[WordPress] Plugin Spotlight: Botnet Attack Blocker

⚠ This plugin has been removed from the directory: it is no longer updated or maintained, and installing it is not recommended.

Active installations: 400+
Rating: ★★★★ 4.5/5 (12 reviews)
Last updated: 3233 days ago
Support issues resolved
Requires WordPress 3.0.0+ · Version 2.0.0 · Listed: 2013-04-29

Description

After the recent globally distributed botnet attack on WordPress installations, which crashed servers and broke into administrator accounts, I wanted to write a WordPress plugin to prevent it happening again.

A distributed botnet attack can come from many IP addresses and locations at once, so the conventional IP-based lockout mechanisms (such as those in Wordfence and other WordPress security plugins) do not work.

For example, if 1,000 different computers (each with a unique IP address) try to brute-force your administrator password and you lock out each IP address after 5 wrong attempts, you have still allowed 5,000 attempts. My plugin essentially ignores the differing IP addresses and locks out all administrator login attempts in a configurable way, so if you set it to 5 failed attempts (the default), those 1,000 computers get only 5 attempts in total.

You can choose how many failed logins cause a lockdown, how much time is allowed between failures, how long logins stay blocked, and you can enter a whitelisted IP address (or several, separated by commas or spaces) that bypasses the lockdown and can always log in, so you can still get into your site even in the middle of an attack. Partial IP address matching is supported for dynamic IP addresses. You can also define a secret key to bypass the lockdown.

Every failed login counts, whatever the username or IP address (unless whitelisted)
Once locked down, nobody can log in except from whitelisted IP addresses or with the secret key
You can set the number of failed logins that triggers a lockdown
You can set the time between failed attempts within which they are counted
You can set how long the lockdown lasts
You can add a secret key that bypasses the lockdown
You can customise the lockout message
You can add whitelisted IP addresses that bypass the lockdown
Partial matching is supported for dynamically assigned IP addresses
Multisite supported
Available in English, French, German, Italian and Russian

⬇ Download the latest version (v2.0.0) or search for it and install

① Download the ZIP → in the dashboard go to "Plugins › Add New › Upload Plugin"
② Search for "Botnet Attack Blocker" in the dashboard → install directly (recommended)

Original plugin description

After the recent global distributed botnet attack on WordPress installations that took down servers and broke into admin accounts, I thought I’d write a plugin to prevent it happening again.
Distributed botnet attacks can come from multiple IP addresses and locations at the same time, so conventional IP-based lockouts are not effective (e.g. those found in Wordfence and other WordPress security plugins).
For example, if 1,000 different computers (with unique IP addresses) are trying to brute-force your admin password and you lock out each IP address after 5 incorrect attempts, then you have still allowed 5,000 attempts. My plugin essentially ignores the different IP addresses and locks out all admin login attempts in a configurable way – so if you have it set to 5 failed attempts (default) then those 1,000 different computers will only have a total between them of 5 attempts.
You can select how many login failures cause the lockout, how much time to allow between failures, how long to block logins for, and also you can input a whitelisted IP address (or multiple addresses separated with commas or spaces) which can bypass the lockdown and always log in – so you can still always get into your site even in the middle of an attack. There is also support for partial IP address matching for those with dynamic IP addresses. You can also define a secret key to bypass the lock.

Any failed login is counted regardless of username or IP address (unless whitelisted)
Once locked down, nobody can log in except from whitelisted IP addresses or using the secret key
You can specify the number of login failures that triggers a lockdown
You can specify the time between failed attempts that should be counted
You can specify how long the lockdown should last
You can add a secret key that bypasses the lockdown
You can customise the lockout message
You can add whitelisted IP addresses that bypass the lockdown
Partial IP address matching for dynamically-allocated IP addresses
Multisite compatible
Available in English, French, German, Italian and Russian
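The mechanism described above (a single failure counter shared by every IP address, a time window between failures, a lockdown duration, a whitelist with partial matching, and a secret-key bypass) is small enough to show in full. The block below is an added example written for this page; it is not the plugin's own code. It keeps its state in a plain array so it runs stand-alone under PHP 8, and the `wp_login_failed` action and `authenticate` filter in the trailing comment are the assumed WordPress wiring, not the plugin's. All settings, addresses and the key are constructed values.

```php
<?php
// Added example, not the plugin's own code: a global lockout counter that follows
// the behaviour described on the page. State lives in a plain array so the file runs
// stand-alone (PHP 8+); inside WordPress you would persist $state with
// get_option()/update_option(). Settings, addresses and the key are constructed.

class GlobalLoginLockout
{
    private array $state = ['failures' => 0, 'last_failure' => 0, 'locked_until' => 0];

    public function __construct(
        private int $maxFailures,     // failures that trigger a lockdown
        private int $failureWindow,   // seconds between failures for them to count together
        private int $lockoutDuration, // seconds the lockdown lasts
        private array $whitelist,     // full addresses, or prefixes ending in "."
        private string $secretKey     // bypass key; empty string disables it
    ) {}

    // Partial matching: an entry ending in "." matches every address that starts with
    // that prefix, so a dynamically assigned address inside one block still bypasses.
    public function isWhitelisted(string $ip): bool
    {
        foreach ($this->whitelist as $entry) {
            $entry = trim($entry);
            if ($entry === '') {
                continue;
            }
            $match = str_ends_with($entry, '.') ? str_starts_with($ip, $entry) : $ip === $entry;
            if ($match) {
                return true;
            }
        }
        return false;
    }

    // Every failed login counts, whatever the username or source IP, unless whitelisted.
    public function recordFailure(string $ip, int $now): void
    {
        if ($this->isWhitelisted($ip)) {
            return;
        }
        // A failure arriving after the window has elapsed starts a fresh count.
        if ($now - $this->state['last_failure'] > $this->failureWindow) {
            $this->state['failures'] = 0;
        }
        $this->state['failures']++;
        $this->state['last_failure'] = $now;
        if ($this->state['failures'] >= $this->maxFailures) {
            $this->state['locked_until'] = $now + $this->lockoutDuration;
            $this->state['failures'] = 0;
        }
    }

    // During a lockdown only whitelisted addresses or a valid secret key get through.
    public function isBlocked(string $ip, ?string $key, int $now): bool
    {
        if ($now >= $this->state['locked_until'] || $this->isWhitelisted($ip)) {
            return false;
        }
        if ($key !== null && $this->secretKey !== '' && hash_equals($this->secretKey, $key)) {
            return false;
        }
        return true;
    }
}

// Stand-alone check using constructed addresses from the documentation ranges.
function expect(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("unexpected: $what");
    }
    echo "ok: $what\n";
}

$lock = new GlobalLoginLockout(5, 300, 3600, ['192.0.2.7', '198.51.100.'], 'constructed-key');
$t = 1000000;
foreach (['192.0.2.1', '192.0.2.2', '192.0.2.3', '192.0.2.4'] as $i => $ip) {
    $lock->recordFailure($ip, $t + $i);
}
expect(!$lock->isBlocked('192.0.2.50', null, $t + 5), 'four failures from four hosts: still open');
$lock->recordFailure('192.0.2.5', $t + 5);
expect($lock->isBlocked('192.0.2.50', null, $t + 6), 'fifth failure: every host is locked out');
expect(!$lock->isBlocked('198.51.100.42', null, $t + 6), 'partial whitelist prefix bypasses');
expect(!$lock->isBlocked('192.0.2.50', 'constructed-key', $t + 6), 'secret key bypasses');
expect($lock->isBlocked('192.0.2.50', 'wrong-key', $t + 6), 'wrong key stays locked');
expect(!$lock->isBlocked('192.0.2.50', null, $t + 3606), 'lockdown ends after its duration');

$spaced = new GlobalLoginLockout(2, 60, 3600, [], '');
$spaced->recordFailure('192.0.2.9', $t);
$spaced->recordFailure('192.0.2.9', $t + 61);
expect(!$spaced->isBlocked('192.0.2.9', null, $t + 62), 'failures outside the window do not add up');

// Assumed WordPress wiring (not the plugin's own). REMOTE_ADDR is only trustworthy
// when no reverse proxy sits in front of PHP.
// add_action('wp_login_failed', fn ($username) => $lock->recordFailure($_SERVER['REMOTE_ADDR'], time()));
// add_filter('authenticate', function ($user, $username, $password) use ($lock) {
//     if ($lock->isBlocked($_SERVER['REMOTE_ADDR'], $_GET['key'] ?? null, time())) {
//         return new WP_Error('botnet_lockdown', 'Logins are temporarily locked.');
//     }
//     return $user;
// }, 1, 3);
```

The trade-off the page describes is visible in the first run: because the counter is shared, five failures from five unrelated hosts lock out everyone, including legitimate administrators, which is exactly why the whitelist and secret key exist. When configuring a scheme like this, keep the whitelist prefixes as narrow as possible, since a short prefix such as `198.51.100.` exempts an entire block from the lockdown.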
