Category: Security

Limit Login Attempts NG

Simone Fioravanti

Limit rate of login attempts, including by way of cookies, for each IP.

Download

More Info
Limit the number of login attempts possible both through normal login as well as using auth cookies.

By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.

Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.

This plugin is a fork of Limit Login Attempts Copyright 2008 – 2012 Johan Eenfeldt

Features
- Limit the number of retry attempts when logging in (for each IP). Fully customizable
- Limit the number of attempts to log in using auth cookies in same way
- Informs user about remaining retries or lockout time on login page
- Optional logging, optional email notification
- Handles server behind reverse proxy
- It is possible to whitelist IPs using a filter. But you probably shouldn’t. :-)
Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Italian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish

Plugin uses standard actions and filters only.

Installation
1. Download and extract plugin files to a wp-content/plugin directory.
2. Activate the plugin through the WordPress admin interface.
3. Customize the settings on the options page, if desired. If your server is located behind a reverse proxy make sure to change this setting.
If you have any questions or problems please make a post here: http://wordpress.org/tags/limit-login-attempts

Frequently Asked Questions

= Why not reset failed attempts on a successful login? =

This is very much by design. Otherwise you could brute force the “admin” password by logging in as your own user every 4th attempt.

= What is this option about site connection and reverse proxy? =

A reverse proxy is a server in between the site and the Internet (perhaps handling caching or load-balancing). This makes getting the correct client IP to block slightly more complicated.

The option default to NOT being behind a proxy — which should be by far the common case.

= How do I know if my site is behind a reverse proxy? =

You probably are not or you would know. We show a pretty good guess on the option page. Set the option using this unless you are sure you know better.

= Can I whitelist my IP so I don’t get locked out? =

First please consider if you really need this. Generally speaking it is not a good idea to have exceptions to your security policies.

That said, there is now a filter which allows you to do it: “limit_login_whitelist_ip”.

Example:

function my_ip_whitelist($allow, $ip) { return ($ip ## 'my-ip') ? true : $allow; }
add_filter(‘limit_login_whitelist_ip’, ‘my_ip_whitelist’, 10, 2);

Note that we still do notification and logging as usual. This is meant to allow you to be aware of any suspicious activity from whitelisted IPs.

= I locked myself out testing this thing, what do I do? =

Either wait, or:

If you know how to edit / add to PHP files you can use the IP whitelist functionality described above. You should then use the “Restore Lockouts” button on the plugin settings page and remove the whitelist function again.

If you have ftp / ssh access to the site rename the file “wp-content/plugins/limit-login-attempts/limit-login-attempts.php” to deactivate the plugin.

If you have access to the database (for example through phpMyAdmin) you can clear the limit_login_lockouts option in the wordpress options table. In a default setup this would work: “UPDATE wp_options SET option_value = ” WHERE option_name = ‘limit_login_lockouts'”

= How many IPs are logged? =

By default 250.

That said, there is now a filter which allows you to do it: “limit_login_log_max_ips”.

Setting the value to 0 means no limits.

Example:

function limit_login_log_unlimited_ips($max_ips) { return 0; } add_filter('limit_login_log_max_ips', 'limit_login_log_unlimited_ips', 10, 2);
ClassicPress password fixer

Simone Fioravanti

Fix passwords issues when migrating from WP 6.8.x

Download

More Info
Spoof User Agent

Simone Fioravanti

Change your User Agent to whatever you want. Go to Settings > Spoof User Agent to configure the User Agent exposed when doing HTTP requests.

Download

More Info
ClassicPress Pepper for Passwords

ClassicPress

For enhanced security add a "pepper" to password hashing.

Download

More Info
Overview

The ClassicPress Pepper Password Plugin is designed to enhance the security of user passwords by implementing a unique “pepper” mechanism. This plugin allows administrators to generate and manage a pepper string that is used in conjunction with password hashing, adding an additional layer of protection against unauthorized access.

Features
- Pepper Generation: Easily generate (or refresh) a random pepper string to enhance password security by clicking a button.
- Settings Menu: Access the plugin settings through the ClassicPress admin menu at Settings > Pepper.
- Automatic Activation: The plugin creates a pepper file upon activation, if it doesn’t already exist, to store the random Pepper string.
- User-Friendly Interface: Simple navigation and clear messages for users.
Manual Installation
1. Download the plugin .zip file.
2. Upload the pepper-password folder to the /wp-content/plugins/ directory via FTP, or visiting Plugins > Upload.
3. Activate the plugin through the Plugins menu in ClassicPress.
Installation
- Install the ClassicPress Directory Integration plugin and activate it on your site
- Visit Plugins > Install CP Plugins and search for ClassicPress Pepper Password Plugin
- You can install and activate the plugin by clicking the respective buttons.
Usage

Accessing Settings
- Navigate to Settings > Pepper in the ClassicPress admin dashboard to manage your pepper settings.
Generating a Pepper
- Click on the Enable Pepper or Renew Pepper button within the settings page to generate or renew the pepper string.
Important Notes
- Changing or deactivating this plugin will invalidate all stored password hashes, requiring users to reset their passwords.
- Ensure you have filesystem permissions set correctly for the plugin to function properly.
Contributing

Contributions are welcome! Please fork the repository and submit a pull request for any enhancements or bug fixes.

License

This plugin is licensed under the GPL v2 or later. Please see the LICENSE file for more details.

Support

For support or inquiries, please open an issue in the repository or contact the plugin author directly.
ClassicPress Integrity Checker

Simone Fioravanti

Check core files against MD5.

Download

More Info
Plugin for ClassicPress.

Check core files against MD5.

Filters
- Change URL: cpic-url (default https://api-v1.classicpress.net/v1/checksums/md5/)
- Change requested CP version: cpic-version (default local CP version)
Disable FLoC

azurecurve

Description Disable Google's next-gen tracking technology Have you ever heard of "Federated Learning of Cohorts" – or FLoC? It is Google's next-ge ...

Download

More Info
Disable Google’s next-gen tracking technology

Have you ever heard of “Federated Learning of Cohorts” – or FLoC? It is Google’s next-generation technique for tracking users across the web. They say it’s anonymous and safe. We know better. This plugin sets a header to disable the FLoC tracking.

Installation
- Download the latest release of the plugin from GitHub.
- Upload the entire zip file using the Plugins upload function in your ClassicPress admin panel.
- Activate the plugin.
Frequently Asked Questions

Can I translate this plugin?

Yes, the .pot file is in the plugins languages folder and can also be downloaded from the plugin page on https://development.azurecurve.co.uk; if you do translate this plugin, please sent the .po and .mo files to [email protected] for inclusion in the next version (full credit will be given).

Is this plugin compatible with both WordPress and ClassicPress?

This plugin is developed for ClassicPress, but will likely work on WordPress.

Changelog

Version 1.1.1
- Update readme file for compatibility with ClassicPress Directory.
Other Notes

azurecurve was one of the first plugin developers to start developing for ClassicPress; all plugins are available from azurecurve Development and are integrated with the Update Manager plugin for fully integrated, no hassle, updates.

The other plugins available from azurecurve are:
- Add Open Graph Tags – details / download
- Add Twitter Cards – details / download
- Avatars – details / download
- BBCode – details / download
- Breadcrumbs – details / download
- Call-out Boxes – details / download
- Check Plugin Status – details / download
- Code – details / download
- Comment Validator – details / download
- Conditional Links – details / download
- Contact Forms – details / download
- Disable FLoC – details / download
- Estimated Read Time – details / download
- Events – details / download
- Filtered Categories – details / download
- Flags – details / download
- Floating Featured Image – details / download
- From Twitter – details / download
- Gallery From Folder – details / download
- Get GitHub File – details / download
- Icons – details / download
- Images – details / download
- Insult Generator – details / download
- Load Admin CSS – details / download
- Loop Injection – details / download
- Maintenance Mode – details / download
- Markdown – details / download
- Mobile Detection – details / download
- Multisite Favicon – details / [download](https://github.com/azurecurve/azrcrv-multisite-favicon/
Registration Honeypot

Simone Fioravanti

Registration Honeypot Add a honeypot to your ClassicPress registration form to prevent spambots from creating user accounts. Usage The Registration ...

Download

More Info