Description
This plugin limits the number of login attempts, both through the normal login form and through auth cookies.
By default, WordPress does not limit the number of login attempts made on the login page, nor attempts made by sending special cookies to log in, which makes brute-force attacks against passwords and hashes relatively likely to succeed.
Limit Login Attempts blocks further attempts from an IP address once a specified number of login attempts has been reached, making brute-force attacks much harder.
Features
- Limits the number of login attempts per IP address, with full configuration
- Limits login attempts made with auth cookies in the same way
- Informs the user on the login page of the remaining attempts or the lockout time
- Optional logging and email notification
- Handles servers behind a reverse proxy
- Optional custom whitelist of IP addresses that bypass lockouts, although this is really not recommended :)
Localized interface: Bulgarian, Brazilian Portuguese, Catalan, Traditional Chinese (Taiwan), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish.
The plugin uses only the standard actions and filters built into WordPress.
Installation
- Download and unzip the plugin archive, then upload the resulting folder and all the files it contains to the wp-content/plugins directory.
- Activate the plugin through the WordPress admin.
- Customize the settings on the plugin settings page. If you know the site is hosted behind a reverse proxy, select the corresponding setting on the settings page.
If you have any questions or find a bug, please post on the plugin's support forum.
Frequently Asked Questions
- Why not reset failed attempts on a successful login?
Because that is the secure design. If failed login attempts were reset whenever someone on the site logged in successfully, it would increase the number of attempts a brute-force attack could make.
- What is the site connection / reverse proxy setting for?
A reverse proxy is a server that sits between the web host and the Internet (for example, an intermediary that handles caching or load balancing). Hosting the site behind a reverse proxy makes the job of getting the correct client IP address to block a little more complicated.
The default for this setting is [Direct connection], which should be the right value for most environments.
- How do I know whether my site is behind a reverse proxy?
The web host may or may not be behind a reverse proxy, but the plugin setting provides a default that fits most environments. Unless the site administrator knows the host configuration well, keep the default [Direct connection].
- Can the site administrator add their own IP address to a custom whitelist to avoid being locked out?
First consider whether this is really necessary; exceptions in a security policy are generally not good practice.
That said, the limit_login_whitelist_ip filter lets a site administrator do exactly this. Example:
function my_ip_whitelist($allow, $ip) {
    // Replace 'my-ip' with the administrator's own IP address (placeholder as given in the FAQ)
    return ($ip == 'my-ip') ? true : $allow;
}
add_filter('limit_login_whitelist_ip', 'my_ip_whitelist', 10, 2);
Note that the plugin will still notify and log as usual, so the site administrator can see whether there is any suspicious login activity from whitelisted IP addresses.
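The FAQ example above matches a single literal address. As an added example (not the plugin's own code), the callback below whitelists a whole administrator network in CIDR notation instead, using the same limit_login_whitelist_ip filter and ($allow, $ip) signature; the network list is a constructed placeholder and the helper handles IPv4 only.

```php
<?php
// Added example, not part of the Limit Login Attempts plugin.
// Whitelists IPv4 administrator networks given in CIDR notation via the
// limit_login_whitelist_ip filter described in the FAQ. Logging and
// notifications for whitelisted addresses continue as usual.

/**
 * Return true when $ip (dotted-quad IPv4) lies inside $cidr ("a.b.c.d/n").
 * Malformed input never matches, so a typo in the list cannot widen it.
 */
function my_ip_in_cidr( $ip, $cidr ) {
    list( $net, $bits ) = array_pad( explode( '/', $cidr, 2 ), 2, '32' );
    $ip_long  = ip2long( $ip );
    $net_long = ip2long( $net );
    $bits     = (int) $bits;
    if ( false === $ip_long || false === $net_long || $bits < 0 || $bits > 32 ) {
        return false;
    }
    // Build the network mask; /0 is handled explicitly to avoid shifting by 32.
    $mask = ( 0 === $bits ) ? 0 : ( ( ~0 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( ( $ip_long & $mask ) === ( $net_long & $mask ) );
}

/**
 * Filter callback: return true for listed networks, otherwise pass $allow
 * through unchanged so any other registered filter is not overridden.
 */
function my_admin_network_whitelist( $allow, $ip ) {
    // Placeholder: replace with the administrator's real network(s).
    $networks = array( '203.0.113.0/24' );
    foreach ( $networks as $cidr ) {
        if ( my_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return $allow;
}
add_filter( 'limit_login_whitelist_ip', 'my_admin_network_whitelist', 10, 2 );
```

Keep the list as short as possible and remove the code once it is no longer needed, since every listed network is exempt from lockouts.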
- The site administrator is locked out. What should they do?
Wait until the lockout expires, or use one of the following methods:
If you know how to edit or add PHP files, you can create an IP whitelist as described above. Once you have bypassed the lockout via the whitelist and logged in, go to the plugin settings page, click [Release lockouts], and remove the whitelist code.
If you have FTP/SFTP access to the web host, rename limit-login-attempts.php in wp-content/plugins/limit-login-attempts/ to disable the plugin.
If you have access to the site database (for example through phpMyAdmin), you can release the lockout by clearing the value of limit_login_lockouts in the WordPress options table (the table prefix depends on the site configuration). With the default table prefix wp, this SQL statement should do it:
UPDATE wp_options SET option_value = 'a:0:{}' WHERE option_name = 'limit_login_lockouts'
Changelog
1.7.2
Security fixes.
1.7.1
This version fixes a security bug in version 1.6.2 and 1.7.0. Please upgrade immediately.
"Auth cookies" are special cookies set at login that authenticate you to the system. It is how WordPress "remembers" that you are logged in between page loads.
During lockout these are supposed to be cleared, but a change in 1.6.2 broke this. It allowed an attacker to keep trying to break these cookies during a lockout.
Lockout of normal password login attempts still worked as it should, and it appears that all "auth cookie" attempts would keep getting logged.
In theory the "auth cookie" is quite resistant to brute force attack. It contains a cryptographic hash of the user password, and the difficulty of breaking it is not based on the password strength but instead on the cryptographic operations used and the length of the hash value. In theory it should take many, many years to break this hash. As theory and practice do not always agree, it is still a good idea to have working lockouts of any such attempts.
1.7.0
- Added filter that allows whitelisting IP. Please use with care!!
- Update to Spanish translation, thanks to Marcelo Pedra
- Updated Swedish translation
- Tested against WordPress 3.3.2
1.6.2
- Fix bug where log would not get updated after it had been cleared
- Do plugin setup in ‘init’ action
- Small update to Spanish translation file, thanks to Marcelo Pedra
- Tested against WordPress 3.2.1
1.6.1
- (WordPress 3.0+) An invalid cookie can sometimes get sent multiple times before it gets cleared, resulting in multiple failed attempts or even a lockout from a single invalid cookie. Store the latest failed cookie to make sure we only count it as one failed attempt
- Define “Text Domain” correctly
- Include correct Dutch translation file. Thanks to Martin1 for noticing. Thanks again to Bjorn Wijers for the translation
- Updated POT file for this version
- Tested against WordPress 3.1-RC4
1.6.0
- Happy New Year
- Tested against WordPress 3.1-RC1
- Plugin now requires WordPress version 2.8+. Of course you should never ever use anything but the latest version
- Fixed deprecation warnings that had been piling up with the old version requirement. Thanks to Johannes Ruthenberg for the report that prompted this
- Removed auth cookie admin check for version 2.7.
- Make sure relevant values in $_COOKIE get cleared right away on auth cookie validation failure. There are still some problems with cookie auth handling. The lockout can trigger prematurely in rare cases, but fixing it is plugin version 2 stuff unfortunately.
- Changed default time for retries to reset from 24 hours to 12 hours. The security impact is very minor and it means the warning will disappear “overnight”
- Added question to FAQ (“Why not reset failed attempts on a successful login?”)
- Updated screenshots
1.5.2
- Reverted minor cookie-handling cleanup which might somehow be responsible for recently reported cookie related lockouts
- Added version 1.x Brazilian Portuguese translation, thanks to Luciano Passuello
- Added Finnish translation, thanks to Ari Kontiainen
1.5.1
- Further multisite & WPMU support (again thanks to erik@erikshosting.com)
- Better error handling if option variables are damaged
- Added Traditional Chinese translation, thanks to Denny Huang bigexplorations@bigexplorations.com.tw
1.5
- Tested against WordPress 3.0
- Handle 3.0 login page failure “shake”
- Basic multisite support (parts thanks to erik@erikshosting.com)
- Added Dutch translation, thanks to Bjorn Wijers burobjorn@burobjorn.nl
- Added Hungarian translation, thanks to Bálint Vereskuti balint@vereskuti.info
- Added French translation, thanks to oVa ova13lastar@gmail.com
1.4.1
- Added Turkish translation, thanks to Yazan Canarkadas
1.4
- Protect admin page update using wp_nonce
- Added Czech translation, thanks to Jakub Jedelsky
1.3.2
- Added Bulgarian translation, thanks to Hristo Chakarov
- Added Norwegian translation, thanks to Rune Gulbrandsy
- Added Spanish translation, thanks to Marcelo Pedra
- Added Persian translation, thanks to Mostafa Soufi
- Added Russian translation, thanks to Jack Leonid (http://studio-xl.com)
1.3.1
- Added Catalan translation, thanks to Robert Buj
- Added Romanian translation, thanks to Robert Tudor
1.3
- Support for getting the correct IP for clients while server is behind reverse proxy, thanks to Michael Skerwiderski
- Added German translation, thanks to Michael Skerwiderski
1.2
- No longer replaces pluggable function when cookie handling active. Re-implemented using available actions and filters
- Filter error messages during login to avoid information leak regarding available usernames
- Do not show retries or lockout messages except for login (registration, lost password pages). No change in actual enforcement
- Slightly more aggressive in trimming old retries data
1.1
- Added translation support
- Added Swedish translation
- During lockout, filter out all other login errors
- Minor cleanups
1.0
- Initial version