跳至内容
  • 登录
  • 注册
WordPress.org

China 简体中文

  • 主题
  • 插件
  • 消息
  • 支持
    • 文档
    • 论坛
  • 关于
  • 获取 WordPress
获取 WordPress

插件

  • 我的收藏
  • Beta测试
  • 开发者

该插件尚未通过WordPress的最新3个主要版本进行测试。 当与较新版本的WordPress一起使用时,可能不再受到维护或支持,并且可能会存在兼容性问题。

下载

Limit Login Attempts

作者Johan Eenfeldt
  • 详情
  • 评价
  • 安装
  • 开发进展
支持

描述

Limit the number of login attempts possible both through normal login as well as using auth cookies.

By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.

Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.

Features

  • Limit the number of retry attempts when logging in (for each IP). Fully customizable
  • Limit the number of attempts to log in using auth cookies in same way
  • Informs user about remaining retries or lockout time on login page
  • Optional logging, optional email notification
  • Handles server behind reverse proxy
  • It is possible to whitelist IPs using a filter. But you probably shouldn’t. 🙂

Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish

Plugin uses standard actions and filters only.

屏幕截图

  • Loginscreen after failed login with retries remaining
  • Loginscreen during lockout
  • Administration interface in WordPress 3.0.4

安装

  1. Download and extract plugin files to a wp-content/plugin directory.
  2. Activate the plugin through the WordPress admin interface.
  3. Customize the settings on the options page, if desired. If your server is located behind a reverse proxy make sure to change this setting.

If you have any questions or problems please make a post here: https://wordpress.org/tags/limit-login-attempts

常见问题

Installation Instructions
  1. Download and extract plugin files to a wp-content/plugin directory.
  2. Activate the plugin through the WordPress admin interface.
  3. Customize the settings on the options page, if desired. If your server is located behind a reverse proxy make sure to change this setting.

If you have any questions or problems please make a post here: https://wordpress.org/tags/limit-login-attempts

Why not reset failed attempts on a successful login?

This is very much by design. Otherwise you could brute force the “admin” password by logging in as your own user every 4th attempt.

What is this option about site connection and reverse proxy?

A reverse proxy is a server in between the site and the Internet (perhaps handling caching or load-balancing). This makes getting the correct client IP to block slightly more complicated.

The option default to NOT being behind a proxy — which should be by far the common case.

How do I know if my site is behind a reverse proxy?

You probably are not or you would know. We show a pretty good guess on the option page. Set the option using this unless you are sure you know better.

Can I whitelist my IP so I don’t get locked out?

First please consider if you really need this. Generally speaking it is not a good idea to have exceptions to your security policies.

That said, there is now a filter which allows you to do it: “limit_login_whitelist_ip”.

Example:
function my_ip_whitelist($allow, $ip) {
return ($ip == ‘my-ip’) ? true : $allow;
}
add_filter(‘limit_login_whitelist_ip’, ‘my_ip_whitelist’, 10, 2);

Note that we still do notification and logging as usual. This is meant to allow you to be aware of any suspicious activity from whitelisted IPs.

I locked myself out testing this thing, what do I do?

Either wait, or:

If you know how to edit / add to PHP files you can use the IP whitelist functionality described above. You should then use the “Restore Lockouts” button on the plugin settings page and remove the whitelist function again.

If you have ftp / ssh access to the site rename the file “wp-content/plugins/limit-login-attempts/limit-login-attempts.php” to deactivate the plugin.

If you have access to the database (for example through phpMyAdmin) you can clear the limit_login_lockouts option in the wordpress options table. In a default setup this would work: “UPDATE wp_options SET option_value = ” WHERE option_name = ‘limit_login_lockouts'”

评价

Interesante

inakijm 2020年12月30日
Se lo pone más dicícil a los hackers que quieren acceder a tu blog ya que les limita el número de accesos.

Not maintained but still works

wroot 2020年4月29日
Would be good to get new versions and fix possible security issues (if any), but it seems to still work.

Works very well

purpslisfeedb 2020年4月14日
Works very well

Getting a lot better.

brightvesseldev 2021年10月21日
We had initial issues and tried again and it is working better.

Awesome

naimansari 2019年9月20日
Awesome Plugin

It still works great!

Adam Faryna 2019年6月24日
well done
阅读所有199条评价

贡献者及开发者

“Limit Login Attempts” 是开源软件。 以下人员对此插件做出了贡献。

贡献者
  • johanee

“Limit Login Attempts”插件已被翻译至33种本地话语言。 感谢所有译者为本插件所做的贡献。

将“Limit Login Attempts”翻译成您的语言。

对开发感兴趣吗?

您可以浏览代码,查看SVN仓库,或通过RSS订阅开发日志。

更新日志

1.7.1

This version fixes a security bug in version 1.6.2 and 1.7.0. Please upgrade immediately.

“Auth cookies” are special cookies set at login that authenticating you to the system. It is how WordPress “remembers” that you are logged in between page loads.

During lockout these are supposed to be cleared, but a change in 1.6.2 broke this. It allowed an attacker to keep trying to break these cookies during a lockout.

Lockout of normal password login attempts still worked as it should, and it appears that all “auth cookie” attempts would keep getting logged.

In theory the “auth cookie” is quite resistant to brute force attack. It contains a cryptographic hash of the user password, and the difficulty to break it is not based on the password strength but instead on the cryptographic operations used and the length of the hash value. In theory it should take many many years to break this hash. As theory and practice does not always agree it is still a good idea to have working lockouts of any such attempts.

1.7.0

  • Added filter that allows whitelisting IP. Please use with care!!
  • Update to Spanish translation, thanks to Marcelo Pedra
  • Updated Swedish translation
  • Tested against WordPress 3.3.2

1.6.2

  • Fix bug where log would not get updated after it had been cleared
  • Do plugin setup in ‘init’ action
  • Small update to Spanish translation file, thanks to Marcelo Pedra
  • Tested against WordPress 3.2.1

1.6.1

  • (WordPress 3.0+) An invalid cookie can sometimes get sent multiple times before it gets cleared, resulting in multiple failed attempts or even a lockout from a single invalid cookie. Store the latest failed cookie to make sure we only count it as one failed attempt
  • Define “Text Domain” correctly
  • Include correct Dutch tranlation file. Thanks to Martin1 for noticing. Thanks again to Bjorn Wijers for the translation
  • Updated POT file for this version
  • Tested against WordPress 3.1-RC4

1.6.0

  • Happy New Year
  • Tested against WordPress 3.1-RC1
  • Plugin now requires WordPress version 2.8+. Of course you should never ever use anything but the latest version
  • Fixed deprecation warnings that had been piling up with the old version requirement. Thanks to Johannes Ruthenberg for the report that prompted this
  • Removed auth cookie admin check for version 2.7.
  • Make sure relevant values in $_COOKIE get cleared right away on auth cookie validation failure. There are still some problems with cookie auth handling. The lockout can trigger prematurely in rare cases, but fixing it is plugin version 2 stuff unfortunately.
  • Changed default time for retries to reset from 24 hours to 12 hours. The security impact is very minor and it means the warning will disappear “overnight”
  • Added question to FAQ (“Why not reset failed attempts on a successful login?”)
  • Updated screenshots

1.5.2

  • Reverted minor cookie-handling cleanup which might somehow be responsible for recently reported cookie related lockouts
  • Added version 1.x Brazilian Portuguese translation, thanks to Luciano Passuello
  • Added Finnish translation, thanks to Ari Kontiainen

1.5.1

  • Further multisite & WPMU support (again thanks to erik@erikshosting.com)
  • Better error handling if option variables are damaged
  • Added Traditional Chinese translation, thanks to Denny Huang bigexplorations@bigexplorations.com.tw

1.5

  • Tested against WordPress 3.0
  • Handle 3.0 login page failure “shake”
  • Basic multisite support (parts thanks to erik@erikshosting.com)
  • Added Dutch translation, thanks to Bjorn Wijers burobjorn@burobjorn.nl
  • Added Hungarian translation, thanks to Blint Vereskuti balint@vereskuti.info
  • Added French translation, thanks to oVa ova13lastar@gmail.com

1.4.1

  • Added Turkish translation, thanks to Yazan Canarkadas

1.4

  • Protect admin page update using wp_nonce
  • Added Czech translation, thanks to Jakub Jedelsky

1.3.2

  • Added Bulgarian translation, thanks to Hristo Chakarov
  • Added Norwegian translation, thanks to Rune Gulbrandsy
  • Added Spanish translation, thanks to Marcelo Pedra
  • Added Persian translation, thanks to Mostafa Soufi
  • Added Russian translation, thanks to Jack Leonid (http://studio-xl.com)

1.3.1

  • Added Catalan translation, thanks to Robert Buj
  • Added Romanian translation, thanks to Robert Tudor

1.3

  • Support for getting the correct IP for clients while server is behind reverse proxy, thanks to Michael Skerwiderski
  • Added German translation, thanks to Michael Skerwiderski

1.2

  • No longer replaces pluggable function when cookie handling active. Re-implemented using available actions and filters
  • Filter error messages during login to avoid information leak regarding available usernames
  • Do not show retries or lockout messages except for login (registration, lost password pages). No change in actual enforcement
  • Slightly more aggressive in trimming old retries data

1.1

  • Added translation support
  • Added Swedish translation
  • During lockout, filter out all other login errors
  • Minor cleanups

1.0

  • Initial version

额外信息

  • 版本:1.7.1
  • 最后更新:11年前
  • 有效安装数量:600,000+
  • WordPress版本: 2.8 或更高版本
  • 最高兼容版本:3.3.2
  • 语言:

    Albanian、Bulgarian、Catalan、Chinese (China)、Chinese (Taiwan)、Croatian、Czech、Danish、Dutch、English (Australia)、English (Canada)、English (New Zealand)、English (UK)、English (US)、Finnish、French (Canada)、French (France)、Galician、German、Hebrew、Hungarian、Italian、Japanese、Lithuanian、Norwegian (Bokmål)、Portuguese (Brazil)、Romanian、Russian、Slovak、Spanish (Spain)、Spanish (Venezuela)、Swedish、Turkish和Ukrainian.

    翻译成您的语言

  • 标签:
    authenticationloginsecurity
  • 高级视图

评级

查看所有评价
  • 5星 167
  • 4星 13
  • 3星 3
  • 2星 4
  • 1星 12
登录以提交评价。

贡献者

  • johanee

支持

最近两个月解决的问题:

总计 1,已解决 0

查看支持论坛

  • 关于
  • 消息
  • 主机
  • 捐助
  • Swag
  • 文档
  • 开发者
  • 参与
  • 学习
  • 展示站点
  • 插件
  • 主题
  • 区块样板
  • WordCamp
  • WordPress.TV
  • BuddyPress
  • bbPress
  • WordPress.com
  • Matt
  • 隐私
  • Public Code
WordPress.org
WordPress.org

China 简体中文

  • 访问我们的 Facebook 公共主页
  • 关注我们的 Twitter 账号
  • 关注我们的 Instagram 账号
  • 关注我们的 LinkedIn 主页
代码如诗