Limit Login Attempts is a very good WordPress plugin that limits how many login retries an IP can perform (and fail) before being locked out for some time. I cannot recommend it enough: it works like a charm and can be tweaked at will. It also notifies you about lockouts, so that you know when someone is trying to gain access to your site. Of course you still need a strong password.
Let’s see how a login works in the real world. If the blog were a house, the login page would be the door and the login button the doorbell. A guest comes to the door, slides their business card underneath, and rings the doorbell. The gatekeeper wakes up, collects the business card and checks the guest’s credentials against the list of people allowed in. If there is a match, the gatekeeper opens the door; otherwise they go back to sleep.
In a brute force attack, a guest is trying to get in by submitting ever changing business cards to the gatekeeper, hoping to find a match by mere chance. When such an attack takes place, the gatekeeper is doing a lot of “useless” work, and soon they’ll ask for a raise.
To prevent that, the master gives the gatekeeper a scanner for business cards that reveals the factory (IP) that made them. The scanner automatically rejects any guest whose credentials are written on a business card made by the same factory as the card of a guest whose credentials were not on the list. This is Limit Login Attempts.
It’s a nice mechanism that in general works very well, because many guests make their business cards themselves. Additionally, there are so many commercial factories around that the risk of a rightful guest using the same factory as a gatecrasher is very small.
Limit Login Attempts has been doing quite a nice job since I installed it, but lately undesirable people have started sliding business cards made by many different factories under the door, which reduces the effectiveness of the scanner somewhat. Over time, I went through all these levels of annoyance:
- Just ignore them.
- Write a sarcastic post about them.
- Tweak the scanner to block more and faster.
- Destroy the doorbell.
Step 1 of 2 – Edit the wp-login.php file
In your WordPress blog directory there is a file called wp-login.php. It’s the file that shows the login page. At the very beginning of the file, right after its opening statement, insert the lines of PHP code that perform the following check.
What these lines do is check whether the user has submitted the login form together with a given challenge/answer pair; in this example the pair is doit/now. If the pair is there, the login form is processed as usual; otherwise the user is redirected to the home page.
Of course you MUST NOT use doit/now, but feel free to choose any other pair of words that you can easily remember, possibly unrelated, like spoon/pig. (Sorry, now you cannot use that pair either.) Use only letters a through z. (This is not a password!)
That pair is your secret. Do not tell anyone, unless you want them to be able to get through the login page.
Step 2 of 2 – Add a bookmarklet to your browser
Edit the bookmarklet code so that the challenge/answer pair matches the one used in Step 1. Then turn it into a bookmarklet, paste the result into a new bookmark and call it My login.
What these lines do is add the challenge/answer pair to the login form and submit it.
When you want to log in, go to the login form and enter your username and password as usual, but remember to click the bookmarklet instead of the standard button. (If you used the standard button you’d be redirected to the home page without being logged in.)
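The two steps above, server-side gate and bookmarklet, as one worked example. This is added code, not the listings from the original post (which are not reproduced on this page) and not the Login Dongle plugin. It assumes a layout the post does not spell out: the pair travels as a hidden form field whose name is the challenge and whose value is the answer, which is also why both are restricted to letters a through z (they end up in a field name and in a JavaScript string). The words spoon/pig are the post’s own burnt placeholders and must be changed. Rather than editing wp-login.php, which a WordPress update overwrites, the gate is attached to the `login_init` action that wp-login.php fires on every request, so the same file works as a tiny plugin.

```php
<?php
// Login dongle: added example, not the original post's code or the Login Dongle plugin.
// Assumption: the hidden field is named after the challenge and carries the answer.
// 'spoon'/'pig' are placeholders from the post; pick your own pair.
const LOGIN_DONGLE_CHALLENGE = 'spoon';
const LOGIN_DONGLE_ANSWER    = 'pig';

/** Reject anything that is not lowercase a-z, so the pair is safe in a field name and in JS. */
function login_dongle_check_word(string $word): void
{
    if (!preg_match('/^[a-z]+$/', $word)) {
        throw new InvalidArgumentException('challenge and answer must be lowercase letters a-z');
    }
}

/**
 * Decide whether a request may reach the normal wp-login.php code.
 *
 * Only a credential submission (a POST carrying log/pwd) is gated: the GET that renders the
 * form and the lost-password, register and logout actions pass untouched, otherwise nobody
 * could see the form the bookmarklet fills in. The answer is compared in constant time.
 */
function login_dongle_allows(string $method, array $post, string $challenge, string $answer): bool
{
    login_dongle_check_word($challenge);
    login_dongle_check_word($answer);

    $isLoginAttempt = ($method === 'POST') && isset($post['log'], $post['pwd']);
    if (!$isLoginAttempt) {
        return true;                       // nothing to protect on this request
    }
    $given = $post[$challenge] ?? '';
    // PHP turns "spoon[]=x" into an array; hash_equals() needs a string, so guard first.
    return is_string($given) && hash_equals($answer, $given);
}

/**
 * Build the "My login" bookmarklet for a pair: it finds WordPress's form#loginform,
 * appends the hidden challenge=answer field and submits the form.
 */
function login_dongle_bookmarklet(string $challenge, string $answer): string
{
    login_dongle_check_word($challenge);
    login_dongle_check_word($answer);
    $js = "(function(){var f=document.getElementById('loginform');"
        . "if(!f){alert('No WordPress login form on this page');return;}"
        . "var i=document.createElement('input');i.type='hidden';"
        . "i.name='$challenge';i.value='$answer';f.appendChild(i);f.submit();})();";
    return 'javascript:' . $js;
}

// WordPress wiring: only active when this file is loaded as a plugin.
if (function_exists('add_action')) {
    add_action('login_init', function () {
        $ok = login_dongle_allows($_SERVER['REQUEST_METHOD'], $_POST,
                                  LOGIN_DONGLE_CHALLENGE, LOGIN_DONGLE_ANSWER);
        if (!$ok) {
            wp_safe_redirect(home_url('/'));   // bounce the guest to the home page
            exit;
        }
    });
}

// Stand-alone demo (php login-dongle.php): the three kinds of request the gate sees.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $c = LOGIN_DONGLE_CHALLENGE;
    $a = LOGIN_DONGLE_ANSWER;
    var_dump(login_dongle_allows('GET', [], $c, $a));                                        // true: form renders
    var_dump(login_dongle_allows('POST', ['log' => 'admin', 'pwd' => 'guess'], $c, $a));     // false: bot, no dongle
    var_dump(login_dongle_allows('POST', ['log' => 'admin', 'pwd' => 'guess', 'spoon' => 'pig'], $c, $a)); // true
    echo login_dongle_bookmarklet($c, $a), PHP_EOL;                                          // paste into a bookmark
}
```

Two caveats a practitioner will want. The pair is a shared secret sent in the clear alongside the password, so it is only as private as the connection and the bookmark that stores it; serve the login page over HTTPS. And the gate lives in wp-login.php only: if XML-RPC is enabled, xmlrpc.php still accepts username/password and is not covered, so Limit Login Attempts and a strong password stay necessary. `hash_equals()` needs PHP 5.6 or later.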
A Login Dongle Plugin
I’ve already made a Login Dongle plugin for WordPress with all that code. I’m going to upload it this week. Stay tuned.
EDIT (2012-02-09): http://wordpress.org/extend/