[WordPress] Plugin Share: Login Security Solution

Introduction

  • The WordPress plugin "Login Security Solution" was first published on 2012-03-20.
  • It currently has 5000 active installations.
  • The last update was on 2017-11-28, 2716 days ago. It has gone more than a year without an update, so confirm that the version still works before installing, and consider the question of ongoing maintenance!
  • The plugin requires at least WordPress 3.3.
  • 54 people have rated it.
  • Nobody has asked a question in the support forum yet; either usage is low or there have been no major problems so far.

Plugin Contributors

convissor

Plugin Tags

login | strong | password | strength | passwords

Description

This WordPress plugin provides a simple way to lock down login security for multisite and regular WordPress installations. Its features are as follows:

Blocks brute force and dictionary attacks without inconveniencing legitimate users or administrators.

Tracks IP addresses, usernames, and passwords.
Monitors logins made by form submissions, XML-RPC requests and authentication cookies.
If a login failure uses data matching a past failure, the plugin slows down its response time. The more failures, the longer the delay. This limits attackers' ability to effectively probe your site, so they give up and look for an easier target.
If an account appears to have been breached, the "user" is immediately logged out and forced to use WordPress' password reset tool, which prevents any damage and verifies the user's identity. But if the user logs in from an IP address they have used in the past, the plugin automatically sends the user an email to confirm that it was them logging in. All of this happens without administrator intervention.
Can notify the administrator of attacks and breaches.
Supports IPv6.

Thoroughly examines and enforces password strength. Includes full UTF-8 character set support if PHP's mbstring extension is enabled. The checks catch every entry in current password dictionaries. For example:

Minimum length (customizable)
Does not match blog information
Does not match user data
Must contain numbers, punctuation, upper- and lower-case characters, or be very long. Note: alphabets with only one case (e.g. Arabic, Hebrew) are automatically exempted from the upper/lower case requirement.
Non-sequential codepoints
Non-sequential keystrokes (custom sequence files can be added)
Password/phrase not found in the password dictionary files you provide
Decodes "leet" speak
Password/phrase not found by the dict dictionary program (if available)

Blocks discovering usernames via the "?author=" query string.
Password aging (optional) (not recommended).

Users must change their password every x days (customizable)
Grace period for choosing a new password (customizable)
Remembers old passwords (quantity customizable)

Administrators can require all users to change their passwords.

Done via a flag in each user's database entry.
No mail is sent, keeping your server off spam lists.

Logs out idle sessions (optional) (idle time customizable).
Maintenance mode (optional).

Publicly viewable content remains visible.
Disables logins by all users except administrators.
Logs out all existing sessions except administrators.
Disables posting of comments.
Useful for maintenance or emergencies.
This is separate from WordPress' maintenance mode.

Prevents information disclosure from failed logins.

Improvements over similar WordPress plugins:

Multisite network support
Monitors authentication cookies for bad usernames and hashes
Tracks logins from XML-RPC requests

Original Plugin Description

A simple way to lock down login security for multisite and regular
WordPress installations.

Blocks brute force and dictionary attacks without inconveniencing
legitimate users or administrators

Tracks IP addresses, usernames, and passwords
Monitors logins made by form submissions, XML-RPC requests and
auth cookies
If a login failure uses data matching a past failure, the plugin
slows down response times. The more failures, the longer the delay.
This limits attackers' ability to effectively probe your site,
so they’ll give up and go find an easier target.
If an account seems breached, the “user” is immediately logged out
and forced to use WordPress’ password reset utility. This prevents
any damage from being done and verifies the user’s identity. But
if the user is coming in from an IP address they have used in the
past, an email is sent to the user making sure it was them logging in.
All without intervention by an administrator.
Can notify the administrator of attacks and breaches
Supports IPv6

Thoroughly examines and enforces password strength. Includes full
UTF-8 character set support if PHP’s mbstring extension is enabled.
The tests have caught every password dictionary entry I’ve tried.

Minimum length (customizable)
Doesn’t match blog info
Doesn’t match user data
Must either have numbers, punctuation, upper and lower case characters
or be very long. Note: alphabets with only one case (e.g. Arabic,
Hebrew, etc.) are automatically exempted from the upper/lower case
requirement.
Non-sequential codepoints
Non-sequential keystrokes (custom sequence files can be added)
Not in the password dictionary files you’ve provided (if any)
Decodes “leet” speak
The password/phrase is not found by the dict dictionary
program (if available)
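The password rules listed above (and in the translated description earlier on the page) in simplified form, as an added example that is not the plugin's own code: it covers minimum length, the character-class rule with its single-case-alphabet exemption and "very long" escape hatch, sequential codepoints, and leet decoding against a dictionary. All function names are hypothetical, the dictionary is constructed, and it assumes PHP 7.4 or later with the mbstring extension.

```php
<?php
// Added example with hypothetical names, not the plugin's own code. Needs
// PHP >= 7.4 with mbstring. Simplified versions of several rules listed above.
function lss_example_case_ok(string $pw): bool {
    // Nothing changes under case mapping: a single-case alphabet (Arabic,
    // Hebrew, ...), so the upper/lower requirement is waived.
    if (mb_strtolower($pw) === mb_strtoupper($pw)) return true;
    return mb_strtolower($pw) !== $pw && mb_strtoupper($pw) !== $pw;
}

function lss_example_is_sequential(string $pw): bool {
    // "abcdef" or "fedcba": every neighbouring codepoint differs by exactly 1.
    if (mb_strlen($pw) < 2) return false;
    $cps  = array_map('mb_ord', mb_str_split($pw));
    $step = $cps[1] - $cps[0];
    if (abs($step) !== 1) return false;
    for ($i = 2, $n = count($cps); $i < $n; $i++) {
        if ($cps[$i] - $cps[$i - 1] !== $step) return false;
    }
    return true;
}

function lss_example_decode_leet(string $pw): string {
    // Undo common substitutions so "P@$$w0rd" is compared as "password".
    return strtr($pw, ['4' => 'a', '@' => 'a', '3' => 'e', '1' => 'i', '!' => 'i',
                       '0' => 'o', '$' => 's', '5' => 's', '7' => 't']);
}

// Returns the failed rules; an empty array means the password is acceptable.
function lss_example_check(string $pw, array $dictionary, int $min_len = 10): array {
    $problems = [];
    $len = mb_strlen($pw);
    if ($len < $min_len) $problems[] = "shorter than $min_len characters";
    $classes = (int) preg_match('/\p{N}/u', $pw)        // digits
             + (int) preg_match('/[\p{P}\p{S}]/u', $pw) // punctuation or symbols
             + (int) lss_example_case_ok($pw);          // mixed case (or exempt)
    if ($classes < 3 && $len < 20) {   // very long passphrases are exempt
        $problems[] = 'needs digits, punctuation and mixed case, or be very long';
    }
    if (lss_example_is_sequential($pw)) $problems[] = 'sequential codepoints';
    if (in_array(mb_strtolower(lss_example_decode_leet($pw)), $dictionary, true)) {
        $problems[] = 'dictionary word (after leet decoding)';
    }
    return $problems;
}

$dictionary = ['password', 'letmein', 'qwerty']; // constructed stand-in for dictionary files
foreach (['abcdefghij', 'P@$$w0rd', 'correct horse battery staple!'] as $pw) {
    $result = lss_example_check($pw, $dictionary);
    echo $pw, ': ', ($result ? implode('; ', $result) : 'ok'), PHP_EOL;
}
```

Run with `php` on the command line: the first sample fails the class and sequence rules, the second is too short and decodes to a dictionary word, and the long passphrase passes despite being lower-case only.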

Blocks discovering user names via the “?author=” query string

Password aging (optional) (not recommended)

Users need to change password every x days (customizable)
Grace period for picking a new password (customizable)
Remembers old passwords (quantity is customizable)

Administrators can require all users to change their passwords

Done via a flag in each user’s database entry
No mail is sent, keeping your server off of spam lists

Logs out idle sessions (optional) (idle time is customizable)

Maintenance mode (optional)

Publicly viewable content remains visible
Disables logins by all users, except administrators
Logs out existing sessions, except administrators
Disables posting of comments
Useful for maintenance or emergency reasons
This is separate from WordPress’ maintenance mode

Prevents information disclosures from failed logins

Improvements Over Similar WordPress Plugins

Multisite network support
Monitors authentication cookies for bad user names and hashes
Tracks logins from XML-RPC requests
Adjusts WordPress’ password policy user interfaces
Takes security seriously so the plugin itself does not open your site
to SQL, HTML, or header injection vulnerabilities
Notice-free code means no information disclosures if display_errors
is on and error_reporting includes E_NOTICE
Only loads files, actions, and filters needed for enabled options
and the page’s context
Provides an option to have deactivation remove all of this plugin’s
data from the database
Uses WordPress’ features rather than fighting or overriding them
No advertising, promotions, or beacons
Proper internationalization support
Clean, documented code
Unit tests covering 100% of the main class
Internationalized unit tests

For reference, the similar plugins include:

6Scan Security
Better WP Security
Enforce Strong Password
Force Strong Passwords
Limit Login Attempts
Login Lock
Login LockDown
PMC Lockdown
Simple Login Lockdown
Wordfence Security
WP Login Security
WP Login Security 2

Compatibility with Other Plugins
Some plugins provide similar functionality. These overlaps can lead to
conflicts during program execution. Please read the FAQ!
Translations

Deutsche, Deutschland (German, Germany) (de_DE) by Christian Foellmann
Français, français (French, France) (fr_FR) by mermouy and Fx Bénard
Italiano, Italia (Italian, Italy) (it_IT) by Daniele Passalacqua
日本語, 日本国 (Japanese, Japan) (ja_JP) by motoyamayuki
Nederlands, Nederland (Dutch, Netherlands) (nl_NL) by Friso van Wieringen
polski, Polska (Polish, Poland) (pl_PL) by Michał Seweryniak miniol
Português, Brasil (Portuguese, Brazil) (pt_BR) by Valdir Trombini
suomi, Suomi (Finnish, Finland) (fi_FI) by Juha Remes Newman101

Source Code, Bugs, and Feature Requests
Development of this plugin happens on GitHub.
Please submit bug and feature requests, pull requests, and wiki entries there.
Releases are then squashed and pushed to WordPress’ Plugins SVN repository.
This division is necessary due to having been chastised that “the Plugins SVN
repository is a release system, not a development system.”
Old tickets are in the Plugins Trac.
Strong, Unique Passwords Are Important
Yeah, creating, storing/remembering, and using a different, strong
password for each site you use is a hassle. But it is absolutely
necessary.
Password lists get stolen on a regular basis from big name sites (like
Linkedin for example!). Criminals then have unlimited time to decode the
passwords. In general, 50% of those passwords are so weak they get figured
out in a matter of seconds. Plus there are computers on the Internet
dedicated to pounding the sites with login attempts, hoping to get lucky.
Many people use the same password for multiple sites. Once an attacker
figures out your password on one site, they’ll try it on your accounts at
other sites. It gets ugly very fast.
But don’t despair! There are good, free tools that make doing the right
thing a piece of cake. For example: KeePassX, KeePass, or 1Password.
Securing Your WordPress Site is Important
You’re probably thinking “There’s nothing valuable on my website. No one
will bother breaking into it.” What you need to realize is that attackers
are going after your visitors. They put stealth code on your website
that pushes malware into your readers’ browsers.

According to SophosLabs more than 30,000 websites are infected
every day and 80% of those infected sites are legitimate.
Eighty-five percent of all malware, including viruses, worms,
spyware, adware and Trojans, comes from the web. Today,
drive-by downloads have become the top web threat.
— Security Threat Report 2012

So if your site does get cracked, not only do you waste hours cleaning up,
your reputation gets sullied, security software flags your site as dangerous,
and worst of all, you’ve inadvertently helped infect the computers of your
clients and friends. Oh, and if the attack involves malware, that malware
has probably gotten itself into your computer.
Actions

login_security_solution_insert_fail
login_security_solution_notify_breach
login_security_solution_notify_fail
login_security_solution_fail_tier_dos

Filters
The following filters allow customizing email subjects and messages. If
either the “subject” or “message” filter in a method returns an empty
string, the given method will skip calling wp_mail().

login_security_solution_notify_breach_subject
login_security_solution_notify_breach_message
login_security_solution_notify_breach_user_subject
login_security_solution_notify_breach_user_message
login_security_solution_notify_fail_subject
login_security_solution_notify_fail_message
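How a site might hook the filters and one of the actions listed above, as an added example that is not part of the plugin. It assumes each filter receives the subject or message string as its first argument and that the action's arguments can be ignored; the callback bodies are illustrative.

```php
<?php
// Added example, not part of the plugin: a site-specific mu-plugin hooking the
// filters and one action listed above. Assumed: each filter receives the
// subject or message string as its first argument; the action's arguments
// are ignored here.

// Prefix the failure-alert subject with the site name so alerts from several
// sites in a multisite network can be told apart.
add_filter('login_security_solution_notify_fail_subject', function ($subject) {
    return '[' . get_bloginfo('name') . '] ' . $subject;
});

// Append a triage hint to the breach message sent to the administrator.
add_filter('login_security_solution_notify_breach_message', function ($message) {
    return $message . "\n\nCheck the fail table and the web server's auth logs "
         . "before reinstating the account.\n";
});

// Returning an empty string makes the plugin skip wp_mail() for that notice.
// Here the per-user breach email is suppressed; the admin alert still goes out.
add_filter('login_security_solution_notify_breach_user_message', '__return_empty_string');

// Actions return nothing; use one to forward the event to a central log.
add_action('login_security_solution_notify_breach', function () {
    error_log('login-security-solution: possible account breach detected');
});
```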

Unit Tests
A thorough set of unit tests is found in the tests directory.
The plugin needs to be installed and activated before running the tests.
To execute the tests, cd into this plugin’s directory and call phpunit tests.
Translations can be tested by changing the WPLANG value in wp-config.php.
Please note that the tests make extensive use of database transactions.
Many tests will be skipped if your wp_options and wp_usermeta tables
are not using the InnoDB storage engine.
Removal

This plugin offers the ability to remove all of this plugin’s settings
from your database. Go to WordPress’ “Plugins” admin interface and
click the “Settings” link for this plugin. In the “Deactivate” entry,
click the “Yes, delete the damn data” button and save the form.

Use WordPress’ “Plugins” admin interface to click the “Deactivate” link

Remove the login-security-solution directory from the server

In the event you didn’t pick the “Yes, delete the damn data” option or
you manually deleted the plugin, you can get rid of the settings by running
three queries. These queries are examples using the default table name
prefix of wp_. If you have changed your database prefix, adjust the
queries accordingly.
DROP TABLE wp_login_security_solution_fail;

DELETE FROM wp_options WHERE option_name LIKE 'login-security-solution%';

DELETE FROM wp_usermeta WHERE meta_key LIKE 'login-security-solution%';

Inspiration and References

Password Research

Why passwords have never been weaker — and crackers have never been stronger, Dan Goodin
You can never have too many passwords: techniques for evaluating a huge corpus, Joseph Bonneau
Analyzing Password Strength, Martin Devillers
Consumer Password Worst Practices, Imperva
Preventing Brute Force Attacks on your Web Login, Bryan Rite
Password Strength, Randall Munroe

Technical Info

The Extreme UTF-8 Table, infosnel.nl
A Recommendation for IPv6 Address Text Representation, Seiichi Kawamura and Masanobu Kawashima

Password Lists

Dazzlepod Password List, Dazzlepod
Common Passwords, Fravia
The Top 500 Worst Passwords of All Time, Mark Burnett

To Do

Provide a user interface to the fail table.

Downloads by Version

  • Method 1: click a version-number link below to download the ZIP file, then log in to the site's admin area, open "Plugins" > "Add New" in the left-hand menu, choose "Upload Plugin" at the top, and upload the downloaded ZIP package to install and activate it.
  • Method 2: use the search box on the right of the "Add New" plugin screen, search for the plugin name "Login Security Solution", and install it from there.

(Method 2 is recommended, as it ensures the installed version matches the WordPress environment currently running.)


0.0.4 | 0.1.0 | 0.2.1 | 0.3.0 | 0.4.0 | 0.5.0 | 0.6.0 | 0.6.1 | 0.7.0 | 0.8.0 | 0.9.0 | 0.10.0 | 0.11.0 | 0.12.0 | 0.13.0 | 0.14.0 | 0.15.0 | 0.16.0 | 0.17.0 | 0.18.0 | 0.19.0 | 0.20.0 | 0.20.1 | 0.20.2 | 0.21.0 | 0.22.0 | 0.23.0 | 0.24.0 | 0.25.0 | 0.26.0 | 0.27.0 | 0.28.0 | 0.28.1 | 0.29.0 | 0.30.0 |

Related Plugins (you may also want to know about)

  • WPS Hide Login 》Chinese, WPS Hide Login is a very lightweight plugin that lets you easily and safely change the URL of the login form page. It does not actually rename or change core files, nor does it add rewrite rules. It simply intercepts...
  • Security Optimizer – The All-In-One Protection Plugin 》With carefully selected, easy-to-configure features, the SiteGround Security plugin provides everything you need to protect your site and prevent many threats, such as brute force attacks, login errors, data leaks and more., ...
  • Loginizer 》Loginizer is a WordPress plugin that helps you fight brute force attacks by blocking logins from an IP address once it reaches the maximum number of retries. With Loginizer you can blacklist IP addresses...
  • Limit Login Attempts 》This plugin limits the number of login attempts, both through the normal login and through auth cookies., By default WordPress allows unlimited login attempts, either through the login page or by sending special cookies. This lets pass...
  • LoginPress | wp-login Custom Login Page Customizer 》The LoginPress plugin provides many custom fields for changing the layout of the WordPress login page. You can completely modify the look and feel of the login page, even the login error messages and forgot-password error messages...
  • WP Ghost (Hide My WP Ghost) – Security & Firewall 》Hide My WP Ghost is a WordPress security plugin that delivers the best security solution through powerful, easy-to-use features. Without changing any directories or files, it raises the site's security...
  • WPS Limit Login 》Traditional Chinese, Limits the number of login attempts possible through the login page and through auth cookies., By default WordPress allows unlimited login attempts through the login page or by sending special cookies. ...
  • Login Lockdown & Protection 》Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts come from the same IP range within a short period, all login requests from that IP address are...
  • Custom Login Page Customizer 》The Custom Login Page Customizer plugin lets you easily customize your login page from the WordPress Customizer! You can preview your login page changes before saving! Great, right?, , ...
  • All In One Login — WordPress Login Security Plugin to Protect and Customize WP Admin 》Change wp-admin login is a lightweight plugin that lets you easily and safely change wp-admin to whatever you want. It does not rename or change core files; it only intercepts page requests...
  • WP fail2ban – Advanced Security 》Fail2ban is one of the simplest and most effective security measures you can implement to protect a WordPress site., WP fail2ban provides the connection between WordPress and fail2ban:, Oct 17 20:59:54 foo...
  • Theme My Login 》Ever wished your WordPress login page matched the rest of your site? Now your wish comes true! "Theme My Login" lets you bypass the default WordPress-branded login page, which...
  • Login No Captcha reCAPTCHA 》This plugin adds Google's "I'm not a robot" checkbox to your WordPress and WooCommerce login, forgot-password and user registration pages, letting human users log in easily by ticking the box,...
  • WP-Members Membership Plugin 》– allows you to restrict file downloads to registered users only, with customizable download links., MailChimp Integration – integrates W...
  • WP Hide & Security Enhancer 》WP-Hide introduces the easiest way to completely hide WordPress core files, the login page, and theme and plugin paths so they are not exposed on the front end, a huge improvement for site security...
