Login LockDown plugin. WordPress Login LockDown Security Plugin – Hack Protection

Good afternoon, dear readers! Today we will increase security in WordPress. WordPress is already well protected, but additional security will not hurt us.

First, let's close access to unnecessary files. Enter an address such as your_blog/wp-content in the browser. If you see a blank white page, everything is fine:

If you see a list of files instead, you need to do the following (even if you get the white page, it is still better to do it):

Security in WordPress with the Login LockDown Plugin

Your blog can also be hacked by guessing its password. If you set a very weak password, hackers can easily "penetrate" your blog using special scripts.

Configuring the Login LockDown Security Plugin

To get to the plugin settings, you need to go to WordPress Admin –> Settings –> Login LockDown:


1. Max Login Retries - maximum number of password attempts.

2. Retry Time Period Restriction (minutes) - the number of minutes over which the maximum number of password attempts is counted.

3. Lockout Length (minutes) - blocking time.

That is, if the numbers stay the same as in the picture above, it means the following: if the password is entered incorrectly 3 times in a row within 5 minutes, the WordPress admin area is blocked for 60 minutes.

I left the Login LockDown plugin settings at their defaults and did not touch anything, since they suit me completely.

That is probably all for today about security in WordPress. See you in the next lessons!

P.S. Don't forget, fresh useful lessons are released every weekday, so be sure to subscribe to RSS!

Hello, dear readers of the blog site! The topic of today's article is protecting your WordPress blog from being hacked by guessing the password to the admin panel. This method is called . The problem is very relevant, since cases of unauthorized access to the holy of holies of the blog, namely the WordPress control panel, are unfortunately not rare at all.

In general, the topic of WordPress security is very extensive and is not limited to the ones that I already wrote about earlier. Far worse consequences (I don't even want to imagine them) can follow if attackers gain access to the blog admin panel. Our task is to do everything possible to prevent this from happening. Today I will talk about only one of the ways to strengthen the protection of the blog. Meet the WordPress security plugin Login LockDown.

Protecting the WordPress Admin from Hacking with the Login LockDown Plugin

The easiest way to hack a site is to guess the username and password for the control panel. I must say that many bloggers themselves make it 50% easier for a hacker by leaving the default login. Then all that remains is to guess the password.

Have you changed your username or do you still have the name admin? If not, then do it immediately. My article ““ may help you with this.

Immediately after installing the engine, be sure to change the password to a more secure one (we make it about 20 characters long, using upper and lower case letters, numbers and special characters). This can be done directly from the admin panel by going to the menu "Users" - "Your profile". Enter the new password twice and save the changes by clicking "Update Profile". Change your password periodically and do not use it on other sites.

With such simple actions we already complicate the task for crackers. But let's say they turn out to be stubborn and keep trying, using special programs for guessing a password. This is where the WordPress Login LockDown security plugin comes to the rescue.

How the Login LockDown Plugin Works

The plugin records the exact time and the IP address of each unsuccessful attempt to log in to the blog admin. When a certain number of unsuccessful attempts are made within a certain period of time, the plugin blocks access to the site for a specified time. A message is displayed:

“Error: Sorry, but this IP range has been blocked due to too many failed login attempts. Please try again later.”

In addition, you will have a list of all blocked IP addresses and the ability to unblock them in the plugin settings. Let's consider them in more detail.

Installing and configuring the Login LockDown security plugin

Install and activate the plugin. I described in detail the installation of this plugin, as an example, in the article ““. Therefore, without further ado, let's move on to the settings.

Go to the menu "Options" - "Login LockDown".

The illustration shows the default settings. You can change them to your liking. Below I will describe what each of the points means and give my comments:

  • 1. Max Login Retries - the maximum number of attempts to enter the blog admin panel. I don't think it makes sense to put more than three.
  • 2. Retry Time Period Restriction (minutes) - time period in minutes to retry. Five minutes is enough to even run to the Canadian border, let alone enter the password.
  • 3. Lockout Length (minutes) - time in minutes for which access to the WordPress admin panel is blocked. You can leave 60 minutes, or you can set more.
  • 4. Lockout Invalid Usernames - whether to count an incorrectly entered login. We check this item, and the plugin will count an incorrectly written name in addition to the password. Extra protection of the blog is never superfluous.
  • 5. Mask Login Errors - masks the errors shown when incorrect data is entered. We check it, and then the cracker will not know that his actions are being monitored (though I did not notice any difference).
  • 6. Currently Locked Out - here you can see a list of currently blocked IP addresses and the time until unblocking. More on this below.

After the Login LockDown security plugin has been configured, click the "Update Settings" button for the changes to take effect.

For clarity, I will spell out what happens when someone tries to hack a blog with, for example, the default settings shown in the figure above. If the password is entered incorrectly more than 3 times within an interval of 5 minutes, then access to the admin panel is blocked for 60 minutes.
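
The counting rule behind these settings can be modelled in a few lines. This is an added example, not the plugin's own code (the plugin itself is PHP): the class, its field names and the sample events are constructed for illustration, and it assumes that the lockout starts on the failure that reaches Max Login Retries and that it is keyed on a single IP address.

```python
from dataclasses import dataclass, field

@dataclass
class LockdownModel:
    """Hypothetical model of the settings described above (not plugin code)."""
    max_retries: int = 3               # Max Login Retries
    retry_window: int = 5              # Retry Time Period Restriction (minutes)
    lockout_length: int = 60           # Lockout Length (minutes)
    count_invalid_users: bool = False  # Lockout Invalid Usernames
    failures: dict = field(default_factory=dict)      # ip -> failure minutes
    locked_until: dict = field(default_factory=dict)  # ip -> unlock minute

    def attempt(self, minute, ip, user_exists, password_ok):
        """Process one login attempt; return 'blocked', 'ok' or 'failed'."""
        if minute < self.locked_until.get(ip, 0):
            return "blocked"           # even a correct password is refused
        if user_exists and password_ok:
            return "ok"
        if user_exists or self.count_invalid_users:
            # Drop failures that have aged out of the retry window.
            recent = [t for t in self.failures.get(ip, [])
                      if minute - t < self.retry_window]
            recent.append(minute)
            self.failures[ip] = recent
            if len(recent) >= self.max_retries:   # assumed: lock on reaching it
                self.locked_until[ip] = minute + self.lockout_length
                self.failures[ip] = []
        return "failed"

def replay(model, events):
    """Feed (minute, ip, user_exists, password_ok) tuples through the model."""
    return [model.attempt(*event) for event in events]

# Constructed sample events; the IPs are from documentation ranges.
BURST = [(0, "203.0.113.7", True, False), (1, "203.0.113.7", True, False),
         (2, "203.0.113.7", True, False),   # third failure inside 5 minutes
         (3, "203.0.113.7", True, True),    # right password, IP still locked
         (62, "203.0.113.7", True, True)]   # 60-minute lockout has expired
# Failures six minutes apart fall outside the 5-minute window.
SPACED = [(m, "198.51.100.9", True, False) for m in (0, 6, 12, 18)]
# Failures against a username that does not exist.
UNKNOWN_USER = [(m, "192.0.2.44", False, False) for m in (0, 1, 2, 3)]

if __name__ == "__main__":
    print(replay(LockdownModel(), BURST))
    print(replay(LockdownModel(), SPACED))
    print(replay(LockdownModel(), UNKNOWN_USER))
    print(replay(LockdownModel(count_invalid_users=True), UNKNOWN_USER))
```

With retry_window=15 the SPACED events are counted together and the third failure locks the address, which is the trade-off to weigh when choosing Retry Time Period Restriction.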

Now back to the list of IP addresses. I don't know when this might be needed, but you have the ability to unblock an IP address that has fallen out of favor. To do this, check this item and click "Release Selected". This probably makes sense if you are not the only one with access to the blog, for example if there are several authors or a freelancer needs to tweak something.

One more detail. If you look at the first screenshot, you can see that a notice about protection by the Login LockDown plugin is displayed under the login form in the admin panel. It should appear if you installed the plugin correctly and it works. But in this case the point of item 5 is lost, because the attacker is warned about the protection in advance. Let's remove this label.

Go to the menu "Plugins" - "Editor". Select our security plugin from the drop-down list at the top right and click "Select". Find this line in the file login-lockdown/loginlockdown.php (see the picture below) and remove everything between the quotes. Click "Update file" and go to the login page. The label should disappear.

Pay attention to the warning on the edit page. Before making any changes, deactivate the plugin and then re-enable it. I hope there is no need to remind you that you should make copies of files before editing them.

Now the WordPress Login LockDown security plugin will not allow an attacker to get into the admin panel by guessing a password. Of course, this does not guarantee 100% protection of WordPress from hacks and other troubles. But every type of blog protection builds a wall in front of the enemy brick by brick. The higher this wall, the more peacefully you will sleep at night.

Remember that blog security deserves no less attention than writing unique content and promotion in search engines. In future articles, I will return to this topic more than once. Subscribe to blog updates to always be in the know. See you soon!

In the first part, I will tell you how to protect your blog from being hacked by password guessing. Most importantly, do not set a simple password and do not use the same password on other resources. The plugin will also help protect against password guessing.

Installing and configuring the Login LockDown plugin

The plugin temporarily blocks an IP address from entering a login and password if there have been quite a few unsuccessful attempts. You can set the number of attempts and the blocking time yourself.

To install, you need to download the plugin. Extract it to the /plugins folder and activate it.

To configure the plugin, go to "Options" -> "the following window will appear:

Max Login Retries - this is the maximum number of login attempts, I think three is enough.

Retry Time Period Restriction (minutes) - the amount of time between attempts, I have 15 minutes.

Lockout Length (minutes) - the number of minutes for which the login form is blocked once incorrect data has been entered the maximum number of times, I have 15 minutes.

Lockout Invalid Usernames - whether to take into account incorrect login input.

Mask Login Errors - whether to mask data entry errors.

The Currently Locked Out section displays a list of blocked IPs.

If the plugin is installed normally, then "Login form protected by Login LockDown" will be displayed in the login and password entry form.

Website security is a top priority when developing a web project, and WordPress security is no exception. Attempts at unauthorized access to blog management are not common, but they do happen in the life of a webmaster ...

To protect your website from brute-force attacks that guess the login data, you can restrict access to the administrative panel. To do this, you can allow access only from trusted IP addresses, or set a limit on the number of authorization errors.

A popular tool for bloggers in the fight against password guessing is a free plugin, Login LockDown. This highly specialized add-on tracks authorization attempts, that is, logins to the WordPress console.
A feature of the plugin is the flexibility of its settings, which allow the administrator to delay each login attempt, limited by the specified number, and then block the attacker (his IP address) for a long time!

Installation and activation

You can install the add-on over FTP, after first downloading the archive with the plugin from https://wordpress.org/plugins/login-lockdown/
or go to the "Plugins" section of the admin panel, click on the "Add new" item at the top, then enter the name in the search bar and press the "Enter" key. Install the first result, and then activate it.

Plugin settings

As previously noted, the number of Login LockDown options is small and represents only functional parameters. Once activated, the plugin starts operating with the default values preferred by most users.
In the panel, expand the "Settings" section, where the "Login LockDown" item will be found, click it and go to the settings page "Login LockDown Options":

  1. Max Login Retries - the number of authorization attempts, after which the address is blocked. The default is 3 (we do not recommend setting more than 5 attempts).
  2. Retry Time Period Restriction (minutes) – the number of minutes between attempts to log in, by default 2 minutes (it is better to shorten it so that the user can repeat the login soon).
  3. Lockout Length (minutes) - the number of minutes to block an IP address, by default 120 (2 hours), it is quite possible to increase it with the proper level of danger.
  4. Lockout Invalid Usernames? – option to disable plugin functions for unregistered names (logins). We turn it on at our discretion, since the selection of a non-existent login-password pair does not pose a danger.
  5. Mask Login Errors? – option to disable authorization errors. The user will not be notified of an invalid username or password.
  6. Show Credit Link? – option to display a link to the plugin's official site (advertisement of Login LockDown developers). Displayed by default, to disable click the third checkbox.
  7. Update settings - the button to update the settings, click at the end to save the changes made.
  8. Currently Locked Out - an area with a list of blocked addresses. It is possible to clear the IP for trusted persons who did not gain access to the admin panel.

Instead of an afterword

Thus, you can unobtrusively restrict access to the WordPress admin area, ruling out automatic or manual password guessing. The Login LockDown plugin is updated periodically, which indicates compatibility with current versions of the CMS.

WordPress is the most popular content management system today. And it is clear why: it is easy to use and configure, has many plugins, and is free. But at the same time it gets a lot of attention from attackers. Sites on WordPress are very often the target of attacks. The reasons for hacking a site vary; more precisely, the reason is always the same, money, and only the approaches differ. One of the ways to hack a site, including one on WordPress, is brute force: trying to gain access to the site by guessing a username and password.

All WordPress users know that the entrance to the site admin panel is located at site.com/wp-login.php or site.com/wp-admin, from which you will be transferred to the first one anyway. The attackers know about it too. Therefore, if you are irresponsible in protecting the admin panel, then the likelihood of your site being hacked increases significantly. How can you keep out those who have no business in the admin panel?

The first, and the most banal, but no less important, is choosing a strong password and changing the standard login.

The second is the installation of special plugins to protect the admin panel.

The third is setting up redirects and manually editing WordPress files.

Also, most hosting providers now offer protection for the admin panel on their side.

In this article, I want to talk about the Login Lockdown plugin, which will help protect the admin panel of your WordPress site from password guessing.

How does the plugin work? When someone tries to get into your admin panel and enters the wrong data, login or password, a certain number of times in a certain period of time, Login LockDown blocks the IP address from which access was attempted for a certain amount of time.

Plugin Installation

You can install the plugin through the built-in WordPress manager. To do this, in the control panel, go to Plugins->Add New.

Enter the name of the plugin in the search field.

Select the plugin from the search results and click install.

After installing Login LockDown, you need to immediately activate it.

Now you can move on to setting up the extension.

Go to Settings->Login LockDown

There are not many settings for the plugin. Let's go through them briefly.

  • Max Login Retries - the maximum number of attempts. The default is 3, which means that after three failed login attempts, access from this IP will be blocked.
  • Retry Time Period Restriction (minutes) - time period in minutes for which unsuccessful login attempts are counted. The default is 5. That is, if an incorrect password is entered 3 times within five minutes, a blocking will occur.
  • Lockout Length (minutes) - the period of time for which a suspicious IP is blocked. Default 60 min.
  • Lockout Invalid Usernames? - Should an invalid login be counted? Disabled by default. If the function is disabled, then the plugin does not count the wrong login. That is, theoretically, if an attacker knows the password from the admin panel, then he will be able to try logins as many times as he likes.
  • Mask Login Errors? - Mask login errors? Disabled by default. If the function is disabled, then when entering incorrect data, a message appears notifying what exactly was entered incorrectly - login or password. When the function is enabled, the message will not specify exactly where the error was made.
  • Show Credit Link? - Show link to Login LockDown. You can choose between showing a link to the plugin site, showing a link but with a nofollow tag, or not showing a link.
  • Currently Locked Out - a list of blocked IPs and the time until unblocking. Here you can unblock an IP.

That's what Login LockDown is. After changing the settings, save them and now your blog will be a little more secure.
