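Description
Simple Login Lockdown is a way to protect your WordPress blog from brute-force login attacks.
It works as follows:
1. An attacker attempts to log in and fails
2. Simple Login Lockdown records that failed login
3. Once the number of failed attempts reaches a certain count (five by default), further attempts to access the wp-login.php page are blocked for a period of time (one hour by default).
If you forget your password and make failed login attempts yourself, the plugin clears the lockdown count data on a successful login.
Note: This plugin uses $_SERVER['REMOTE_ADDR'] directly. If you are behind a proxy (load balancer, etc.), it will not work as expected. For example, several people might try to log in at the same time and all fail. The plugin would then treat all of those requests as coming from the same IP (the load balancer) and lock the login down. Not good. If you use a load balancer or otherwise need a proxy, use this plugin as an example and filter the IP as needed using cd_sll_pre_ip.
Hooks
simple_login_lockdown_ip -- Change the requesting IP address. This can be useful if your site is behind a proxy or load balancer.
simple_login_lockdown_allow_ip -- Allows you to "whitelist" an IP address. When a login attempt fails, before the attempt count is incremented, return true and the IP will not be counted.
simple_login_lockdown_should_die -- A filter that lets you prevent the login page from `die`ing if the requesting IP is temporarily blacklisted or the login limit has been reached.
simple_login_lockdown_count_reached -- Fires when the requesting IP has reached its count and will be added to the blacklist.
simple_login_lockdown_attempt -- Fires when a login is attempted but access to the site is denied.
simple_login_lockdown_response -- Change the HTTP response code sent when a blacklisted IP attempts to log in.
simple_login_lockdown_time_values -- Lets you change the values in the login lockdown time dropdown in the admin area.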
Original plugin description
Simple Login Lockdown is a way to protect your WordPress blog from brute force login attacks.
How it works:
1. An attacker attempts to log in and fails
2. Simple Login Lockdown records that failed login
3. After a certain number of failed attempts (defaults to five), further attempts to access the wp-login.php page are blocked for a time (defaults to one hour).
If you happen to forget your password and make a failed login attempt yourself, the plugin will clear out the lockdown count data on successful login.
Note: This uses $_SERVER['REMOTE_ADDR'] directly. If you're behind a proxy (load balancer, etc.), it's not going to work as expected. E.g., several folks could be attempting logins at once, and all fail. As such, the plugin would pick up on all those requests coming from the same IP (the load balancer) and lock the login down. No good. If you're using a load balancer or in some other situation where you're behind a proxy, use this as an example and write your own. Or filter the IP as you desire using cd_sll_pre_ip.
Hooks
simple_login_lockdown_ip -- Alter the requesting IP address. Might be useful if your site is behind a proxy or load balancer.
simple_login_lockdown_allow_ip -- Allows you to "whitelist" an IP address. It fires when a login attempt fails, before the attempt count is incremented. Return true and no count will be taken for the IP.
simple_login_lockdown_should_die -- A filter that allows you to prevent the login page from `die`ing if the requesting IP is temporarily blacklisted or the login limit has been reached.
simple_login_lockdown_count_reached -- Fires when the requesting IP has reached its count and will be added to the blacklist for your time limit.
simple_login_lockdown_attempt -- Fires when a login attempt is made but the requesting IP is blocked due to excessive requests.
simple_login_lockdown_response -- Change the HTTP response code that gets sent when a blacklisted IP attempts to log in.
simple_login_lockdown_time_values -- Allows you to alter values in the login lockdown time dropdown in the admin area.
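
One way to handle the proxy case from the note above with the simple_login_lockdown_ip filter, as an added example that is not the plugin's own code. It assumes the filter passes the current IP string and expects one back, that your proxy appends the connecting address to X-Forwarded-For, and that the proxy addresses and the `sll_` names are placeholders.

```php
<?php
// Added example: not part of the Simple Login Lockdown plugin.
// Assumption: placeholder addresses of your own load balancers.
const SLL_TRUSTED_PROXIES = array('10.0.0.10', '10.0.0.11');

/**
 * Resolve the client IP for a request that may have passed through trusted proxies.
 * Walks X-Forwarded-For right to left and returns the first hop that is not one
 * of our proxies; entries further left are client-supplied and never trusted.
 */
function sll_resolve_client_ip($remote_addr, $forwarded_for, array $trusted)
{
    // Direct connection (not via our proxy): the header is client-controlled, ignore it.
    if (!in_array($remote_addr, $trusted, true)) {
        return $remote_addr;
    }
    $hops = array_reverse(array_map('trim', explode(',', (string) $forwarded_for)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop rather than trust anything left of it
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop; // address our proxy actually saw connecting
        }
    }
    return $remote_addr; // nothing usable: fall back to the proxy address
}

if (function_exists('add_filter')) {
    // Inside WordPress: hand the resolved address to the plugin.
    add_filter('simple_login_lockdown_ip', function ($ip) {
        $xff = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
        return sll_resolve_client_ip($_SERVER['REMOTE_ADDR'], $xff, SLL_TRUSTED_PROXIES);
    });
} else {
    // Standalone run with constructed sample requests.
    var_dump(sll_resolve_client_ip('10.0.0.10', '203.0.113.7', SLL_TRUSTED_PROXIES));          // via proxy
    var_dump(sll_resolve_client_ip('10.0.0.10', '192.0.2.1, 203.0.113.7', SLL_TRUSTED_PROXIES)); // forged left entry
    var_dump(sll_resolve_client_ip('198.51.100.9', '203.0.113.7', SLL_TRUSTED_PROXIES));       // direct hit, forged header
}
```

Keying the lockout on the leftmost X-Forwarded-For entry would let any client pick the address that gets counted, which is why only the hop recorded by a trusted proxy is used.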
