Plugin Name: Limit Login Attempts v.1.4.1
Date of review: 10th November 2009
Rating: 4.8
Author profile: Johan Eenfeldt
WordPress plugin directory link: Limit Login Attempts

“Limit Login Attempts” WordPress plugin limits the number of wrong login attempts possible through normal login dialog as well as (for WordPress 2.7+) for cookies authentication mechanism.

You can find the original description of this plugin at the authour’s blog plugin page. I just tell you about my impressions after testing this plugin here.

This plugin is well-made, its code is accurate, easy to read and has detailed comments inside. After testing and investigating the source code I confirm that Limit Login Attempts WordPress plugin operates exactly as declared by its author.
Just for your safety, you can be sure: Limit Login Attempts WordPress plugin is checked by me as an independent developer. This plugin has not any hidden code which make something malicious or not declared by the author in plugin description.

I didn’t meet with bugs during thorough tests I made. Johan (the author) made a good job and continues enhancing his plugin. He made 5 code change releases this year and we can add here the minor updates with translations to the different languages added. More – 2.0beta3 version is available already at http://devel.kostdoktorn.se/limit-login-attempts-2-0beta3
Plugin works pretty good. Thank you, Johan, for the excelent and useful plugin.

What does we have under the hood?

In comparison to the Login lockDown plugin, which was made with the same purpose, “Limit Login Attempts” plugin has some advantages/differencies:

• In addition to the standard login dialog mechanism “Limit Login Attempts” secures with wrong retries limit the WordPress cookie authentication.
• “Limit Login Attempts” has feature to define login IP if it sits behind the Proxi
• “Limit Login Attempts” doesn’t create and use new MySQL tables. It uses standard WordPress wp_options table to store its data. It automatically clears invalid login attempts data after definite time period. With such realization “Limit Login Attempts” has not that imperfection in MySQL data storage and processing manner which “Login lockDown” has. But that imperfection is relative and can be fixed easy in the future version if plugin author desire to make it.
  Technically “Limit Login Attempts” stores IP data in the one option field and load it into array variable at once. In theory we can imagine situation when error can occur for the not enough memory reason: very large users quant and very large daily login attempts quant with wrong tries. As that theoretical situation can be met in real life very rare I will not take it into account in this review and in the rate value.
• Very good thing for “Limit Login Attempts” that it doesn’t advertise itself adding special text to the WordPress Login dialog box as “Login LockDown” plugin does.
• “Limit Login Attempts” has more convenient and flexible options set.

Not so good issues for this plugin:
First of all, concerning the security field, I repeat it again – “Silence is golden”. If you don’t know or remember why, you can read these my previous posts:

Silence is golden
• WordPress Security: Silence is golden. Part 2.

Second, When intruder exhausted invalid login attempts limit, “Limit Login Attempts” shows the special error messages:
“ERROR: Too many failed login attempts. Please try again later”, “Please try again in %d hour”, etc.
It can clearly show to intruder that this blog has “Limit Login Attempts” installation. As the blog owner I prefer to have the option to show this special messages or not. Ideally, my login dialog behaviour must be the same as WordPress default one or little different but the same for all kind of the login errors.
Third, if you try to call limit-login-attempts.php file directly from the browser,
e.g. http://www.yourdomain.com/wp-content/plugins/limiit-login-attempts/limit-login-attempts.php
and php error messages is not turned off on your site, you will see this error message in your browser:
PHP Fatal error: Call to undefined function load_plugin_textdomain() in …\wp-content\plugins\limit-login-attempts\limit-login-attempts.php on line 99
That is bad guy can discover your site real path. If he knows what shared hosting you use, and hosting provider has some security hole in his system, bad guy can reach your site and get it data, control it, etc. relatively easy.
I repeat, plugin author has to check if his script is called under WordPress environment and stop working if somebody tries to call it directly, as stand-alone script. For example, add this code at the beginning of every plugin:

if (!function_exists("get_option")) {
  echo 'Direct call is prohibited';
  die;
}

For this minor defects only I asign this plugin 4.8 rate.

Inspite of some critics, I think that this plugin is the better choice in this niche and for this time. Of course the final choice is for you. I just tried to help you in this not easy selection 🙂

Thanks for the reading,
Vladimir, ShinePHP.com

Tags: Security, WordPress, wordpress plugin review

This entry was posted on Tuesday, November 10th, 2009 at 13:08 and is filed under Security, WordPress. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.