As a WordPress developer, I quite frequently deal with clients whose WordPress installations have been hacked. The number one cause I have seen behind these hacks is short, insecure passwords. I have dealt with so many of these issues that I wrote a small ebook called The Concise Guide to Securing WordPress and Repairing Hacks. For my clients, I also wrote a small plugin to limit the number of login attempts a user can perform. This is a highly effective way to slow down a brute-force login attempt: when an attacker is blocked for even just 30 seconds after every 5 bad passwords, they are going to move on to a different site (unless they really want to hack your site).
```php
<?php
/*
 * Limit login attempts: 5 failures from one IP address within 30 seconds
 * block further attempts until the transient expires.
 */
function my_failed_login( $username ) {
    $call_limit = 5;   // Login attempts allowed
    $time_limit = 30;  // in seconds
    $transient  = 'failed_login_' . get_ip_address();

    // get_transient() returns false when nothing is stored; the cast turns that into an empty array
    $calls   = (array) get_transient( $transient );
    $calls[] = time();
    set_transient( $transient, $calls, $time_limit ); // The expiry restarts with every failure
}
add_action( 'wp_login_failed', 'my_failed_login' );

function check_for_limited_login() {
    $call_limit = 5;
    $transient  = 'failed_login_' . get_ip_address();
    $calls      = (array) get_transient( $transient ); // Cast so count() never receives false

    if ( $call_limit <= count( $calls ) ) {
        wp_die( 'You have exceeded the maximum login attempts. Please try again in 5 minutes.' );
    }
}
add_action( 'login_init', 'check_for_limited_login' );

function get_ip_address() {
    // Every entry before REMOTE_ADDR is a client-supplied header that can be forged
    // unless a proxy you control overwrites it; REMOTE_ADDR is the only value set by the server.
    $methods = array(
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED',
        'REMOTE_ADDR',
    );
    foreach ( $methods as $key ) {
        if ( true === array_key_exists( $key, $_SERVER ) ) {
            // Use the first address of a comma-separated list
            foreach ( explode( ',', $_SERVER[ $key ] ) as $ip ) {
                return trim( $ip );
            }
        }
    }
    return ''; // Not expected under a web server, but keeps the transient key well-formed
}
```
This plugin uses the WordPress hook and transient APIs (which are great). By default I limit login attempts to 5 every 30 seconds, but the error message (a simple wp_die call) tells the user they are locked out for 5 minutes. I simply create the mu-plugins folder in each client's wp-content directory and drop this code into a PHP file there. Instantly their WordPress security is increased drastically!
Note: there is actually a plugin out there already called Limit Login Attempts. It has basically the same functionality as the code above, except that it also pays attention to cookies and doesn't use WordPress transients. It also has an admin interface, but I prefer to keep the settings in code for a security plugin; being in the mu-plugins directory also makes it a little safer, since it is hard to get to from the WordPress dashboard.
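As an added example (not code from the original post), here is a variant of the mu-plugin that keeps a separate lockout transient so the lockout really lasts the 5 minutes the message promises, mails the admin on each lockout, and trusts X-Forwarded-For only when the site is behind a proxy you control. The constant names, the MY_LOGIN_BEHIND_PROXY switch and the mail wording are assumptions of this example.

```php
<?php
// Added example: failure counter and lockout kept in two transients.
define( 'MY_LOGIN_MAX_FAILURES', 5 );                 // failures allowed per counting window
define( 'MY_LOGIN_COUNT_WINDOW', 30 );                // seconds the failure counter lives
define( 'MY_LOGIN_LOCKOUT', 5 * MINUTE_IN_SECONDS );  // lockout length once the limit is hit
define( 'MY_LOGIN_BEHIND_PROXY', false );             // assumption: true only behind a trusted reverse proxy

function my_client_ip() {
    // X-Forwarded-For is attacker-controlled unless a trusted proxy overwrites it,
    // so it is consulted only when the site is known to sit behind such a proxy.
    if ( MY_LOGIN_BEHIND_PROXY && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        $chain = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );
        return trim( $chain[0] );
    }
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function my_login_keys() {
    $id = md5( my_client_ip() ); // short transient names without dots or colons
    return array( 'failed_login_' . $id, 'login_lockout_' . $id );
}

function my_record_failure( $username ) {
    list( $count_key, $lock_key ) = my_login_keys();
    $failures = (int) get_transient( $count_key ) + 1;
    if ( $failures >= MY_LOGIN_MAX_FAILURES ) {
        set_transient( $lock_key, time(), MY_LOGIN_LOCKOUT ); // lockout outlives the counter
        delete_transient( $count_key );
        wp_mail( get_option( 'admin_email' ), 'Login lockout on ' . home_url(),
                 sprintf( 'IP %s locked out after %d failed attempts (last user tried: %s).',
                          my_client_ip(), $failures, sanitize_user( $username ) ) );
        return;
    }
    set_transient( $count_key, $failures, MY_LOGIN_COUNT_WINDOW ); // window restarts on each failure
}
add_action( 'wp_login_failed', 'my_record_failure' );

function my_enforce_lockout() {
    list( , $lock_key ) = my_login_keys();
    if ( false !== get_transient( $lock_key ) ) {
        wp_die( 'Too many failed login attempts. Please try again in 5 minutes.',
                'Login locked', array( 'response' => 429 ) );
    }
}
add_action( 'login_init', 'my_enforce_lockout' );
```

The lockout email is what lets you help a locked-out member rather than leaving them guessing, which matters on membership sites.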
It's better if we have a cookie for multiple login failures. Whenever the user fails more than 5 times, we can set a cookie for a particular time.
Cookies can be easily removed… in fact, any intelligent hacker who wants to brute force your site will simply ignore your cookies.
I also use and recommend Limit Login Attempts. If you are using it on a membership site — be sure to enable notifications on a lockout. This way you can help your site members log in to your site.