The WP Login Security 2 plugin adds an extra layer of security to your login process.
Plugin Page: http://wordpress.org/extend/plugins/wp-login-security-2/
Why WP Login Security 2 Is Important
WP Login Security 2 intelligently adds another layer of security to the login process.
The plugin keeps track of the IP addresses used by administrators. If an administrator tries to log in from an unknown IP address, an activation link is emailed to the administrator's registered email address. Until the activation link is clicked, the administration panel is blocked.
Even if someone steals your WordPress user name and password, they will be unable to log in unless they also have access to your email.
How You Complete This Security Checkpoint
- Add and activate the plugin.
- An email with the activation link will be sent to your email address:

  Subject: [My Website] WP Login Security Alert
  Someone has logged in with the below information from an IP we haven’t seen before.
  User: admin
  IP: xxx.xxx.xxx.xxx
  URL: http://www.mywebsite.com/wp-admin/
  To authorize this IP address, please click the following link: http://www.mywebsite.com/wp-login.php?action=registerip&wpls_ipkey=d41d8cd98fasdfas98837498ecf8427e

- To whitelist the new IP address, click on the link and log in again.
- From now on, when you log in from this IP address you will be allowed in straight away.
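The known-IP check and activation link described above, modelled as an added Python example; it is not the plugin's own code. The class and method names, the 15-minute expiry, the hashed token storage and the rule that the link must be opened from the same IP that tried to log in are all assumptions of this sketch.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # assumption: an activation link is valid for 15 minutes


class IpLoginGate:
    """Known-IP check for administrator logins (hypothetical names, in-memory state)."""

    def __init__(self):
        self.known_ips = {}  # user -> set of approved IP addresses
        self.pending = {}    # sha256(token) -> (user, ip, expires_at)

    def login(self, user, ip, now=None):
        """Run after the password check passed. Returns (allowed, token_to_email)."""
        now = time.time() if now is None else now
        if ip in self.known_ips.get(user, set()):
            return True, None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (user, ip, now + TOKEN_TTL)  # store only the hash
        return False, token  # caller emails a link carrying the token

    def activate(self, token, ip, now=None):
        """Handle a click on the emailed link; True if the IP was approved."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use: removed on first click
        if entry is None:
            return False
        user, pending_ip, expires_at = entry
        # Assumption: the click must come from the IP that tried to log in, so an
        # administrator opening a link triggered by someone else approves nothing.
        if now > expires_at or ip != pending_ip:
            return False
        self.known_ips.setdefault(user, set()).add(pending_ip)
        return True


if __name__ == "__main__":
    gate = IpLoginGate()
    admin_ip = "203.0.113.7"  # constructed sample address (documentation range)
    allowed, token = gate.login("admin", admin_ip)
    print("first login allowed:", allowed)
    print("link accepted:", gate.activate(token, admin_ip))
    print("second login allowed:", gate.login("admin", admin_ip)[0])
```

The check depends on the address the server sees staying the same between the login attempt and the click; in this sketch a user whose address changes between requests is sent a new link each time.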
Recommendation
In case you experience difficulties logging in you can always disable this plugin by renaming (or removing) the plugin folder wp-content/plugins/wp-login-security-2.
Further Resources
There are three other two-factor authentication plugins you might want to consider.
Note! We have not tested these plugins.
Second factor
Plugin Page: http://wordpress.org/extend/plugins/second-factor/
Second factor adds another layer to the login process making it more secure.
The first factor is your user name and password. This plugin will email a one-time code to the user's email address. This code has to be entered before the login is complete.
Even if someone gets your user name and password, they will be unable to log in unless they also have access to your email.
Google Authenticator
Plugin Page: http://wordpress.org/extend/plugins/google-authenticator/
The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.
You may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on your Gmail or Google Apps account.
The two-factor authentication requirement can be enabled on a per-user basis. You could enable it for your administrator account, but log in as usual with less privileged accounts.
Duo Two-Factor Authentication
Plugin Page: http://wordpress.org/extend/plugins/duo-wordpress/
This plugin enables Duo Security’s two-factor authentication for WordPress logins.
Duo provides simple two-factor authentication as a service via:
- Phone callback
- SMS-delivered one-time passcodes
- Duo mobile app to generate one-time passcodes
- Duo mobile app for smartphone push authentication
- Duo hardware token to generate one-time passcodes
Questions Or Comments?
Please leave them below. Thanks!






When I install this plugin, I get the following alert at the top of my WP panel:
Warning: session_start() [function.session-start]: Cannot send session cache limiter – headers already sent (output started at /home/michaelf/public_html/wp-admin/includes/template.php:1642)
Please see this post.
Despite implementing all of the steps you detail, this morning I had a new admin account (unauthorized) that had been created for my blog. The plugin above did not alert me. I have deleted the new account and changed my passwords, but like that evil 64 thing it will probably be back.
Hi Mike,
I am sorry to hear that your site was compromised.
It is important to understand that your sites will never be 100% secure. However if you implement the security measures we recommend you will be in a good position to detect the compromise quickly and restore your site.
If you are using Sucuri I strongly recommend that you let them clean up the site for you. They are very skilled in this, and if they clean up your site you are pretty sure everything has been cleaned. Also they might be able to pinpoint how the compromise happened.
If you are not currently using Sucuri and your site has been compromised we strongly recommend that you sign up with them and have them clean your site. The price for a one year subscription is easily saved in time when they take care of the clean up for you. And they will most likely do a better job too.
You can find our article on Sucuri here.
In WordFence you can enable the option “Alert me when someone with administrator access signs in” which will send you an email if something like this happens again.
The link at the beginning of the post takes you to the WP Login Security page and not to WP Login Security 2.
Thanks for the tip…
WP Login Security 2 will not work on my thesis theme wordpress blog – can you offer an equal alternative for securing our log in?
What happens when you use the plugin?
Sorry, that I did not see this sooner…
The plugin had to be removed (I tried it 3 different times) before I could log in. It would send the email, I would click on the link, then try to log in, but it would only repeat the process as if my IP had changed since the email (it had not), and repeat. I had to go delete the plugin on my server before I could log in.
This would be a great plugin if it worked correctly.