Login Security Solution

Login Security Solution ensures that brute force attempts to guess your user name and password are stopped.

Plugin Page: http://wordpress.org/extend/plugins/login-security-solution/

Why Login Lockdown Is Important

Login Security Solution keeps an eye out for failed login attempts. If someone tries to log in too many times with a wrong user name/password combination this plugin will slow down response times.

This will make a brute force attack impossible.

At the same time the plugin allows legitimate users multiple login attempts without blocking them if they have forgotten their password.

This is an effective way to stop user name/password guessing without creating problems for legitimate users.
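
A minimal model of the slow-down approach described above, added here as an illustration. It is not the plugin's code; the thresholds, the counting per IP address and per user name, and all names are assumptions of this example.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Slow responses after repeated failures instead of locking accounts out."""

    def __init__(self, window=3600.0, free_attempts=3, base_delay=2.0,
                 max_delay=60.0, clock=time.monotonic):
        self.window = window                # seconds a failure is remembered
        self.free_attempts = free_attempts  # typos tolerated with no delay
        self.base_delay = base_delay        # first delay, doubled per extra failure
        self.max_delay = max_delay          # cap so a real user is never shut out
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> failure timestamps

    def _recent(self, key):
        """Count failures for key inside the window, dropping expired ones."""
        stamps = self._failures.get(key)
        if not stamps:
            return 0
        cutoff = self.clock() - self.window
        while stamps and stamps[0] <= cutoff:
            stamps.popleft()
        return len(stamps)

    def record_failure(self, ip, username):
        now = self.clock()
        # Count per IP and per user name, so guesses spread over many
        # IP addresses against one account still accumulate.
        self._failures[("ip", ip)].append(now)
        self._failures[("user", username.lower())].append(now)

    def delay_for(self, ip, username):
        """Seconds to wait before answering the next attempt."""
        worst = max(self._recent(("ip", ip)),
                    self._recent(("user", username.lower())))
        over = worst - self.free_attempts
        if over < 0:
            return 0.0
        return min(self.base_delay * 2 ** over, self.max_delay)


def guessing_run(throttle, username, ips, attempts):
    """Total delay imposed on a run of failed guesses cycling through ips."""
    total = 0.0
    for i in range(attempts):
        ip = ips[i % len(ips)]
        total += throttle.delay_for(ip, username)
        throttle.record_failure(ip, username)
    return total
```

With these constructed settings a user who mistypes a password twice sees no delay, while ten failed guesses against one account cost about three minutes of waiting even when each comes from a different IP address.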

Other security functions added by this plugin:

  • Password strength is enforced.
    Users have to use strong passwords.

  • Password aging can be enabled.
    Users are forced to change passwords after a configurable period of time.

  • All users can be forced to change passwords.
    The administrator can require users to change their passwords the next time they log in.

  • Idle sessions can be logged out after a configurable amount of time.

Note! Please read the Recommendation before you install this plugin.

How You Complete This Security Checkpoint

Add and Activate the plugin.

  • Once activated you have the option to force all users to change passwords.
    To continue click on the link (even if you do not want to change passwords).

  • Depending on your situation, require all users to change passwords or disable the reminder.
    If you have many users on your site, changing passwords can be a good idea to ensure they all have strong passwords.

  • Go to the Login Security Solution plugin settings.

  • Most of the default settings are fine.
    There are a couple of settings you might want to adjust.

  • Email notifications about brute force attacks: By default the administrator will receive an email if anyone tries to log in to your site.
    In the Notifications To field you can optionally enter a different email address.
    To disable email notifications set Failure Notification to 0.

  • Sample email sent when a brute force attack is happening.
    Note! There is no need to worry when receiving this type of email. It simply shows that the plugin is working as it should.

  • You can change the settings for Idle Timeout.
    We find the default setting is a bit low, and recommend you set it to 60 or 120 (1 or 2 hours).
    If you are the only person using the administrative interface you can disable the timeout by setting the value to 0.

  • Idle Timeout in action.

Recommendation

We recommend that you use the Wordfence Security plugin. This plugin also provides protection against brute force attacks, but it does not enforce password strength or allow you to reset all user passwords.

Do you have user registration enabled on your site?

Or do you allow other people to contribute content to your site using their own logins?

If you answered yes to one of those questions we recommend that you use Login Security Solution in addition to Wordfence to strengthen your user management.

If you are the only person logging in to your WordPress site you do not need to use the Login Security Solution – Wordfence will be fine. Of course you still need to use a good password management solution with strong passwords – see Password Management.


About Anders Vinther

Anders is on a mission to make it easy for you to secure your WordPress.

Let's make it harder for the bad guys!


Comments

  1. Will this plugin interfere with WordFence?

    • No problems at all.

      • Thanks Anders. Hopefully this will stop this hacker from trying to enter my site. Sadly, I have received over 100 emails since 8 AM with someone trying to login. Each IP address is different.

        • Yes, that seems to be a new way of executing brute force attacks – orchestrated attacks using many different IPs.

          Make sure you use a really long and difficult password. (See Password Management for tips).

          You might also want to read this topic posted on our forum.

          If they are using invalid user names you can also enable the Wordfence option Immediately lock out invalid usernames, which will block each IP after the first attempt using a fake userid. Might make them run out of IP addresses. Just be careful not to type in a wrong username yourself when you log in :-)

          • I change my password weekly. I use a very long password. I have enabled that option in Wordfence but I wanted to feel more secure. I was able to add my IP address to the whitelist for WordFence. Thanks for all your help.

      • If I use Wordfence for brute force attacks, is it better if I disable the brute force protection of Login Security Solution? If yes, how do I do that?
