Lockdown WP Admin plugin review

Lockdown WP Admin


“Lockdown WordPress Admin”, or “Lockdown WP Admin” for short, is a WordPress plugin concerned with WordPress security enhancement. You can find it in the WordPress plugin repository. The plugin author is Sean Fisher. The latest version available at the time of writing this review is 1.6.
Let's go step by step through what this plugin offers the WordPress administrator to make WordPress more secure.
First, “Lockdown WP admin” hides the wp-admin directory from visitors who are not logged in. Such a visitor gets a 404 Not Found HTTP error in the browser when requesting the http://yourblogdomain/wp-admin/ URL.
To activate this feature, turn on the “Yes, please hide WP Admin from the user when they aren’t logged in” checkbox via the “Lockdown WP” menu item in the “Lockdown WP” submenu of your WordPress administrator dashboard. I tested it on two WordPress installations (a local one and a remote one hosted on 1and1.com shared hosting). Tests were successful in both cases. Conclusion: this useful feature works.
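To make the first feature concrete, here is a minimal stand-alone plugin that does the same job: it answers anonymous requests to wp-admin with a 404 instead of WordPress's usual redirect to the login form. This is an added example written for this review, not code from the Lockdown WP Admin plugin; the plugin header and the `example_` function name are my own.

```php
<?php
/*
Plugin Name: Hide wp-admin from anonymous visitors (added example)
Description: Returns 404 for /wp-admin/ requests from visitors who are not logged in.
*/

// Hook early on 'init': the current user is already determined here, but
// wp-admin/admin.php has not yet called auth_redirect(), which would
// otherwise send the visitor to wp-login.php.
add_action( 'init', 'example_hide_wp_admin_from_guests', 1 );

function example_hide_wp_admin_from_guests() {
	// admin-ajax.php and admin-post.php live under wp-admin but are
	// legitimately used by logged-out visitors (front-end AJAX, nopriv
	// actions), so they must keep working.
	if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
		return;
	}
	if ( isset( $GLOBALS['pagenow'] ) && 'admin-post.php' === $GLOBALS['pagenow'] ) {
		return;
	}

	// Only act on admin screens, and only for visitors without a valid login cookie.
	if ( ! is_admin() || is_user_logged_in() ) {
		return;
	}

	// Answer like a missing page: status 404, no caching, and no hint that an
	// admin area exists at this path. wp_die() sends the status and stops.
	nocache_headers();
	wp_die( 'Not Found', 'Not Found', array( 'response' => 404 ) );
}
```

wp-login.php is not an admin screen (`is_admin()` is false there), so logging in still works; this is why the review treats the login URL as a separate, second feature. Hiding wp-admin only removes the obvious path, it does not change how passwords are checked, so it complements strong passwords rather than replacing them.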
Lockdown WP Admin Settings


The second way to log into WordPress, besides sending a request directly to the wp-admin folder, is the WordPress login link, wp-login.php by default. So we come to the second feature.
Second, “Lockdown WP admin” can change your blog's login link, so it could be e.g. http://yourblog/secretloginlink/ instead of the default http://yourblog/wp-login.php. Tested. Conclusion: this feature works too.
The two useful features described above can help you protect your blog from brute force attacks.

The last feature concerns an HTTP authentication mechanism for users of your blog. The idea is interesting. If you turn on this feature and select the “WordPress Login Credentials” option, you do not need to modify your .htaccess or .htpasswd files manually: thanks to the plugin, the server checks the user's login and password against his WordPress user account when performing HTTP authentication. It's quite a good and interesting idea, since the direct .htaccess/.htpasswd technique is impractical if multiple users have access to your admin back-end; such a password database is difficult to maintain manually.
The other option is to use a separate user name and password for HTTP authentication. You can add or delete users in that list via the “Private users” menu item in the “Lockdown WP” submenu.

Lockdown WP admin private users


In case something goes wrong with HTTP authentication, the plugin has a way to disable this option without deleting the plugin itself: put an empty ‘disable_auth.txt’ file into the plugin directory.

I had problems with HTTP authentication. The HTTP authentication feature worked on my local test installation, but it didn't work on the site hosted at 1and1.com. Furthermore, HTTP authentication took place not before the WordPress login form was shown, but just after it. That is, WordPress first checks the user name and password, tells you (or an intruder) whether they are valid or not, and only then shows the HTTP authentication popup window. Thus the main purpose of using HTTP authentication, protecting the blog from brute force password cracking attacks, is not fulfilled here. If an intruder obtains a valid WordPress username and password via a software bot, he can then log in by manually entering the credentials into the HTTP authentication popup window.

Based on the above, I don't recommend using the HTTP authentication feature offered by the “Lockdown WP admin” plugin.
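The ordering problem described above (WordPress validating the form credentials before the HTTP authentication challenge is issued) comes down to which hook the check runs on. The following added example, written for this review and not taken from the Lockdown WP Admin plugin, performs the Basic authentication check on `login_init`, which wp-login.php runs before it renders or processes the form, so an unauthenticated request never reaches the WordPress username/password check. The plugin header and the `example_` function name are assumptions of mine.

```php
<?php
/*
Plugin Name: Basic auth gate in front of wp-login.php (added example)
Description: Requires valid HTTP Basic credentials (checked against WordPress users) before the login form is shown.
*/

// 'login_init' fires at the top of wp-login.php, before any form handling,
// which is where the check must sit for it to be a real gate.
add_action( 'login_init', 'example_basic_auth_gate' );

function example_basic_auth_gate() {
	// A visitor with a valid login cookie (e.g. clicking "Log out") has
	// already proven who they are; do not challenge them again.
	if ( is_user_logged_in() ) {
		return;
	}

	$user = isset( $_SERVER['PHP_AUTH_USER'] ) ? $_SERVER['PHP_AUTH_USER'] : '';
	$pass = isset( $_SERVER['PHP_AUTH_PW'] )   ? $_SERVER['PHP_AUTH_PW']   : '';

	if ( '' !== $user && '' !== $pass ) {
		// Same check the login form performs: returns a WP_User on success,
		// a WP_Error otherwise. Nothing about the outcome is echoed back
		// beyond the generic 401 below.
		$result = wp_authenticate( $user, $pass );
		if ( ! is_wp_error( $result ) ) {
			return; // gate passed; wp-login.php continues to its normal form
		}
	}

	// Missing or wrong credentials: challenge the browser and stop here.
	// The WordPress form, and its "invalid username / incorrect password"
	// feedback, is never reached in this case.
	header( 'WWW-Authenticate: Basic realm="Restricted"' );
	status_header( 401 );
	nocache_headers();
	exit( 'Authorization required' );
}
```

Two caveats a practitioner should keep in mind. Basic authentication sends the password base64-encoded on every request, so this only makes sense over HTTPS. And on CGI/FastCGI hosting PHP frequently does not populate `PHP_AUTH_USER`/`PHP_AUTH_PW` unless the `Authorization` header is forwarded explicitly (typically via a rewrite rule), which is a common reason Basic-auth plugins work locally but not on shared hosting; the review does not establish that this is what happened on 1and1.com, only that the feature did not work there.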

The PHP code is accurate and well commented, which is a plus. The big minus I found while reading the PHP code is the “spyware” feature this plugin includes.
Warning! Once a week, when a user updates the plugin's settings, the “Lockdown WP admin” plugin sends information to the plugin author's site. The URL is http://labs.talkingwithsean.com/lockdown-api/main/send/
Let's look at an example of the data sent to the external server:
[ld_admin_version] => 1.5
[server] => www.shinephp.my
[request_url] => /wp-admin/admin.php?page=lockdown-wp-admin
[wordpress_version] => 3.1.3
[url] => http://www.shinephp.my
[charset] => UTF-8
[login_base] => your-secret-login-directory-here
[ld_http_auth] => none
[ld_hide_wp_admin] => yep
[permalink_structure] => /%postname%
[server_software] => Apache/2.2.14 (Ubuntu)
[query_string] => page=lockdown-wp-admin
[wp_version] => 3.1.3

I'm sure that if the plugin author needs such information, he should give the user a choice and ask permission before sending this data. I don't see that ‘Lockdown WP admin’ works that way. So if you plan to use this generally useful plugin and don't wish to send your data to an external server, comment out lines 505, 506 and 507 in the ‘lock-down-wp-admin.php’ file. See the code fragment below for reference:

504	// The stats
505	$check_stats_sent = get_transient('ld_send_stats');
506	if ( !$check_stats_sent )
507	  $this->send_stats();

The method which sends your data to the plugin's author is:

        /**
	 * Send stats
	 *
	 * Send anyomous stats to help out the development of the plugin.
	 * This should be pretty temporary.
	 * @access private
	**/
	public function send_stats()
	{
		global $wp_version;
 
		$to_post = array(
			'ld_admin_version'	=>	$this->ld_admin_version,
			'server'			=>	$_SERVER['HTTP_HOST'],
			'request_url'		=>	$_SERVER['REQUEST_URI'],
			'wordpress_version'	=>	$wp_version,
			'url'				=>	get_bloginfo( 'url' ),
			//	I reconsidered this..
			//	'admin_email'		=>	get_bloginfo('admin_email'),
			'charset'			=>	get_bloginfo('charset'),
			'login_base'		=>	$this->login_base,
			'ld_http_auth'		=>	get_option('ld_http_auth'),
			'ld_hide_wp_admin'	=>	get_option('ld_hide_wp_admin'),
			'permalink_structure'	=>	get_option('permalink_structure'),
			'server_software'		=> $_SERVER['SERVER_SOFTWARE'],
			'query_string'			=> $_SERVER['QUERY_STRING'],
			'wp_version'			=>	$wp_version,
		);
 
		if ( function_exists('got_mod_rewrite '))
			$to_post['got_mod_rewrite '] = got_mod_rewrite();
 
		$options = array(
			'timeout' => ( ( defined('DOING_CRON') && DOING_CRON ) ? 30 : 3),
			'body' => array( 'data' => serialize( $to_post ) ),
			'user-agent' => 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' )
		);
 
		$raw_response = wp_remote_post('http://labs.talkingwithsean.com/lockdown-api/main/send/', $options);
 
		//	Set that we sent it
		set_transient('ld_send_stats', 'true', 604800);
 
		//	What'd they respond?
		if ( is_wp_error( $raw_response ) )
			return FALSE;
 
		if ( 200 != $raw_response['response']['code'] )
			return FALSE;
 
		$response = json_decode( unserialize( $raw_response['body'] ) );
 
		if ( !is_array( $response ) )
			return FALSE;
 
	}
}

As we can see from the comments on the method above, it was included in the plugin temporarily. But there is nothing more permanent than something temporary. In any case, the plugin user should know whether his data is sent anywhere.
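Commenting out lines in the plugin file works, but the edit is lost on the next plugin update. An alternative that survives updates is to intercept the outbound request at the WordPress HTTP API layer. The following is an added example written for this review, not part of the Lockdown WP Admin plugin: dropped into wp-content/mu-plugins/, it short-circuits any `wp_remote_post()`/`wp_remote_get()` call to the host quoted above by returning a `WP_Error` from the `pre_http_request` filter. The function names are my own; the blocked host is the one from the plugin's `send_stats()` method.

```php
<?php
/*
Plugin Name: Block plugin telemetry (added example, mu-plugin)
Description: Refuses outbound WP HTTP API requests to listed hosts and logs the attempt.
*/

// Hosts that must never receive requests from this site. The entry below is
// the host that send_stats() in Lockdown WP Admin 1.6 posts to.
function example_blocked_telemetry_hosts() {
	return array( 'labs.talkingwithsean.com' );
}

// 'pre_http_request' runs inside WP_Http::request() before any connection is
// made. Returning anything other than false is handed back to the caller as
// the response, so the network call never happens.
function example_block_telemetry( $preempt, $args, $url ) {
	$host = parse_url( $url, PHP_URL_HOST );
	if ( $host && in_array( strtolower( $host ), example_blocked_telemetry_hosts(), true ) ) {
		$method = isset( $args['method'] ) ? $args['method'] : 'GET';
		// Leave a trace in the PHP error log so the administrator can see
		// which plugin tried to phone home, and what it tried to send.
		error_log( sprintf( 'Blocked outbound %s request to %s', $method, $url ) );
		return new WP_Error( 'http_request_blocked', 'Outbound telemetry blocked by site policy.' );
	}
	return $preempt; // false: let every other request proceed normally
}
add_filter( 'pre_http_request', 'example_block_telemetry', 10, 3 );
```

With this in place the `wp_remote_post()` call in `send_stats()` receives a `WP_Error`, and the method's `is_wp_error()` check returns `FALSE`. Because `set_transient( 'ld_send_stats', ... )` runs before that check, the plugin still records the attempt as done and does not retry on every page load. The same hook is a convenient place to log every outbound request while auditing a new plugin, which is how behaviour like the one described in this review is found without reading all of the code.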

The text above is about version 1.6. Only 3 days after this post was published, Sean Fisher released version 1.7, which is free of the functionality that sends data to an external site. I compared versions 1.6 and 1.7 with a diff tool and confirm that the send_stats() method was removed from the code. Thanks to Sean for such a fast release of the updated code.


  • http://talkingwithsean.com Sean Fisher

    Several users were having issues with getting the hidden path set up. These were only temporarily put in so we could have an understanding of the issues that users are having. They were just taken out in 1.7. Nothing was violated.

  • http://talkingwithsean.com Sean Fisher

    Also, if we added the HTTP auth to the wp-login.php screen, it would remove the user’s ability to request a new password. We might be adding this in a future release, but that is based upon my own time constraints.

    Sean

  • http://shinephp.com Vladimir Garagulya

    Thank you, Sean, for such a fast and positive reaction. I confirm here that version 1.7 no longer has the statistics sending functionality. I will add a sentence about it to my post.

  • http://shinephp.com Vladimir Garagulya

    Are there any error messages? Perhaps in the logs.
    Try setting WP_DEBUG to 1 in wp-config.php.
    There should be more visible information about the problems.

  • Jason

    Always providing the best information ever! This was exactly what I was looking for to protect my wp-admin login. However, Vladimir, could you also do a review of another one I found, called the “Hide Login” plugin?

    I found this one to be always identical in the setting screenshot to “Stealth Login.”

    But in terms of which one is better…Lockdown WP Admin VS Hide Login…could you give me a recommendation with pros and cons?

    Thanks a bunch.

  • http://shinephp.com Vladimir Garagulya

    Thanks for the post request. I will take a look at the ‘Hide Login’ plugin and share my conclusion with you by publishing a review of ‘Hide Login’ next.

  • Jason

    GREAT!

    Another thing, Vladimir: I have this Lockdown WP Admin in use. It is a decent plugin protecting “wp-admin,” and as a plus, it doesn’t mess with the .htaccess file to work; however, it doesn’t protect against when I type the actual file itself, “wp-login.php.”

    Anybody using WordPress knows about typing “wp-admin” to access the login page to attempt a forced login, but then there are those who know about “wp-login.php” as an alternative direct link to the file.

    Therefore, even with this plugin, people can still access the login page with “wp-login.php.”

    What do you recommend for this? Is there another plugin that protects both “wp-admin” and “wp-login.php”…protecting the login page completely (preferably without updating the .htaccess file)?

  • http://shinephp.com Vladimir Garagulya

    I made some tests and I do not recommend using the Hide Login plugin in its current state.
    It still has a problem with the ‘logout’ tag, as does its ancestor ‘Stealth Login’, on whose code it is built. Moreover, if you turn on WordPress permalink structure usage you will lose your blog: the login feature will stop working until you restore .htaccess to its original state. As for your second question, I don’t know a solution at the moment.

  • Jason

    Well, thanks for your response! Very much appreciated!