This review covers the Login LockDown v1.5 WordPress plugin.
Date of review: 19th September 2009
Author profile: Michael VanDeMar
WordPress plugin directory link: Login LockDown
According to the author's description, the Login LockDown WordPress plugin adds extra security to WordPress by limiting the rate at which failed logins can be retried from a given IP range. The plugin records the IP address and timestamp of every failed login attempt. If more than a set number of attempts are detected within a short period from the same IP range, the login function is disabled for all requests from that range. This helps prevent brute-force password guessing.
After testing it and using it on a live site, I confirm that the Login LockDown WordPress plugin really has the functionality its author declares. But the plugin has some security and usability issues.
This review does not describe how to install or use the plugin; that is the plugin author's job, and Michael has done it well enough at his Bad Neighborhood site. I will tell you how the Login LockDown plugin works for me: what I like and what I don't like. I have read the plugin's PHP code carefully, and as a PHP/MySQL developer myself I will share my opinion of it and discuss some security issues of this plugin in this post.
The plugin is well made: its code is accurate, easy to read, and commented where needed. It contains no hidden code that does anything not declared in the author's plugin description.
For your security: the Login LockDown WordPress plugin has been checked by an independent developer.
I have used Login LockDown since version 1.3 and have not met any bugs. Michael (the author) works hard to enhance his plugin, and it is updated often:
- ver. 1.5 17-Sep-2009
- ver. 1.4 29-Aug-2009
- ver. 1.3 23-Feb-2009
Most importantly, the author releases security updates. Thank you, Michael, for your good work and useful plugin.
Those were the things I like about this plugin.
What don't I like? I describe it below, together with the questions and suggestions I have about the Login LockDown plugin.
First of all, concerning security, I repeat it again: "Silence is golden". If you don't know why, you can read my previous posts on the subject:
To advertise itself, the Login LockDown plugin adds this text to the WordPress login form:
Login form protected by Login LockDown.
If the bad guy attacking your blog knows less about your installation (WordPress version, list of plugins and their versions), he has to spend more time and effort to break in. If he knows that the login form is protected by Login LockDown, he may think:
"Wow! Version 1.4 has a "security hole with an improperly escaped SQL query" (see the ver. 1.5, 17-Sep-2009 update note at the beginning of loginlockdown.php); I will try to exploit it!" If a blog owner runs an old version of Login LockDown, the site is vulnerable, and the signature itself tells the attacker which vulnerabilities to try.
I would prefer an option on the Settings page to show or hide the Login LockDown advertisement on the WordPress login form. Since the plugin has no such option, I use my own fix for this issue.
To remove the "Login form protected by Login LockDown" signature from the WordPress login form, use this hack: open the functions.php file in your blog's theme folder and add these lines after the opening <?php tag:

// Remove Login LockDown advertisement from the login form
remove_action('login_form', 'll_credit_link');

This works because WordPress loads plugins before the active theme's functions.php, so the plugin's ll_credit_link action is already registered by the time remove_action() runs. Check the login page afterwards: if the line is still shown, the plugin registered the action with a non-default priority, and you must pass the same priority as the third argument of remove_action().
Second, when an intruder exhausts the invalid-login limit, Login LockDown shows a special error message:
"ERROR: We're sorry, but this IP range has been blocked due to too many recent".
This clearly tells the intruder that the blog has Login LockDown installed. Again, as a blog owner I would prefer an option to show this special message or not. Ideally, my login form should behave the same as the WordPress default one, or differently but identically for every kind of login error.
To show a single login error message in every situation, add this code to your theme's functions.php file:

// Show one generic message for every login error, including
// Login LockDown's message about IP blocking
function login_error_mess() {
    return 'ERROR: Invalid username or password.';
}
add_filter('login_errors', 'login_error_mess');

A side benefit: the stock WordPress messages distinguish an unknown username from a wrong password, which lets an attacker confirm which usernames exist; the single generic message hides that difference too. The lockdown itself still applies; only the text shown to the visitor changes.
Third, if you request the loginlockdown.php file directly in a browser,
http://www.yourdomain.com/wp-content/plugins/loginlockdown/loginlockdown.php
and PHP error display is not turned off on your site, you will see this error message in your browser:
Fatal error: Call to undefined function get_option() in /homepages/xxx/xxx/htdocs/dev/wp-content/plugins/loginlockdown/loginlockdown.php on line 186
That is, a bad guy can discover the real filesystem path of your site. On its own this is only an information leak, but if he knows which shared hosting you use and the provider has a security hole in its system, the known path makes it much easier for him to reach your site, read its data, take control of it, and so on.
The plugin author should check that the script is running inside the WordPress environment and stop if someone calls it as a stand-alone script.
Finally, some technical questions and suggestions for Michael, the Login LockDown developer.
Login LockDown stores information about every invalid login attempt in the WordPress database, and when the invalid-login limit is exhausted it creates a record for the blocked IP. The current version has no mechanism to delete old records from the database. I have got 20 records in this plugin's database table on a development site during two weeks, where I am the only user. Imagine a site with a lot of registered users: how many records will this plugin store after 3-6 months of operation? After one year? After 3-5 years? Yes, I can delete old records myself using phpMyAdmin or by writing my own routine. But what will people who are just bloggers, not coders or database administrators, do?

Moreover, on each login attempt Login LockDown queries its database table for the number of previous invalid login attempts from the same IP range. With 10, 20 or even 100 records in the table this is not time consuming. But imagine the table with 100,000 records in it. The table has no indexes to speed up the search, so every login attempt reads every row, and on a really large dataset that slows the login process dramatically. In some cases it can become impossible to log in at all. Why? Every script has an execution time limit, and on shared hosting that limit is very low. Memory for script execution is limited too, and on shared hosting the site owner cannot raise it.
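Here is one way to address the last two points (the stand-alone call and the ever-growing table) in a single small companion plugin. This is an added example written for this review, not code from Login LockDown or from Michael. The table names login_fails and lockdowns, the columns login_attempt_IP, login_attempt_date and release_date, the 30-day retention period and all lld_hk_* names are assumptions; check the real schema with SHOW CREATE TABLE on your site before using it.

```php
<?php
/*
Plugin Name: Login LockDown Housekeeping (example)
Description: Added example, not part of Login LockDown. Guards against direct
             requests and purges old failed-login rows on a daily schedule.
*/

// 1. Refuse to run outside WordPress. wp-load.php defines ABSPATH before any
//    plugin file is included; a direct browser request to this file never has
//    it, so we exit silently instead of dying with a fatal error that prints
//    the server's filesystem path.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Assumptions (not taken from the plugin): table and column names, and how
// much history to keep. Verify them against SHOW CREATE TABLE on your site.
define( 'LLD_HK_FAILS_TABLE', 'login_fails' );   // assumed: $wpdb->prefix . this
define( 'LLD_HK_LOCKS_TABLE', 'lockdowns' );     // assumed: $wpdb->prefix . this
define( 'LLD_HK_KEEP_DAYS',   30 );              // days of history to keep
define( 'LLD_HK_EVENT',       'lld_hk_daily_cleanup' );

register_activation_hook( __FILE__, 'lld_hk_activate' );
register_deactivation_hook( __FILE__, 'lld_hk_deactivate' );
add_action( LLD_HK_EVENT, 'lld_hk_cleanup' );

// 2. On activation: schedule the daily purge, and add an index so the plugin's
//    per-login lookup (assumed to filter on an IP prefix and a date) can seek
//    through the B-tree instead of scanning every row.
function lld_hk_activate() {
    global $wpdb;

    if ( ! wp_next_scheduled( LLD_HK_EVENT ) ) {
        wp_schedule_event( time(), 'daily', LLD_HK_EVENT );
    }

    $table = $wpdb->prefix . LLD_HK_FAILS_TABLE;
    $index = $wpdb->get_var( $wpdb->prepare(
        "SHOW INDEX FROM `$table` WHERE Key_name = %s", 'lld_hk_ip_date'
    ) );
    if ( null === $index ) {
        // assumed column names: login_attempt_IP, login_attempt_date
        $wpdb->query(
            "ALTER TABLE `$table` ADD INDEX lld_hk_ip_date (login_attempt_IP, login_attempt_date)"
        );
    }
}

function lld_hk_deactivate() {
    wp_clear_scheduled_hook( LLD_HK_EVENT );
}

// 3. The purge itself. It runs from WP-Cron, so it never adds work to a login
//    request, and it lets MySQL compute the cutoff with NOW() so the comparison
//    uses the same clock the rows were stamped with. Returns the number of rows
//    deleted per table, which is convenient for logging or a manual test call.
function lld_hk_cleanup() {
    global $wpdb;

    $fails = $wpdb->prefix . LLD_HK_FAILS_TABLE;
    $locks = $wpdb->prefix . LLD_HK_LOCKS_TABLE;

    // Failed attempts older than the retention window play no part in rate
    // limiting any more. Lockdown rows are dropped once their (assumed)
    // release_date is also older than the window, so active blocks survive.
    $deleted_fails = $wpdb->query( $wpdb->prepare(
        "DELETE FROM `$fails` WHERE login_attempt_date < NOW() - INTERVAL %d DAY",
        LLD_HK_KEEP_DAYS
    ) );
    $deleted_locks = $wpdb->query( $wpdb->prepare(
        "DELETE FROM `$locks` WHERE release_date < NOW() - INTERVAL %d DAY",
        LLD_HK_KEEP_DAYS
    ) );

    return array(
        'login_fails' => (int) $deleted_fails,
        'lockdowns'   => (int) $deleted_locks,
    );
}
```

Put the file in wp-content/plugins/ and activate it; the activation hook creates the index once and WP-Cron calls lld_hk_cleanup() daily thereafter. The two-line ABSPATH guard at the top is exactly what the plugin author could add to loginlockdown.php itself: requested directly, the file then produces an empty response instead of a fatal error containing the server path.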
Despite this criticism (take it as a direction to go in), I recommend this plugin to every owner of a self-hosted WordPress blog as a 'must have' security tool.
Thanks for reading,
Vladimir, ShinePHP.com
Tags: plugins, Security, wordpress plugin review