Login LockDown WordPress plugin Review

WordPress Plugin Review

This review is made for Login LockDown v.1.5 WordPress plugin.
Date of review: 19th September 2009
Rating: 4.0
Author profile: Michael VanDeMar
WordPress plugin directory link: Login LockDown

According to the author’s description, the Login LockDown WordPress plugin adds some extra security to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range. The plugin records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that IP range. This helps to prevent brute-force password discovery.
After testing it and using it on a live site, I can confirm that the Login LockDown WordPress plugin really has the functionality its author declares. But the plugin has some security and usability issues.

This review does not describe how to install or use this plugin. That is the plugin author’s task, and Michael has done it well enough at his Bad Neighborhood site. I will tell you how the Login LockDown WordPress plugin works for me: what I like and what I don’t like. I have read this plugin’s PHP code carefully, and in this post I will share my opinion about the Login LockDown plugin as a PHP/MySQL developer myself and discuss some security issues of this plugin with you.

This plugin is well made: its code is accurate, easy to read, and commented where needed. It contains no hidden code that does anything not declared by the author in the plugin description.

For your security: the Login LockDown WordPress plugin has been checked by an independent developer.

I started using Login LockDown at version 1.3 and I have not met any bugs. Michael (the author) works hard to enhance his plugin. It is updated often:

  • ver. 1.5 17-Sep-2009
  • ver. 1.4 29-Aug-2009
  • ver. 1.3 23-Feb-2009

The most important thing is that the author makes security updates. Thank you, Michael, for your good work and useful plugin.

Those were all the things I like about using this plugin.

What don’t I like? I describe it below, together with the questions and suggestions I have about the Login LockDown plugin.

First of all, concerning security, I repeat it again: “Silence is golden”. If you don’t know why, you can read my previous posts on this:

To advertise itself, the Login LockDown plugin adds this text to the WordPress login dialog box:

Login form protected by Login LockDown.

If the bad guy attacking your blog knows less about your site installation (WordPress version, installed plugins and their versions), he has to spend more time and effort to hack your site. If he knows that the login form is protected by the Login LockDown plugin, he may think:

“Wow! Version 1.4 has a “security hole with an improperly escaped SQL query” (see the ver. 1.5 17-Sep-2009 update information at the beginning of loginlockdown.php); I will try to exploit it!” If a WordPress blog owner uses an old Login LockDown plugin version, his site is vulnerable, and the site itself tells the attacker about its possible vulnerabilities.

I would prefer an option on the Settings page to show or hide that Login LockDown advertisement in the WordPress login dialog. Since the plugin has no such option, I have my own solution for this issue.

In order to remove the “Login form protected by Login LockDown” signature from the WordPress login dialog you can use this hack: just open the functions.php file from your blog theme folder and add one line of code at the beginning of the file:

      // Remove Login LockDown advertisement from Login Dialog
      remove_action('login_form', 'll_credit_link');

Second, when an intruder has exhausted the invalid login attempt limit, Login LockDown shows a special error message:

“ERROR: We’re sorry, but this IP range has been blocked due to too many recent”.

It clearly shows the intruder that this blog has Login LockDown installed. Again, as a blog owner, I would prefer an option to show this special message or not. Ideally, my login dialog behaviour should be the same as the WordPress default one, or different but identical for all kinds of login errors.
To show only one login error message in all situations, add this code to your theme’s functions.php file:

      // Replace every login error text (including Login LockDown’s message
      // about IP blocking) with one generic message, so the dialog gives
      // no hint about which check failed
      function login_error_mess($error) {
          return 'ERROR: Invalid username or password.';
      }
      add_filter('login_errors', 'login_error_mess');

Third, if you try to call the loginlockdown.php file directly from a browser

http://www.yourdomain.com/wp-content/plugins/loginlockdown/loginlockdown.php

and PHP error messages are not turned off on your site, you will see this error message in your browser:

Fatal error: Call to undefined function get_option() in /homepages/xxx/xxx/htdocs/dev/wp-content/plugins/loginlockdown/loginlockdown.php on line 186

That is, a bad guy can discover your site’s real path. If he knows what shared hosting you use, and the hosting provider has some security hole in its system, the bad guy can reach your site and get its data, control it, etc. very easily.
The plugin author has to check whether his script is running inside the WordPress environment and stop working if somebody tries to call it as a stand-alone script.
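The guard a plugin author can put at the top of a plugin file, as an added example (not Login LockDown’s own code); the plugin name and option name in it are hypothetical:

```php
<?php
/*
Plugin Name: Example Plugin (hypothetical; added example, not Login LockDown’s code)
*/

// When WordPress loads a plugin, wp-load.php has already defined ABSPATH.
// A direct browser request for this file never goes through wp-load.php, so
// ABSPATH is undefined: stop before any WordPress function such as get_option()
// is called, otherwise PHP reports "Call to undefined function" together with
// the real server path of the file (when display_errors is on).
if ( ! defined( 'ABSPATH' ) ) {
    header( 'HTTP/1.1 403 Forbidden' );
    exit( 'Direct access is not allowed.' );
}

// Everything that needs the WordPress API sits below the guard.
$example_setting = get_option( 'example_setting', 'default' ); // hypothetical option name
```

Independently of the guard, display_errors should be off (and log_errors on) in the production php.ini, so that any other fatal error does not leak server paths either.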

Finally, some technical questions and suggestions for Michael, the Login LockDown developer.
Login LockDown stores information about every invalid login attempt in the WordPress database. When the invalid login attempt limit is exhausted, the plugin creates a record about the blocked IP. The current version has no mechanism to delete old records from the database. I got 20 records in this plugin’s database table on a development site during two weeks where I am the only user. Imagine a site with a lot of registered users. How many records will this plugin store in the database table after 3-6 months of site operation? After one year? After 3-5 years? Yes, I can delete old records myself using phpMyAdmin or by writing my own routine for this. But what will people do who are just bloggers, not coders or database administrators?

More: during each login attempt Login LockDown queries its database table for the count of previous invalid login attempts from the same IP range. If you have 10, 20 or even 100 records in the DB table it is not time consuming. But imagine this table with 100,000 records in it. The table has no indexes to accelerate the search now. A full read of all records on a really large dataset will slow down the login process dramatically. In some cases it can become impossible to log in to such a site. Why? Any script has an execution time limit, and a very low one on shared hosting. Memory for script execution is limited as well; on shared hosting this limit is low and cannot be increased by the site owner.
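One way to give the plugin the missing cleanup, as an added example (not Login LockDown’s own code): a daily WP-Cron job that ages out rows from both plugin tables. It assumes the date columns are named login_attempt_date and lockdown_date (the page only names login_attempt_ID; verify against the CREATE TABLE statements in loginlockdown.php) and that the 30-day retention is far longer than the plugin’s lockout window, so deleting older rows cannot affect an active lockout.

```php
<?php
// Added example: daily WP-Cron cleanup for Login LockDown’s tables.
// Put it in your theme’s functions.php or a small plugin of its own.
// Assumed column names: login_attempt_date in wp_login_fails, lockdown_date in
// wp_lockdowns (only login_attempt_ID is known for sure; check loginlockdown.php).

define( 'LL_CLEANUP_KEEP_DAYS', 30 ); // retention period (hypothetical value)

// Register the recurring event once. wp_next_scheduled() avoids stacking a
// duplicate event on every page load.
add_action( 'init', 'll_cleanup_schedule' );
function ll_cleanup_schedule() {
    if ( ! wp_next_scheduled( 'll_cleanup_event' ) ) {
        wp_schedule_event( time(), 'daily', 'll_cleanup_event' );
    }
}

// The actual cleanup. Table and column names come from this array, never from
// request data, so only the day count is passed through $wpdb->prepare().
add_action( 'll_cleanup_event', 'll_cleanup_old_records' );
function ll_cleanup_old_records() {
    global $wpdb;
    $tables = array(
        $wpdb->prefix . 'login_fails' => 'login_attempt_date', // assumed column name
        $wpdb->prefix . 'lockdowns'   => 'lockdown_date',      // assumed column name
    );
    foreach ( $tables as $table => $date_column ) {
        // DATE_SUB(NOW(), ...) uses the database clock; an hour or two of
        // difference from the PHP clock is irrelevant at a 30-day retention.
        // Only old rows go, so the recent failures the plugin counts for an
        // active lockout stay untouched.
        $wpdb->query( $wpdb->prepare(
            "DELETE FROM `{$table}` WHERE `{$date_column}` < DATE_SUB(NOW(), INTERVAL %d DAY)",
            LL_CLEANUP_KEEP_DAYS
        ) );
    }
}

// Cleanup keeps the tables small; the per-login lookup also benefits from an
// index on the IP column the plugin filters by. Run once from phpMyAdmin
// (assumed column name):
//   ALTER TABLE wp_login_fails ADD INDEX login_attempt_ip_idx (login_attempt_IP);
```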

In spite of some criticism (see it as the direction to go), I recommend this plugin to every self-hosted WordPress blog owner as a ‘must have’ security enhancing tool.

Thanks for reading,
Vladimir, ShinePHP.com

  • http://wheredidmybraingo.com/ Mitch

    Hi Vlad,
    Good point: You should never use a WP plugin before editing it, and adding code to prevent it from being called directly.

    Best wishes, Mitch

  • shinephp

    Hi Mitch,
    I fully agree with you. But there is a problem. Not so many people among those who don't know PHP will do it. That's why plugin developers themselves must fulfill this condition as a standard requirement for the WordPress plugin development process.
    Regards,
    Vladimir.

  • http://wheredidmybraingo.com/ Mitch

    Vladimir,
    It will never be a plugin requirement, especially since WP keeps dumbing down, even adding an image editor in 2.9.
    BTW – you should also remove “readme.txt” in plugin dir, so bad guys cannot easily discover plugin version.

    Best wishes, Mitch

  • shinephp

    Sure. I only propose that as some kind of inherent rule for conscientious plugin developers.
    Thanks,
    Vladimir.

  • http://easypublicspeaking.co.uk/ Keith Davis

    Very interesting post.
    I was thinking of using Login lockDown, but was thinking along the same lines as you i.e. why tell everyone that the site uses this plugin and why tell them which is wrong, the username or password?

    Is this the best “Lockout” plugin? I came across “Limit logon attempts”, which seems to do the same job. Do you have any thoughts on this plugin?

    I've not added the URL to the “Limit logon attempts” site because I thought it might violate your comments policy, but the author of the plugin is Johan Eenfeldt.

    I would appreciate your views.

  • shinephp

    Thanks for the question. In a couple of days I will publish the review for the 'Limit logon attempts' plugin, possibly with comparison to 'Login lockDown' one.

  • http://easypublicspeaking.co.uk/ Keith Davis

    Many thanks… I look forward to your review.

  • shinephp

    My opinion is that the 'Limit Login Attempts' plugin is better than the 'Login lockDown' one. I plan to change 'Login lockDown' to 'Limit Login Attempts' for my blog. More details can be found in this article

  • http://wingerter.cms4people.de/ Benjamin Wingerter

    I have a problem with a fatal error in the plugin .php file on line 252. What could it be? (WP 2.8)

  • shinephp

    After what did this error appear? Did you install and activate a new plugin or update an old one? Can you show the full error message (without sensitive information about your site, of course)?
    To isolate the problem you can deactivate all plugins first, and then check that the site works, activating your plugins one by one and checking whether this error occurs.

  • http://wingerter.cms4people.de/ Benjamin Wingerter

    Hi, I updated WordPress from 2.7 to 2.85 now and the fatal error is gone.

  • shinephp

    I'm glad that your problem is resolved.

  • asif

    Hello Vladimir

    So how can I delete old records from the database?

  • http://shinephp.com Vladimir Garagulya

    Login Lockdown creates 2 tables of its own in the database:
    – wp_lockdowns
    – wp_login_fails
    Change ‘wp_’ at the beginning of the table name to your own WordPress database table prefix if you use a different one.
    To delete all records from a table you need to execute an SQL command via some database tool, phpMyAdmin for example.
    The SQL commands are:
          delete from wp_lockdowns
    and
          delete from wp_login_fails
    If you wish to delete only the old records, add your criteria to the ‘where’ clause of the ‘delete’ command. For example,
          delete from wp_login_fails where login_attempt_ID<1000
    etc…

  • Ssbcargo

    Nice info share, Vladimir. I used this plugin, but never deleted the “Login form protected by Login LockDown” signature. With your review I got a beautiful login form (similar to the WordPress login form).
    Thank you Vladimir for this article, very helpful for me.