Lockdown WP Admin plugin review

“Lockdown WordPress Admin”, or “Lockdown WP Admin” for short, is a WordPress plugin aimed at hardening WordPress security. You can find it in the WordPress plugin repository. The plugin author is Sean Fisher. The latest version available at the time of writing this review is 1.6.
Let’s go step by step through what this plugin offers the WordPress administrator to make WordPress more secure.
First, “Lockdown WP Admin” hides the wp-admin directory from visitors who are not logged in. Such a visitor gets a 404 “page not found” HTTP error in the browser when requesting the http://yourblogdomain/wp-admin/ URL.
To activate this feature, turn on the “Yes, please hide WP Admin from the user when they aren’t logged in” checkbox via the “Lockdown WP” menu item in the “Lockdown WP” submenu of your WordPress administrator dashboard. I tested it on two WordPress installations (a local one and a remote one hosted on shared 1and1.com hosting). The tests were successful in both cases. Conclusion: this useful feature works.
Lockdown WP Admin Settings

The second way to log in to WordPress, besides sending a request to the wp-admin folder directly, is the WordPress login link, wp-login.php by default. This brings us to the second feature.
Second, “Lockdown WP Admin” can change your blog’s login link, so it could be, for example, http://yourblog/secretloginlink/ instead of the default http://yourblog/wp-login.php. Tested. Conclusion: this feature also works.
The two useful features described above could help you protect your blog from brute force attacks.

The last feature concerns HTTP authentication for the users of your blog. The idea is interesting. If you turn on this feature and select the “WordPress Login Credentials” option, you do not have to modify your .htaccess or .htpasswd files manually. With this plugin, the server checks the user’s login and password against his WordPress user account when performing HTTP authentication. It’s quite a good and interesting idea, as using the .htaccess/.htpasswd technique directly is not possible if you have multi-user access to your admin back-end: it’s difficult to maintain such a password database manually.
The other option is to use a separate user name and password for HTTP authentication. You can add users to and delete users from this list via the “Private users” menu item in the “Lockdown WP” submenu.

Lockdown WP admin private users

In case something goes wrong with HTTP authentication, the plugin has a way to turn this option off without deleting the plugin itself: put an empty ‘disable_auth.txt’ file into the plugin directory.

I had problems with HTTP authentication here. The HTTP authentication feature worked on my local test installation, but it didn’t work on the site hosted at 1and1.com. Furthermore, HTTP authentication took place not before the WordPress login form was shown, but just after it. That is, WordPress checks the user name and password, tells you or an intruder whether the user name and password are valid, and shows the HTTP authentication popup window only after that. So the main purpose of using HTTP authentication, protecting the blog from brute force password cracking attacks, is not fulfilled here. If an intruder gets a valid WordPress username and password via a software bot, then he may log in by manually entering the user credentials into the HTTP authentication popup window.

Given the above, I don’t recommend using the HTTP authentication feature offered by the “Lockdown WP Admin” plugin.

The PHP code is accurate and well commented. That is a plus. The big minus I found while reading the PHP code is the spyware feature this plugin includes.
Warning! Once a week, if the user updates the plugin’s settings, the “Lockdown WP Admin” plugin sends valuable information to the plugin author’s site. The URL is http://labs.talkingwithsean.com/lockdown-api/main/send/
Let’s look at an example of the data sent to the external server:
[ld_admin_version] => 1.5
[server] => www.shinephp.my
[request_url] => /wp-admin/admin.php?page=lockdown-wp-admin
[wordpress_version] => 3.1.3
[url] => http://www.shinephp.my
[charset] => UTF-8
[login_base] => your-secret-login-directory-here
[ld_http_auth] => none
[ld_hide_wp_admin] => yep
[permalink_structure] => /%postname%
[server_software] => Apache/2.2.14 (Ubuntu)
[query_string] => page=lockdown-wp-admin
[wp_version] => 3.1.3

I’m sure that if the plugin author needs such information, he should give the user a choice and ask permission before sending this data. I don’t see that ‘Lockdown WP Admin’ works that way. So if you plan to use this generally useful plugin and don’t wish to send your data to an external server, you should comment out lines 505, 506 and 507 in the ‘lock-down-wp-admin.php’ file. See the code fragment below for reference:

504	// The stats
505	$check_stats_sent = get_transient('ld_send_stats');
506	if ( !$check_stats_sent )
507		$this->send_stats();

The method that sends your data to the plugin’s author is:

        /**
	 * Send stats
	 *
	 * Send anyomous stats to help out the development of the plugin.
	 * This should be pretty temporary.
	 * @access private
	**/
	public function send_stats()
	{
		global $wp_version;
 
		$to_post = array(
			'ld_admin_version'	=>	$this->ld_admin_version,
			'server'			=>	$_SERVER['HTTP_HOST'],
			'request_url'		=>	$_SERVER['REQUEST_URI'],
			'wordpress_version'	=>	$wp_version,
			'url'				=>	get_bloginfo( 'url' ),
			//	I reconsidered this..
			//	'admin_email'		=>	get_bloginfo('admin_email'),
			'charset'			=>	get_bloginfo('charset'),
			'login_base'		=>	$this->login_base,
			'ld_http_auth'		=>	get_option('ld_http_auth'),
			'ld_hide_wp_admin'	=>	get_option('ld_hide_wp_admin'),
			'permalink_structure'	=>	get_option('permalink_structure'),
			'server_software'		=> $_SERVER['SERVER_SOFTWARE'],
			'query_string'			=> $_SERVER['QUERY_STRING'],
			'wp_version'			=>	$wp_version,
		);
 
		if ( function_exists('got_mod_rewrite '))
			$to_post['got_mod_rewrite '] = got_mod_rewrite();
 
		$options = array(
			'timeout' => ( ( defined('DOING_CRON') && DOING_CRON ) ? 30 : 3),
			'body' => array( 'data' => serialize( $to_post ) ),
			'user-agent' => 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' )
		);
 
		$raw_response = wp_remote_post('http://labs.talkingwithsean.com/lockdown-api/main/send/', $options);
 
		//	Set that we sent it
		set_transient('ld_send_stats', 'true', 604800);
 
		//	What'd they respond?
		if ( is_wp_error( $raw_response ) )
			return FALSE;
 
		if ( 200 != $raw_response['response']['code'] )
			return FALSE;
 
		$response = json_decode( unserialize( $raw_response['body'] ) );
 
		if ( !is_array( $response ) )
			return FALSE;
 
	}
}

As we can see from the comments on the method above, it was included in the plugin temporarily. But there is nothing more permanent than something temporary. In any case, the plugin user should know if his data is sent anywhere.
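
An alternative to editing the plugin file, given here as an added example that is not part of the plugin or of the original review: a small must-use plugin that uses WordPress’s `pre_http_request` filter to stop any request to the stats host and logs which fields would have been sent. The file name and the `ld_block_*` function names are hypothetical; the host comes from the URL quoted above.

```php
<?php
// Added example, not Lockdown WP Admin code. Save as a must-use plugin, e.g.
// wp-content/mu-plugins/block-stats-host.php (file name is hypothetical).

// Hosts the site must not contact; this one comes from the URL in the review.
function ld_block_denied_hosts() {
	return array( 'labs.talkingwithsean.com' );
}

// Names of the fields a request body would have carried (values are not logged).
function ld_block_field_names( $args ) {
	$body = isset( $args['body'] ) ? $args['body'] : null;
	if ( is_array( $body ) && isset( $body['data'] ) && is_string( $body['data'] ) ) {
		// send_stats() wraps its array in serialize(); decode it without
		// instantiating objects (the options argument needs PHP 7.0+).
		$decoded = @unserialize( $body['data'], array( 'allowed_classes' => false ) );
		if ( is_array( $decoded ) ) {
			return array_keys( $decoded );
		}
	}
	return is_array( $body ) ? array_keys( $body ) : array();
}

// Runs inside the WordPress HTTP API before any request is sent. Returning
// anything other than false short-circuits the request with that value.
function ld_block_outbound( $preempt, $args, $url ) {
	$host = strtolower( (string) parse_url( $url, PHP_URL_HOST ) );
	if ( ! in_array( $host, ld_block_denied_hosts(), true ) ) {
		return $preempt; // Any other destination is left untouched.
	}
	error_log( sprintf(
		'Blocked outbound request to %s, fields: %s',
		$host,
		implode( ', ', ld_block_field_names( $args ) )
	) );
	return new WP_Error( 'ld_blocked', 'Outbound request blocked by site policy.' );
}
add_filter( 'pre_http_request', 'ld_block_outbound', 10, 3 );
```

Unlike commented-out lines in the plugin file, a must-use plugin is not overwritten when the plugin is updated. WordPress also supports the `WP_HTTP_BLOCK_EXTERNAL` and `WP_ACCESSIBLE_HOSTS` constants in wp-config.php for a default-deny policy on outbound requests.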

The text above is about version 1.6. Only 3 days after this post was published, Sean Fisher released version 1.7, which no longer contains the functionality for sending data to the external site. I compared versions 1.6 and 1.7 with a diff tool and confirm that the send_stats() method was removed from the code. Thanks to Sean for such a fast release of the updated code.
