, select the "Options" menu and find the security plugin in it.

A window with tool settings will open in front of you.

Description of Login LockDown plugin settings.

  • Max Login Retries - the maximum number of unsuccessful attempts allowed before the lock is triggered;
  • Retry Time Period Restriction - the period of time over which incorrect password entries to the admin panel are counted. The longer the period you set here, the safer it will be;
  • Lockout Length - the time for which a suspicious IP address will be blocked;
  • Lockout Invalid Usernames - determines whether attempts with an incorrect login are counted.
    If you do not activate it, the login can be guessed as many times as you like, and the account will not be blocked provided that the correct password is entered. It is better to activate it; this increases the reliability of the blog;
  • Mask Login Errors - masks the data entry error shown on the attacker's screen.
    If it is not activated, a hint will be displayed showing what exactly was entered incorrectly, the login or the password. It is better to enable this feature, so the villain will not know whether he entered the wrong password or the wrong login;
  • Currently Locked Out - a list of blocked IPs and the time remaining until access is unblocked. Here you can unblock any IP address.

After making all the necessary changes, click the "Update Settings" button for them to take effect.
Now access to the site's control panel will be protected by the plugin and hackers will not be able to use programs to guess passwords.

WordPress is the most popular content management system today. And it is clear why: ease of use and configuration, many plugins, and it is free. But with that comes a lot of attention from attackers. Sites on WordPress are very often the target of attacks. The reasons for hacking a site differ; more precisely, the reason is always the same - money - and only the approaches differ. One of the ways to hack a site, including one on WordPress, is brute force: trying to access the site by guessing a username and password.

All WordPress users know that the entrance to the site admin panel is located at or, from which you will be transferred to the first one anyway. The attackers know about it too. Therefore, if you are careless about protecting the admin panel, the likelihood of your site being hacked increases significantly. How can you keep out those who have no business in the admin panel?

The first, the most banal but no less important, is choosing a strong password and changing the standard login.

The second is the installation of special plugins to protect the admin panel.

The third is setting up redirects and manually editing WordPress files.

Also, most hosting providers now offer protection for the admin panel on their side.

In this article, I want to talk about the Login Lockdown plugin, which will help protect the admin panel of your WordPress site from password guessing.

What is the principle of the plugin? When someone tries to get into your admin panel and enters an incorrect login or password a certain number of times within a certain period of time, Login LockDown blocks the IP address from which the attempts were made for a certain amount of time.

Plugin Installation

You can install the plugin through the built-in WordPress manager. To do this, in the control panel, go to Plugins->Add New.

Enter the name of the plugin in the search field.

Select the plugin from the search results and click install.

After installing Login LockDown, you need to immediately activate it.

Now you can move on to setting up the extension.

Go to Settings->Login LockDown

There are not many settings for the plugin. Let's go through them briefly.

  • Max Login Retries - the maximum number of attempts. The default is 3, which means that after three failed login attempts, access from this IP will be blocked.
  • Retry Time Period Restriction (minutes) - the time period in minutes over which unsuccessful login attempts are counted. The default is 5. That is, if an incorrect password is entered 3 times within five minutes, the IP will be blocked.
  • Lockout Length (minutes) - the period of time for which a suspicious IP is blocked. The default is 60 minutes.
  • Lockout Invalid Usernames? - should attempts with an invalid login be counted? Disabled by default. If the function is disabled, the plugin does not count attempts with a wrong login. That is, theoretically, an attacker who knows the admin panel password will be able to guess the login as many times as he likes.
  • Mask Login Errors? - mask login errors? Disabled by default. If the function is disabled, then when incorrect data is entered, a message appears stating what exactly was entered incorrectly - the login or the password. When the function is enabled, the message does not specify where the error was made.
  • Show Credit Link? - show a link to Login LockDown. You can choose between showing a link to the plugin site, showing the link with a nofollow tag, or not showing a link.
  • Currently Locked Out - a list of blocked IPs and the time until unblocking. Here you can unblock an IP.
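
How these settings interact, as an added example: a small model of the behaviour described in the list, not the plugin's own code. The class and function names, the account store and the returned strings are hypothetical, and it assumes the lock starts on the attempt that reaches Max Login Retries.

```python
from dataclasses import dataclass, field

@dataclass
class LockoutModel:
    # Defaults are the plugin defaults quoted in the list above.
    max_retries: int = 3              # Max Login Retries
    retry_window_min: float = 5       # Retry Time Period Restriction (minutes)
    lockout_min: float = 60           # Lockout Length (minutes)
    lock_invalid_usernames: bool = False   # Lockout Invalid Usernames?
    mask_errors: bool = False              # Mask Login Errors?
    # Constructed account store; a real site checks hashed passwords.
    users: dict = field(default_factory=lambda: {"editor": "constructed-pass"})
    fails: dict = field(default_factory=dict)    # ip -> times of counted failures
    locked: dict = field(default_factory=dict)   # ip -> minute the lock expires

    def login(self, ip, user, password, now):
        """Process one attempt at minute `now`; return what the form shows."""
        if self.locked.get(ip, 0) > now:
            return "blocked"
        known = user in self.users
        if known and self.users[user] == password:
            return "ok"
        # With the option off, attempts on unknown logins are not counted.
        if known or self.lock_invalid_usernames:
            recent = [t for t in self.fails.get(ip, [])
                      if now - t < self.retry_window_min]
            recent.append(now)
            self.fails[ip] = recent
            if len(recent) >= self.max_retries:
                self.locked[ip] = now + self.lockout_min
                self.fails[ip] = []
        if self.mask_errors:
            return "invalid credentials"      # same text for both mistakes
        return "wrong password" if known else "unknown username"

def replay(model, attempts):
    """attempts: iterable of (ip, user, password, minute)."""
    return [model.login(*a) for a in attempts]

if __name__ == "__main__":
    ip = "203.0.113.7"   # documentation-range address
    guesses = [(ip, "editor", f"guess{i}", i) for i in range(4)]
    print(replay(LockoutModel(), guesses))
    probes = [(ip, f"name{i}", "x", i) for i in range(6)]
    print(replay(LockoutModel(), probes))
    print(replay(LockoutModel(lock_invalid_usernames=True, mask_errors=True), probes))
```

With the defaults, the second run is never blocked and each reply confirms that the login does not exist; with both options enabled, the same requests are locked out after three attempts and the replies no longer say which field was wrong.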

That's what Login LockDown is. After changing the settings, save them, and your blog will be a little more secure.

Hello, dear readers of the blog site! The topic of today's article: protecting your WordPress blog from being hacked by guessing the password to the admin panel. This method is called . This problem is very relevant, since cases of unauthorized access to the holy of holies of the blog, namely the WordPress control panel, are unfortunately not at all rare.

In general, the WordPress security topic is very extensive and is not limited only to the ones that I already wrote about earlier. Much more unfortunate consequences (I don’t even want to imagine) can occur if attackers gain access to the blog admin panel. Our task is to do everything possible to prevent this from happening. And today I will talk about only one of the ways to strengthen the protection of the blog. Meet the WordPress Security Plugin Login LockDown.

Protecting the WordPress Admin from Hacking with the Login LockDown Plugin

The easiest way to hack a site is to guess the username and password for the control panel. I must say that many bloggers themselves make it 50% easier for a hacker by leaving the default login. Then all that remains is to guess the password.

Have you changed your username or do you still have the name admin? If not, then do it immediately. My article ““ may help you with this.

Be sure to change the password to a more secure one immediately after installing the engine (make it about 20 characters, using upper and lower case letters, numbers and special characters). This can be done directly from the admin panel by going to the menu “Users” - “Your profile”. Enter the new password twice and save the changes by clicking “Update Profile”. Change your password periodically and do not use it on other sites.

With such simple actions, we will already complicate the task for crackers. But let's say they turn out to be stubborn and keep trying, using special programs for guessing a password. This is where the WordPress Login LockDown security plugin comes to the rescue.

How the Login LockDown Plugin Works

The plugin captures the exact time and IP address from which an unsuccessful login attempt was made to the blog admin. When a certain number of unsuccessful attempts are made within a certain period of time, the plugin blocks access to the site for a specified time. A message is displayed:

“Error: Sorry, but this IP range has been blocked due to too many failed login attempts. Please try again later.”

In addition, you will have a list of all blocked IP addresses and the ability to unblock them in the plugin settings. Let's consider them in more detail.

Installing and configuring the Login LockDown security plugin

Install and activate the plugin. I described in detail the installation of this plugin, as an example, in the article ““. Therefore, without further ado, let's move on to the settings.

Go to the menu “Options” - “Login LockDown”.

The figure shows the default settings. You can change them to your liking. Below I will describe what each of the points means and give my comments:

  • 1. Max Login Retries - the maximum number of attempts to enter the blog admin panel. I don't think it makes sense to set more than three.
  • 2. Retry Time Period Restriction (minutes) - the time period in minutes for retries. Five minutes is enough to even run to the Canadian border, let alone enter the password.
  • 3. Lockout Length (minutes) - the time in minutes for which access to the WordPress admin panel is blocked. You can leave 60 minutes, or you can set more.
  • 4. Lockout Invalid Usernames - count incorrect login input? We check this item, and the plugin will take into account an incorrectly entered name in addition to the password. Extra protection of the blog is never superfluous.
  • 5. Mask Login Errors - masks the errors shown when incorrect data is entered. We check it, and then the cracker will not know that his actions are being monitored (I did not notice any difference, though).
  • 6. Currently Locked Out - here you can see a list of currently blocked IP addresses and the time until unblocking. More on this below.

After the Login LockDown security plugin has been configured, click the “Update Settings” button for the changes to take effect.

For clarity, I will spell out what happens when someone tries to hack a blog if the settings are, for example, the defaults, as in the figure above. If the password is entered incorrectly more than 3 times within 5 minutes, then access to the admin panel is blocked for 60 minutes.

Now back to the list of IP addresses. I don't know when this might be needed, but you have the ability to unblock an IP address that has fallen out of favor. To do this, check this item and click "Release Selected". This probably makes sense if you are not the only one with access to the blog. For example, several authors or a freelancer needs to tweak something.

One more detail. If you look closely, in the first screenshot you can see that a notice about protection by the Login LockDown plugin is displayed under the login form in the admin panel. It should appear if you installed the plugin correctly and it works. But in this case, item 5 loses its meaning, because the attacker is warned about the protection in advance. Let's remove this notice.

Go to the menu “Plugins” - “Editor”. Select our security plugin from the drop-down list at the top right and click “Select”. In the file login-lockdown/loginlockdown.php, find this line (see the picture below) and remove everything between the quotes. Click “Update file” and go to the login page. The notice should disappear.

Pay attention to the warning on the edit page. Before making any changes, deactivate the plugin and then re-enable it. I hope there is no need to remind you that you should make copies of files before editing them.

Now the WordPress Login LockDown security plugin will not allow an attacker to get into the admin panel by guessing a password. Of course, this does not guarantee 100% protection of WordPress from hacks and other troubles. But each kind of blog protection adds another brick to the wall in front of the enemy. The higher this wall, the more peacefully you will sleep at night.

You need to remember well that you need to pay attention to blog security issues no less than writing unique content and promotion in search engines. In future articles, I will return to this topic more than once. Subscribe to blog updates to always be in the know. See you soon!

Good afternoon, dear readers! Today we will increase security in WordPress. WordPress is already well protected, but additional security will not hurt us.

First, let's close access to unnecessary files. Type in the browser address, for example, your_blog/wp-content and if you see a white screen, then everything is fine:

If you have a list of files, then you need to do the following (even if there is a white screen, it is better to do the following):

Security in WordPress with the Login LockDown Plugin

Your blog can also be hacked by guessing its password. If you set a very weak password, hackers can easily “penetrate” your blog using special scripts.

Configuring the Login LockDown Security Plugin

To get to the plugin settings, you need to go to WordPress Admin –> Settings –> Login LockDown:

1. Max Login Retries - the maximum number of password attempts.

2. Retry Time Period Restriction (minutes) - the number of minutes over which the maximum number of password attempts is counted.

3. Lockout Length (minutes) - the blocking time.

That is, if the numbers remain the same as in the picture above, then this means the following: if in 5 minutes the password is entered incorrectly 3 times in a row, then the WordPress admin area is blocked for 60 minutes.

I left the Login LockDown plugin settings by default, did not touch anything, since they completely suit me.

Perhaps that is everything about security in WordPress for today. See you in the next lessons!

02/27/2017 Romchik

Good day. In this article, we will consider one aspect of protecting a WordPress site: protecting the WordPress admin panel. More precisely, we will look at a plugin that lets you limit the number of login attempts to the WordPress admin panel. We will install and configure the Login LockDown plugin for WordPress.

First you need to download and install the Login LockDown plugin from the official website. Installing this plugin is not difficult, so we will not dwell on it.

Let's take a closer look at the setup.

Plugin Features - Login LockDown

The plugin allows you to block an IP address for a while if there were several unsuccessful authorization attempts within a certain time. What is it for? This is the usual protection against brute force (guessing the login and password). Here is an example from the life of my blog, a screenshot from the access.log file:

As you can see, the user with ip address is trying to do something on the authorization page. He was trying to guess a username and password. After several attempts, his IP address was blocked.
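
How such a trace can be picked out of access.log, as an added example that is not part of the original article: the script counts failed POST requests to wp-login.php per IP in a sliding window, using the same 3-attempts-in-5-minutes threshold as the plugin defaults. The log lines are constructed, the combined log format is assumed, and so is the convention that a failed login answers 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Start of a combined-format access.log line: IP, timestamp, request, status.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log; the addresses come from documentation ranges.
SAMPLE_LOG = """\
198.51.100.33 - - [01/Mar/2024:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.33 - - [01/Mar/2024:09:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.33 - - [01/Mar/2024:09:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2890
203.0.113.7 - - [01/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [01/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [01/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [01/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [01/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [01/Mar/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

def flag_bruteforce(log_text, max_retries=3, window_min=5):
    """Return {ip: time of the attempt that crossed the threshold}."""
    window = timedelta(minutes=window_min)
    recent = defaultdict(deque)   # ip -> times of failed POSTs still in window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].startswith("/wp-login.php"):
            continue
        # Assumption: a failed login re-renders the form (200),
        # a successful one redirects (302), so only 200 is counted.
        if m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        times = recent[m["ip"]]
        times.append(ts)
        while ts - times[0] >= window:
            times.popleft()
        if len(times) >= max_retries:
            flagged.setdefault(m["ip"], ts)
    return flagged

if __name__ == "__main__":
    for ip, when in flag_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when:%H:%M:%S}")
```

The owner who mistypes once and then logs in, and the address whose failures are ten minutes apart, both stay below the threshold; only the rapid sequence is reported.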

Plugin setup – Login LockDown

Go to Settings -> Login LockDown and get to the plugin settings page.

In the first field, specify the maximum number of incorrect attempts.

In the second field, specify the period, in minutes, over which attempts are counted.

In the third field, specify the period in minutes for which we will block the user.

After all the settings, click "Update Settings"

That completes the setup of the Login LockDown plugin, which serves to protect WordPress.

But, if you paid attention, then there is another “Activity” tab, which displays blocked ip addresses.


We have set up the Login LockDown plugin, which allows you to protect your WordPress site from brute force attacks.

