外掛說明

Out of the box, WordPress allows unlimited attempts to log in. This opens up opportunities for attackers to crack passwords simply by trying over and over again. This kind of attack is called brute-force, and Protect Login mitigates this by slowing down the login after a series of subsequent failed attempts.

But we did not stop there. We’re also working on ways to improve the security of your WordPress passwords. Currently, we do this by allowing you to enforce a password policy to make sure your users don’t use weak passwords for their accounts.

安裝方式

Upload the plugin files to the /wp-content/plugins/protect-login directory, or install the plugin through the WordPress plugins screen directly.
Activate the plugin through the ‘Plugins’ screen in WordPress.
The default settings will be applied automatically. To change them, navigate to Settings > Protect Login

常見問題集

Who are you folks?

We’re Thomas and Simon, two WordPress enthusiasts, with the dearing crazy idea to offer a good plugin without asking for your money or attention.

Our initial work on Protect Login was sponsored by group.one.

Why did you build this plugin?

We care about WordPress and keeping WordPress sites secure. So we decided it was time to take the code of the original Limit Login Attempts plugin and build on top of it.
We did this for you. Protect Login is 100% free and will not bother you with nasty upsells or scare marketing. You have better things to do, don’t you?

Why not reset failed attempts on a successful login?

This is very much by design. Otherwise, you could simply brute force the “admin” password by logging in as your own user every 4th attempt.

How do I know if my site is behind a reverse proxy?

If you’re not sure about this, chances are your site is not behind a reverse proxy. However, Protect Login’s settings offer an option to activate proxy mode.
A reverse proxy is a server between the site and the Internet (perhaps handling caching or load-balancing). This makes getting the correct client IP to block slightly more complicated.

Can I put my IP on an allowlist to avoid getting locked out?

Yes, there is an allowlist tab in Protect Login’s settings.

I locked myself out while testing this plugin; what do I do?

Either wait until your account/IP is unblocked, or if you have FTP or SSH access to the site, rename it “wp-content/plugins/protect-login” to deactivate the plugin.

Do you support IPv6 addresses?

Yes, if the webserver passes an IPv6 address to your WordPress installation, the plugin has no problems to handle IPv6 from 1.2.0.

使用者評論

Michael 2024 年 11 月 20 日

Compared to “Limit Login Attempts Reloaded”, it makes a lean and clear impression without any frills. PS: After several weeks of use, I can say that it works reliably on multiple websites.

Jonas 2024 年 9 月 22 日

It does exactly what it’s supposed to.Thank you for this plugin. It’s very nice not to be bombarded with ads.

閱讀全部 2 則使用者評論

參與者及開發者

以下人員參與了開源軟體〈Protect Login〉的開發相關工作。

〈Protect Login〉外掛目前已有 1 個本地化語言版本。感謝全部譯者為這個外掛做出的貢獻。

將〈Protect Login〉外掛本地化為台灣繁體中文版

對開發相關資訊感興趣？

任何人均可瀏覽程式碼、查看 SVN 存放庫，或透過 RSS 訂閱開發記錄。

變更記錄

1.4.7

Bugfix: Fixed Bug in at-a-glance widget

1.4.6

Migration path of password strength rules
Tested with WordPress 6.8
Improvement: Added description texts to blocklist, allowlist and blocked-addresses list
Improvement: Added Copy-to-Clipboard for Remote API settings
Improvement: One-Click auto-generate for Remote API key

1.4.5

Bugfix: Error message “Invalid credentials” was displayed, when wp-login.php ist called directly or hidden by renaming of Admin Login URL

1.4.4

Bugfix: Fixed issue an invalid login was recognize on logging out from WP
Bugfix: Fixes issue error message always was “too many failed login attempts” even when it was the first trial

1.4.3

Bugfix: Fixed button “Add IP address to allowlist and release”
Bugfix: Fixed displaying setting in “At a glance widget”

1.4.2

Removed “Your IP address” on blocklist tab
Added headlines on allowlist, blocklist and blocked ip addresses
Removed .github dir

1.4.1

Bugfix: Fixed issue that prevented “Add own ip address to allowlist” from working
Auto re-create WP sessions on activating plugin
Bugfix: Fixed issue on creating session cookie on multisite

1.4.0

Automatically clean up the locked-out list a week after IP addresses have been cleared
Improve the design of empty IP lists
Add own IP v6 / IPv6 – Address to allowlist
Check for blocked IP on XML-RPC
Bugfix: Fixed issues that prevented the plugin from discovering that it runs on a multisite
Bugfix: Compatibility fixes to PHP 7.4
Bugfix: Removed ending slashes from Rest API namespaces

1.3.1

Bugfix: Improved error handling if non-numeric value is stored in wp_options
Cleanup: Removed leading whitespace in translation file for widget
Bugfix: Settings visible on multisite if name of the plugin directory is not “protect-login”
Bugfix: An error occurred on WP multisites with enabled WP_DEBUG, because of too early load of translation files
Moved “settings” sections to admin_init – action
WP 6.7 compatibility

1.3.0

Count of currently locked-out address visible in “At a glance” Widget
Fixed bug on activation plugin through wp-cli in a multisite environment
Remote API support
Improved multisite support

1.2.0

IPv6 support
Endpoints for WP-CLI
Added filter for password strength
“Settings” link in plugin overview
Bugfix: string “password too short” erroneous appeared in Quick Draft widget, removed.

1.1.1

Removed unused strings
Added translator comments
Restructured some strings for easier translations

1.1.0

Tested with WordPress 6.6
Added Multisite Support
Added filters to set protection levels programmatically
Fixed issue with timestamps always using UTC

1.0.1

Fixed minor bugs

1.0

Initial version
based on Limit Login Attempts 1.7.1 by Johan Eenfeldt

The plugin makes a lean and clear impression!

It does exactly what it should