[WordPress] 外掛分享: Login Delay Shield

首頁外掛目錄 › Login Delay Shield
WordPress 外掛 Login Delay Shield 的封面圖片
60+
安裝啟用
★★★★
4.4/5 分(5 則評價)
2 天前
最後更新
問題解決
WordPress 3.5.1+ PHP 7.4+ v2.6.0 上架:2013-08-17

內容簡介

Login Delay Shield 是一款專為 WordPress 設計的安全外掛,透過在每次登入失敗後添加可配置的延遲,來防止暴力破解攻擊。這樣的設計確保合法用戶不會受到影響,卻能有效阻擋大量的自動登入請求。

【主要功能】
• 分散式攻擊偵測,識別輪換 IP 的憑證填充攻擊
• 安全設置精靈,選擇保守、平衡或激進的保護設定
• 登入延遲,對失敗的登入嘗試設置固定或隨機延遲
• 漸進式延遲,對同一 IP 的連續失敗嘗試增加延遲
• IP 鎖定,對過多失敗嘗試的 IP 進行暫時封鎖
• 自訂登入 URL,將登入頁面移至自訂網址以減少自動機器人流量

外掛標籤

開發者團隊

⬇ 下載最新版 (v2.6.0) 或搜尋安裝

① 下載 ZIP → 後台「外掛 › 安裝外掛 › 上傳外掛」
② 後台搜尋「Login Delay Shield」→ 直接安裝(推薦)
📦 歷史版本下載

原文外掛簡介

WordPress is one of the most widely used content management systems on the internet, making it a frequent target for bots and hackers attempting brute-force attacks.
A brute-force attack works by systematically trying passwords until finding the correct one. Login Delay Shield defends against this by adding a configurable delay after each failed login attempt. Since successful logins are never delayed, legitimate users experience no slowdown. This approach is particularly effective against bots that send thousands of login requests, as each failed attempt forces the attacker to wait before trying the next password.
Features:

Distributed attack detection — spot credential-stuffing that rotates IPs, which per-IP lockouts miss.
Security Setup Wizard — Choose Conservative, Balanced, or Aggressive protection profiles from the settings page
Login delay — Fixed or random delay on failed login attempts (1-10 seconds)
Progressive delay — Delay increases with each consecutive failed attempt from the same IP
IP lockout — Temporarily block IP addresses after too many failed attempts
Username-aware lockout strategy — Choose IP only or IP + username to reduce false positives on shared networks
Login feedback — Shows remaining attempts before lockout and a lockout countdown when blocked
IP whitelist — Bypass all security measures for trusted IPs (supports CIDR notation)
Email notifications — Receive alerts when failed login thresholds are reached
Failed login log — Track all failed attempts with a dashboard widget showing recent activity, 7-day trends, and top targeted usernames
fail2ban logging (optional) — Write fail2ban-compatible failed-login and lockout lines to a safe log file
XML-RPC protection — Apply delays to XML-RPC authentication or block it entirely
Password reset protection — Apply delays, lockouts, and logging to password reset submissions without revealing account existence
Custom login URL — Move the login page to a custom URL to reduce automated bot traffic targeting /wp-login.php
Country blocking (optional, developer integration) — Block login authentication from selected country codes. Ships no GeoIP database; requires a resolver hooked to the wldelay_resolve_country_code filter to supply the visitor country
Emergency recovery URL (optional) — Generate a secret link that clears the lockout for your own IP, so you can get back in even with no admin, shell, or file access
Log retention — Automatic cleanup of old log entries (configurable retention period)
Accessible admin interface — WCAG 2.1 compliant with keyboard navigation and screen reader support
Multilingual — Translated into 18 languages including French, German, Spanish, Japanese, Chinese, Arabic, and more
Lightweight and compatible with other security plugins

Free means free
Login Delay Shield has no ads, no upsells, no premium tier, and no account or API key requirement. Every admin notice is dismissible, and the plugin never nags you to upgrade — there is nothing to upgrade to.
You can always get back in
A security plugin that locks out its own administrator is worse than no security at all. Login Delay Shield is built so an admin can always recover access:

Whitelisted IPs (including CIDR ranges) bypass every delay and lockout
The Active Lockouts manager on the settings page lists current lockouts with a one-click Unlock for each, plus an “Unlock Current IP” action
The optional Emergency Recovery URL — a secret link you save in advance — clears your own IP lockout even when you have no admin, shell, or file access
WP-CLI recovery commands: wp wp-login-delay unlock-ip and wp wp-login-delay flush-lockouts
Lockouts are always temporary (24 hours maximum) — there are no permanent bans

This plugin is not a complete security solution — dedicated security plugins offer more comprehensive protection. However, Login Delay Shield adds an effective layer of defense that works alongside your existing security measures without conflict.
Note: This plugin was formerly known as “WP Login Delay”.
Contribute
Found a bug or want to suggest an improvement? Open a thread in the support forum on WordPress.org.
Want to help translate the plugin into your language? Visit translate.wordpress.org.

延伸相關外掛

文章
Filter
Mastodon