User Locker 1.1.7 WordPress Plugin Review

Plugin name: User Locker v.1.1.7
Date of review: 20th November 2009
Rating: 4.5
Author profile: Daniel Frużyński
WordPress plugin directory link: User Locker

The User Locker WordPress plugin sets a maximum number of invalid login attempts per user name. When that number is exceeded, the plugin locks the user account. The account can be unlocked only by requesting a new password (via the Lost Password option) or by asking the blog administrator for help.


You can find the original description of this plugin on the author's blog plugin page (the site's primary language is not English, but the description itself is in English). In this post I will tell you about my impressions after testing this plugin and going through its source code.

This plugin is well written. Its code is accurate and easy to read, with detailed comments inside. I confirm that the User Locker WordPress plugin operates exactly as declared by its author. I did not encounter any bugs during the series of tests I made.

Security declaration: User Locker v.1.1.7 WordPress plugin (md5 sum: 293385EBAE285EA1470C654B1E90EA7E) has been checked by me as an independent developer. This plugin contains no hidden code that does anything malicious or anything not documented by the author in the plugin description.

Daniel (the author) did a good job and his plugin works well. The last change to functionality was made in the 1.1 release on May 13, 2009. Later updates, including the latest one (November 14, 2009), only added new translations and updated the information about compatibility with new WordPress versions.

At first glance, this plugin may seem to belong to the same family of login security plugins as Login LockDown and Limit Login Attempts, which were reviewed here earlier. But that is true only at first glance. Yes, all three plugins share the same main purpose: to protect your blog from brute-force and dictionary password-guessing attacks. But where Login LockDown and Limit Login Attempts lock the attacker's IP address, User Locker works on the second line of defence: it locks the user account that is under attack. This is the main difference from the previous two plugins.

As a bonus, User Locker adds two new attributes to the user profile/account: locked and disabled. The locked attribute can be cleared by the user with a password reset. Only an administrator can change the disabled attribute. This functionality is well integrated into the existing WordPress Users list editor.

The plugin stores its data using the standard WordPress user metadata mechanism. It automatically clears the invalid login attempt counter after the user's password is reset or after that user logs in successfully.

User Locker does not advertise itself with special text in the WordPress login dialog, as the Login LockDown plugin does.

What I don’t like

The plugin has no option to unlock a user account automatically after a period of time set by the blog administrator. As it stands, the account locking feature can be turned into a Denial of Service (DoS) attack: anyone who knows a user name can lock that account simply by exhausting its invalid login attempts. Yes, the user can unlock his account with the password reset feature. But imagine that he has to do it every day. How many days will that user stay with your blog?

Like other login locker plugins, User Locker has its own unique set of messages shown when an intruder exhausts the invalid login attempt limit: “ERROR: This user account is disabled.”, “ERROR: This user account is locked for security reasons. Please use Lost Password option to unlock it.”, etc.
These messages clearly tell the intruder that this blog runs User Locker. Worse, the message “This user account is locked” confirms the user name: the attacker learns that this part of his attempt has succeeded, the user name exists, and all that remains is to discover that user's password.
Personally, I would prefer an option to choose whether to show these special messages or to hide them (and receive them by email instead). Silence is golden.

If you call the user-locker.php file directly from the browser, e.g. by entering
http://www.yourdomain.com/wp-content/plugins/user-locker/user-locker.php
in the address bar, and the display of PHP error messages is not turned off on your site, you will see this error message in your browser:

PHP Fatal error: Call to undefined function add_option() in …\wp-content\plugins\user-locker\user-locker.php on line 329

This means that an attacker can discover the real filesystem path of your site. (Turning off display_errors in the production PHP configuration closes the same leak for every script on the server, but a plugin should not rely on that.) The plugin author should check whether the script is running inside the WordPress environment and stop if somebody calls it directly as a stand-alone script. For example, add this code at the beginning of every plugin file:

<?php
// Abort if this file was requested directly instead of being loaded by
// WordPress: get_option() only exists once WordPress core has been loaded.
if (!function_exists('get_option')) {
    echo 'Direct call is prohibited';
    die;
}

Finally, I think that compared with IP-address locking plugins, User Locker as a standalone technology loses to them: locking by IP address affects only attackers, whereas locking by user account hits legitimate users together with the attackers.

As a result, I rate this plugin 4.5.

This plugin's functionality is good as a second, additional line of defence behind a plugin that locks on the basis of the attacker's IP address. For example, if an attacker has a large botnet and changes the computers from which he attacks your blog, he can get past an IP-address defence. So I had the idea of using User Locker together with Limit Login Attempts. For testing I set a limit of 3 failed login attempts per IP address and 5 attempts per user account. In this case, if the attacker changes IP and breaks through the IP-address defence, he meets the second line of defence: user account locking. The two plugins passed the first tests well and worked exactly as I expected.

But be aware that in one special situation you can run into the problem I did. That time I tested a single user name from the same IP all the time. First, Limit Login Attempts locked my IP address successfully. When my IP was unlocked (after some time elapsed), I continued with the same user name but an invalid password. As a result I saw only the Limit Login Attempts messages about failed logins. So be prepared: if you try to log in with a user name that User Locker has already locked, you will get no information about it. You will try with valid login credentials again and again, see that the user name or password is invalid, and finally lock your IP address. The correct behaviour in this situation would be not to increase the failed login counter for the IP address at all, since the user being attacked is already locked and nothing dangerous is happening. So the not-so-good news is that these plugins can interfere with each other when working together, because their code knows nothing about each other. If you decide to use both plugins simultaneously, do it at your own risk :).
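To make the interaction between the two layers concrete, here is a small model of a per-IP limiter in front of a per-account locker. It is an added illustration for this review, not code from User Locker or Limit Login Attempts; the class and method names, the default limits (3 per IP, 5 per account), the message texts, the plain-string password check and the optional auto-unlock period are all assumptions. It implements the coordination argued for above: an attempt against an already locked account is reported as such and is not charged to the IP, the account is unlocked by a password reset or, optionally, after a timeout (the option User Locker lacks), and a verbose_errors switch shows how collapsing every failure into one generic message stops the lock message from confirming a user name.

```python
"""Constructed model of a two-layer login throttle: a per-IP limiter (the
role Limit Login Attempts plays) in front of a per-account locker (the role
User Locker plays).  Added example, not code from either plugin; limits,
messages and the auto-unlock option are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    password: str                       # stand-in for WordPress's hashed check
    failures: int = 0
    locked_at: Optional[float] = None   # None means not locked


class LoginGate:
    BAD_CREDS = "ERROR: Invalid username or password."
    IP_LOCKED = "ERROR: Too many failed login attempts from your address."
    USER_LOCKED = "ERROR: This user account is locked for security reasons."

    def __init__(self, ip_limit=3, ip_lockout=60.0, user_limit=5,
                 user_lockout=None, verbose_errors=True):
        self.ip_limit, self.ip_lockout = ip_limit, ip_lockout
        self.user_limit = user_limit
        # None reproduces User Locker: only a password reset unlocks the
        # account.  A number of seconds adds the auto-unlock period the
        # review asks for.
        self.user_lockout = user_lockout
        # False collapses every failure into BAD_CREDS ("silence is golden")
        self.verbose_errors = verbose_errors
        self.accounts: Dict[str, Account] = {}
        # ip -> (failure count, locked-until timestamp; 0.0 = not locked)
        self.ip_state: Dict[str, Tuple[int, float]] = {}
        self.now = 0.0  # simulated clock in seconds

    def add_user(self, name, password):
        self.accounts[name] = Account(password)

    def reset_password(self, name, new_password):
        # "Lost Password" path: a reset clears both the lock and the counter
        self.accounts[name] = Account(new_password)

    def tick(self, seconds):
        self.now += seconds

    def _msg(self, specific):
        return specific if self.verbose_errors else self.BAD_CREDS

    def _account_locked(self, acct):
        if acct.locked_at is None:
            return False
        if self.user_lockout is None or self.now - acct.locked_at < self.user_lockout:
            return True
        acct.locked_at, acct.failures = None, 0   # lock period elapsed
        return False

    def login(self, ip, user, password):
        """Returns "OK" or the error text the visitor would see."""
        count, locked_until = self.ip_state.get(ip, (0, 0.0))
        if locked_until > self.now:               # first line: IP limiter
            return self._msg(self.IP_LOCKED)
        if locked_until:                          # expired IP lock: new window
            count = 0
        acct = self.accounts.get(user)
        if acct is not None and self._account_locked(acct):
            # Second line: account locker.  Not charged to the IP, since the
            # account cannot be guessed while locked.  The review reports that
            # the two real plugins do not coordinate like this.
            return self._msg(self.USER_LOCKED)
        if acct is not None and password == acct.password:
            acct.failures = 0
            self.ip_state.pop(ip, None)
            return "OK"
        count += 1
        until = self.now + self.ip_lockout if count >= self.ip_limit else 0.0
        self.ip_state[ip] = (count, until)
        if acct is not None:
            acct.failures += 1
            if acct.failures >= self.user_limit:
                acct.locked_at = self.now
        return self._msg(self.BAD_CREDS)


if __name__ == "__main__":
    gate = LoginGate()
    gate.add_user("admin", "correct horse")
    # a botnet rotating IPs never trips the IP limiter, but the account locks
    for i in range(5):
        print(gate.login(f"10.0.0.{i}", "admin", "guess"))
    print(gate.login("10.0.0.9", "admin", "correct horse"))   # still locked
    print(gate.login("10.0.0.9", "nobody", "guess"))          # differs: leak
```

With verbose_errors=True the last two calls return different texts, which is exactly the user-name confirmation the review complains about; with verbose_errors=False every failure, including a locked account, reads the same and the administrator would learn of the lock from a notification instead.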

It would be good to have one plugin with unified, coordinated functionality and an option not to show failed-login messages in the browser but to send them to the blog administrator and the user instead, with the ability to aggregate several messages into one mail.

Thanks for the reading,
Vladimir, ShinePHP.com

  • http://easypublicspeaking.co.uk/ Keith Davis

    Hi Vlad
    Another in depth review to help the rest of us with security.
    I may follow your suggestion and run them together, but as you say, it would be nice to have one combined plugin.

    If you ever find the time Vlad… perhaps you could put one together!

  • http://shinephp.com Vladimir Garagulya

    Hi Keith!
    Thanks for the suggestion. To be honest, I am thinking about it :). And possibly I will make it. I cannot estimate the time exactly. In that case you will learn about it from one of the posts here.

  • shinephp

    Hi Keith!
    Thanks for the suggestion. To be honest, I am thinking about it :). And maybe I will make it. In that case you will learn about it from a special post here.

  • http://easypublicspeaking.co.uk/ Keith Davis

    Good man
    Hope you do find the time.
    Look forward to seeing the “Vlad login locker” being top of the WordPress plugin rankings.

  • http://equipajedemano.info/ Omi

    Thank you for testing the plugin and doing the review to us all, much appreciated.

    I totally agree with Keith Davis, it would be great to see that “Vlad's 'come here if you dare' all defence lines are covered plugin” (or so) being top of security plugins list … :)

    Of course you know you can count on me for test and spanish translation help. Just drop me a mail when needed!

  • http://easypublicspeaking.co.uk/ Keith Davis

    Well said Omi
    Looks like the pressure's on Vlad, you need to open up a competition for naming the plugin.
    And I can do you the Yorkshire translation… sorry Vlad, that's an English joke.

  • shinephp

    Good point: That was a typo, rate is updated to 4.5.
    I will definitely contact you when new plugin will be ready for tests and translation. Thanks for your participation.

  • http://equipajedemano.info/ Omi

    I propose and vote for (is it licit to do both things?) “Gold security” or “SIG security”, just to paraphrase that WordPress core index.php file… :D

  • shinephp

    Keith, after visiting this link http://www.whoohoo.co.uk/main.asp and trying to translate a couple of phrases, I possibly understood your joke :). Thanks. In any case your future help with English translation checking, misspelling and grammar corrections is very much appreciated. You are welcome!

  • shinephp

    How about a one-word addition? It can be named “SIG login security”, just to have the exact keyword in the plugin name too, not in the description only. SIG can be put in full form (silence is golden) into the description part.

  • http://easypublicspeaking.co.uk/ Keith Davis

    I like it… I was taken with the phrase “silence is golden” when I saw your previous posts.

  • http://easypublicspeaking.co.uk/ Keith Davis

    Vlad
    I would gladly help with any English checking

  • http://shinephp.com Vladimir Garagulya

    Thanks in advance, Keith.

  • http://blogs.wittwer.fr/whiler/ Whiler

    Hello Vladimir,

    What are you thinking about CAPTCHA system?

    Are there real manual brute force guys? As I'm expecting robots, I think that Limit Login Attempts (http://www.shinephp.com/limit-login-attempts-1-4-1-wordpress-plugin-review/) combined with a captcha system in the login screen could be enough?
    Or do you think Robots are already clever enough to pass the captcha trap?

  • http://shinephp.com Vladimir Garagulya

    No, I don't think so. Although I saw information on the Net about a case of the Google captcha system being cracked with the use of a distributed botnet. It may become a more common and widespread event with time. If we talk about robots, then there is a good solution for single-author blogs, I mean the AskApache plugin. If you manage a multi-author blog, then a CAPTCHA control can be a valid decision, at least a ‘must have’ option for a login security plugin. The final decision, to use captcha or not, is for the plugin user. We talk here about some integrated solution which will take into account as many existing threats of breaking through the WP login authentication system as possible.

  • http://equipajedemano.info/ Omi

    Isn't that a name competition? C'mon with your name proposals, lazy boys! :D Errr, ok ok, “SIG login security” depicts the plugin target perfectly.

    But if you are thinking of a plugin that could be offering more options (apart from login security) in a near future that “login” word would come back against you…

    If it's not the case, that name sounds really great. Nice suggestion Vladimir.

  • shinephp

    Good proposal, no competition :). If we have some new idea about WP security beyond the login theme we can simply continue the SIG plugin series by creating a new plugin, e.g. “SIG secure silencer”, etc. I think that including all the stuff in one plugin is not the best decision, as some users don't need that extra functionality.

  • http://easypublicspeaking.co.uk/ Keith Davis

    A SIG series of plugins… I can see it now on the WordPress.org website “Another plugin in the highly successful SIG series”.
    Great suggestion to possibly have a series.
    No more comments from me tonight. I'm off to have a large white wine.

  • Pingback: What I did for WordPress security (5 plugins + access control) at 適宜覚書-Fragments

  • http://www.easyrecovery.co.uk data recovery

    I have used brute force, and many times we need to enter the captcha manually, which means they are not very clever for all systems.

  • Jason

    Hi Vladmir,

    I really love your site!

    I discovered it while trying to find ways to up my WordPress security.

    I read your reviews for Limit Login Attempt, Login Lockdown, and User Locker, and I must say they are the best reviews I read when I was stuck trying to decide which one to go with.

    I must say you allude to “Limit Login Attempt” right?

    Though I do have a question I recently discovered this other plugin “Stealth Login” which seems really handy because it hides your wp-admin from other user and when hackers type that they will get a 404 error. The only way to access wp-admin is by typing a custom slug URL after domain to redirect to it.

    Can you please do a review on it?

    Thanks.

  • http://shinephp.com Vladimir Garagulya

    Hi Jason,

    Thanks for good words :).
    Yes, you’re right, I use the ‘Limit Login Attempt’ myself.
    ‘Stealth Login’. It's interesting. I knew and used a similar plugin for Joomla!, but didn't know that there is something like that for WordPress. Yes, I will look at it in operation, read its code and come back with a review. Thanks for the question.

    Regards,
    Vladimir.

  • Jason

    Thanks Vladimir!

    This does seem like a great plugin to have in conjunction with the others you mentioned.

    “Stealth Login” would be the 1st-line-of-defense hiding your main blog entrance gateway (a secret door you can say), if hackers find that, they would have to deal with the 2nd-line-of-defense “Limit Login Attempt” or “Login lockdown”, and if they persist with the force login, the 3rd line of defense “User Locker” kicks in.

    Triple-Whammy!

  • http://www.freshdesignweb.com freshdesignweb

    My admin account is locked, so I cannot log in to my account. How can I unlock my admin account?

  • http://shinephp.com Vladimir Garagulya

    Try the ‘Lost your password?’ option at the /wp-admin/ page. Resetting the user password should unlock the user account automatically. If that does not help, just remove the plugin folder via FTP. The plugin will be deactivated automatically in that case.