Lockdown WP Admin plugin review


Lockdown WP Admin

The “Lockdown WordPress Admin” plugin for WordPress, or “Lockdown WP Admin” for short, is one of the plugins concerned with WordPress security enhancement. You can find it in the WordPress plugin repository. The plugin author is Sean Fisher. The latest version available at the time of writing this review is 1.6.
Let's go step by step through what this plugin offers the WordPress administrator to make WordPress more secure.
First, “Lockdown WP Admin” hides the wp-admin directory from visitors who are not logged in. Such a visitor gets a 404 Not Found HTTP error in the browser when requesting the http://yourblogdomain/wp-admin/ URL.
To activate this feature, turn on the “Yes, please hide WP Admin from the user when they aren't logged in” checkbox via the “Lockdown WP” menu item in the “Lockdown WP” submenu of your WordPress administrator dashboard. I tested it on two WordPress installations (a local one and a remote one hosted on shared 1and1.com hosting). Tests were successful in both cases. Conclusion: this useful feature works.
Lockdown WP Admin Settings


The second way to log in to WordPress, besides sending a request to the wp-admin folder directly, is the WordPress login link, wp-login.php by default. That brings us to the second feature:
Second, “Lockdown WP Admin” can change your blog's login link, so it could be e.g. http://yourblog/secretloginlink/ instead of the default http://yourblog/wp-login.php. Tested. Conclusion: this feature works as well.
The two useful features described above can help you protect your blog from brute force attacks.

The last feature concerns HTTP authentication for the users of your blog. The idea is interesting. If you turn on this feature and select the “WordPress Login Credentials” option, you don't need to modify your .htaccess or .htpasswd files manually: during HTTP authentication the server, via this plugin, checks the user's login and password against his WordPress user account. It's quite a good and interesting idea, as the direct .htaccess/.htpasswd technique is impractical if multiple users access your admin back-end; it's difficult to maintain such a password database manually.
The other option is to use a separate user name and password for HTTP authentication. You can add/delete users in such a list via the “Private users” menu item in the “Lockdown WP” submenu.

Lockdown WP admin private users


In case something goes wrong with HTTP authentication, the plugin has a way to disable this option without deleting the plugin itself: put an empty ‘disable_auth.txt’ file into the plugin directory.

I had problems with HTTP authentication here. The HTTP authentication feature worked on my local test installation, but it didn't work on the site hosted at 1and1.com. Furthermore, HTTP authentication took place not before the WordPress login form is shown, but just after it. That is, WordPress checks the user name and password, tells you (or an intruder) whether the user name and password are valid or not, and only then shows the HTTP authentication popup window. So the main purpose of using HTTP authentication, protecting the blog from brute force password cracking attacks, is not fulfilled here. If an intruder obtains a valid WordPress username and password via a software bot, he can then log in by entering the user credentials manually into the HTTP authentication popup window.

Based on the above, I don't recommend using the HTTP authentication feature offered by the “Lockdown WP Admin” plugin.
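To show what the ordering problem described above looks like when done the other way round, here is an added example of a small must-use plugin that challenges for HTTP Basic authentication before wp-login.php renders anything, and checks the supplied credentials against the WordPress user table. This is example code written for this review, not code from Lockdown WP Admin or from Sean Fisher. Assumptions: the file lives at wp-content/mu-plugins/login-gate.php, the site is served over HTTPS (Basic auth only base64-encodes the password), and the example_ function names and the disable_login_gate.txt bypass file are hypothetical names chosen here.

```php
<?php
/*
 * Added example, not Lockdown WP Admin code: gate wp-login.php behind HTTP
 * Basic authentication that is verified against WordPress credentials BEFORE
 * the login form is rendered. The 'login_init' action runs in wp-login.php
 * before any output, which is where the check has to happen so that a bot
 * never reaches the form at all.
 *
 * Assumed (hypothetical): installed as wp-content/mu-plugins/login-gate.php,
 * served over HTTPS; function names and the bypass file name are mine.
 */

// Read Basic auth credentials. mod_php fills PHP_AUTH_USER/PHP_AUTH_PW; under
// CGI/FastCGI only the raw Authorization header may be available, and only if
// the web server passes it through at all (a common reason HTTP auth in PHP
// "does nothing" on shared hosting).
function example_login_gate_credentials() {
    if ( isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
        return array( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );
    }
    $hdr = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? $_SERVER['HTTP_AUTHORIZATION'] : '';
    if ( stripos( $hdr, 'Basic ' ) === 0 ) {
        $decoded = base64_decode( substr( $hdr, 6 ), true );
        if ( $decoded !== false && strpos( $decoded, ':' ) !== false ) {
            return explode( ':', $decoded, 2 );
        }
    }
    return array( '', '' );
}

// Challenge and stop: nothing of the WordPress login form is sent.
function example_login_gate_challenge() {
    nocache_headers();
    header( 'WWW-Authenticate: Basic realm="WordPress login"' );
    status_header( 401 );
    echo 'Authentication required.';
    exit;
}

function example_login_gate() {
    // Users with a valid WordPress session (e.g. a logout request) pass.
    if ( is_user_logged_in() ) {
        return;
    }
    // Emergency switch in the spirit of the plugin's disable_auth.txt:
    // create this empty file to turn the gate off without editing code.
    if ( file_exists( __DIR__ . '/disable_login_gate.txt' ) ) {
        return;
    }

    list( $user, $pass ) = example_login_gate_credentials();
    if ( $user === '' || $pass === '' ) {
        example_login_gate_challenge();
    }

    // Verify against the WordPress user table. On failure wp_authenticate()
    // returns WP_Error and fires 'wp_login_failed', so lockout plugins that
    // count failed logins see these attempts as well.
    $result = wp_authenticate( $user, $pass );
    if ( is_wp_error( $result ) ) {
        error_log( sprintf( 'login gate: HTTP auth failed for user "%s" from %s',
            $user, $_SERVER['REMOTE_ADDR'] ) );
        example_login_gate_challenge();
    }
    // Credentials are valid: fall through and let wp-login.php render as usual.
}
add_action( 'login_init', 'example_login_gate' );
```

With this ordering an unauthenticated client only ever sees a 401 and a realm name, never the WordPress form, so the form can no longer be used to test passwords. The trade-off is the one Sean mentions in the comments: the lost-password page is also behind the gate, so a user who has forgotten the password needs the bypass file or a different recovery route.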

The PHP code is accurate and well commented, which is a plus. The big minus I found while reading the PHP code is the spyware-like feature that this plugin includes.
Warning! Once a week, when the user updates the plugin's settings, the “Lockdown WP Admin” plugin sends valuable information to the plugin author's site. The URL is http://labs.talkingwithsean.com/lockdown-api/main/send/
Let's look at an example of the data that is sent to the external server:
[ld_admin_version] => 1.5
[server] => www.shinephp.my
[request_url] => /wp-admin/admin.php?page=lockdown-wp-admin
[wordpress_version] => 3.1.3
[url] => http://www.shinephp.my
[charset] => UTF-8
[login_base] => your-secret-login-directory-here
[ld_http_auth] => none
[ld_hide_wp_admin] => yep
[permalink_structure] => /%postname%
[server_software] => Apache/2.2.14 (Ubuntu)
[query_string] => page=lockdown-wp-admin
[wp_version] => 3.1.3

I'm sure that if the plugin author needs such information, he should give the user the choice and ask for permission before sending this data. I don't see ‘Lockdown WP Admin’ working that way. So if you plan to use this generally useful plugin and don't wish to send your data to an external server, you should comment out lines #505, 506, 507 in the ‘lock-down-wp-admin.php’ file. Look at the code fragment below for your reference:

    // The stats: the transient is the "already sent this week" flag
    $check_stats_sent = get_transient('ld_send_stats');
    if ( !$check_stats_sent )

The method that sends your data to the plugin's author is:

    /**
     * Send stats
     * Send anonymous stats to help out the development of the plugin.
     * This should be pretty temporary.
     * @access private
     */
    public function send_stats()
    {
        global $wp_version;
        $to_post = array(
            'ld_admin_version'      => $this->ld_admin_version,
            'server'                => $_SERVER['HTTP_HOST'],
            'request_url'           => $_SERVER['REQUEST_URI'],
            'wordpress_version'     => $wp_version,
            'url'                   => get_bloginfo( 'url' ),
            //  I reconsidered this..
            //  'admin_email'       => get_bloginfo('admin_email'),
            'charset'               => get_bloginfo('charset'),
            'login_base'            => $this->login_base,
            'ld_http_auth'          => get_option('ld_http_auth'),
            'ld_hide_wp_admin'      => get_option('ld_hide_wp_admin'),
            'permalink_structure'   => get_option('permalink_structure'),
            'server_software'       => $_SERVER['SERVER_SOFTWARE'],
            'query_string'          => $_SERVER['QUERY_STRING'],
            'wp_version'            => $wp_version,
        );
        // Note the trailing space inside the quotes: this check never matches,
        // which is why got_mod_rewrite is absent from the data dump above.
        if ( function_exists('got_mod_rewrite '))
            $to_post['got_mod_rewrite '] = got_mod_rewrite();
        $options = array(
            'timeout'    => ( ( defined('DOING_CRON') && DOING_CRON ) ? 30 : 3),
            'body'       => array( 'data' => serialize( $to_post ) ),
            'user-agent' => 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' )
        );
        $raw_response = wp_remote_post('http://labs.talkingwithsean.com/lockdown-api/main/send/', $options);
        //  Set that we sent it (transient expires after 604800 s = one week)
        set_transient('ld_send_stats', 'true', 604800);
        //  What'd they respond?
        if ( is_wp_error( $raw_response ) )
            return FALSE;
        if ( 200 != $raw_response['response']['code'] )
            return FALSE;
        $response = json_decode( unserialize( $raw_response['body'] ) );
        if ( !is_array( $response ) )
            return FALSE;
        // ... the rest of the method is not quoted here
    }

As we can see from the comments on the method above, it was included in the plugin temporarily. But there is nothing more permanent than something temporary. In any case, the plugin user should know whether his data is sent anywhere.
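Reading the whole source of every plugin, as was done for this review, is the reliable way to find a routine like send_stats(), but a quick static check gives you the list of places to read first. The following is an added example written for this review, not part of the plugin or of the original post: a PHP CLI script that walks a plugin directory, reports every outbound HTTP call (WordPress HTTP API functions and the raw PHP transports) together with the literal URL on that line, and runs itself against a constructed sample plugin file of the same shape as the routine quoted above. The example_ names, the sample file and the .invalid hostname are all made up for the demo.

```php
<?php
/*
 * Added example, not part of the review or the plugin: list every outbound
 * HTTP call in a plugin directory, with the literal URL it targets, so an
 * administrator can see where a plugin phones home before activating it.
 * The sample plugin written below is constructed for this demo.
 */

// Functions that make outbound requests in WordPress code: the HTTP API
// wrappers and the raw PHP transports plugins sometimes use instead.
const EXAMPLE_CALL_PATTERN =
    '/\b(wp_remote_(?:post|get|request|head)|wp_safe_remote_(?:post|get|request)|curl_init|file_get_contents|fsockopen)\s*\(/';
const EXAMPLE_URL_PATTERN = '#https?://[^\s\'"\)]+#i';

function example_find_outbound_calls( $dir ) {
    $findings = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( strtolower( $file->getExtension() ) !== 'php' ) {
            continue;
        }
        foreach ( file( $file->getPathname() ) as $n => $line ) {
            if ( ! preg_match( EXAMPLE_CALL_PATTERN, $line, $m ) ) {
                continue;
            }
            // A literal URL on the same line is the easy case; a variable
            // means the destination is built elsewhere and needs a manual look.
            $url = preg_match( EXAMPLE_URL_PATTERN, $line, $u )
                ? $u[0] : '(URL not literal, inspect manually)';
            $findings[] = array(
                'file'     => substr( $file->getPathname(), strlen( $dir ) + 1 ),
                'line'     => $n + 1,
                'function' => $m[1],
                'url'      => $url,
            );
        }
    }
    return $findings;
}

// Constructed sample plugin that reports site details to a remote server
// once a week, the same shape as the routine quoted in the review.
$sample = <<<'PHP'
<?php
function sample_send_stats() {
    global $wp_version;
    $body = array( 'data' => serialize( array(
        'server'  => $_SERVER['HTTP_HOST'],
        'version' => $wp_version,
    ) ) );
    $r = wp_remote_post( 'http://stats.plugin-author.invalid/send/', array( 'body' => $body ) );
    set_transient( 'sample_stats_sent', 'true', 604800 );
    return $r;
}
PHP;

$dir = sys_get_temp_dir() . '/example-plugin-' . uniqid();
mkdir( $dir );
file_put_contents( $dir . '/sample.php', $sample );

foreach ( example_find_outbound_calls( $dir ) as $f ) {
    printf( "%s:%d  %s()  ->  %s\n", $f['file'], $f['line'], $f['function'], $f['url'] );
}

// Tidy up the temporary sample.
unlink( $dir . '/sample.php' );
rmdir( $dir );
```

Run it with `php scan.php` and point `example_find_outbound_calls()` at wp-content/plugins/<plugin>/ for a real check. Every hit deserves a look: some are legitimate (update checks against wordpress.org, licence validation), but a call whose body serializes $_SERVER values and site options, as send_stats() above does, is exactly the kind of line a user would want to know about before the plugin is switched on.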

The text above is about version 1.6. Only 3 days after this post was published, Sean Fisher released version 1.7, which is free of the functionality that sends data to an external site. I compared versions 1.6 and 1.7 with a diff tool and confirm that the send_stats() method was removed from the code. Thanks to Sean for releasing the updated code so fast.


  • Several users were having issues with getting the hidden path set up. These were only temporarily put in so we could have an understanding of the issues that users are having. They were just taken out in 1.7. Nothing was violated.

  • Also, if we added the HTTP auth to the wp-login.php screen, it would remove the user’s ability to request a new password. We might be adding this in a future release, but that is based upon my own time constraints.


  • Thank you Sean for such a fast and positive reaction. I confirm here that version 1.7 no longer has the statistics sending functionality. I will add a sentence about it to my post.

  • Are there any error messages? Maybe in the logs.
    Try setting WP_DEBUG to 1 in wp-config.php.
    There should be more visible information about the problem.

  • Jason

    Always providing the best information ever! This was exactly what I was looking for to protect my wp-admin login. However, Vladimir, you could always do a review of another one I found, called the “Hide Login” plugin.

    I found this one to be always identical in the setting screenshot to “Stealth Login.”

    But in terms of which one is better…Lockdown WP Admin vs. Hide Login…would you recommend one to me, with pros and cons?

    Thanks a bunch.

  • Thanks for the post request. I will take a look at the ‘Hide Login’ plugin and share my conclusion with you by publishing a review of ‘Hide Login’ next.

  • Jason


    Another thing, Vladimir: I have this Lockdown WP Admin in use. It is a decent plugin protecting “wp-admin,” and as a plus, it doesn't mess with the .htaccess file to work; however, it doesn't protect against when I type the actual file itself, “wp-login.php.”

    Anybody using WordPress knows about typing “wp-admin” to access the login page to attempt a forced login, but then there are those who know about “wp-login.php” as an alternative direct link to the file.

    Therefore, even with this plugin, people can still access the login page with “wp-login.php.”

    What do you recommend for this? Is there another plugin that protects both “wp-admin” and “wp-login.php”…protecting the login page completely (preferably without updating the .htaccess file)?

  • I made some tests and I do not recommend using the Hide Login plugin in its current state.
    It still has the problem with the ‘logout’ tag, like its ancestor ‘Stealth Login’, on whose code it is built. Moreover, if you turn on WordPress permalink structure usage, you will lose your blog: the login feature will stop working until you restore .htaccess to its original state. As for your second question, I don't know a solution at this moment.

  • Jason

    Well, thanks for your response! Very much appreciated!

  • Сергей Севрюгин

    I moved the site to another hosting provider. The domain is the same. The site itself works, but I can no longer get into the admin area. Deleting the plugin does not help. Placing the file that disables the plugin, as described in the plugin documentation, does not work. Changes in the wp_options table do not help either. Deleting the plugin still does not let me into the admin area. What do I do now, is the site dead?

  • A@biskar

    Hey, I made a silly mistake!!!! I installed everything and under HTTP Authentication I chose Private user and password and saved the settings..immediately it asked for HTTP authentication in the current admin page….Now I am locked out here..What is the default password for HTTP authentication???? Somehow I deleted the file from the plugins folder but still, after removal, I installed again and the same thing happened ..Maybe some settings have been applied till now…..Sorry for the silly mistake…Please help me

  • Plugin author recommends this in plugin FAQ:

    – How can I get back in if Lockdown WP Admin locked me out?

    You can create a .txt file named ‘disable_auth.txt’ in your wp-content/plugins/lockdown-wp-admin/ folder (The file location would be /wp-content/plugins/lockdown-wp-admin/disable_auth.txt). We don’t care about the content but that will disable the HTTP Auth and whatever was locking you out of your site.

  • A@biskar

    Thanks I got it…