User Locker 1.1.7 WordPress Plugin Review

WordPress Plugin Review

WordPress Plugin Review

Plugin Name:User Locker v.1.1.7
Date of review: 20th November 2009
Rating: 4.5
Author profile: Daniel Frużyński
WordPress plugin directory link: User Locker

User Locker WordPress plugin introduces maximum number of invalid login attempts for the user name. When this number is exceeded, plugin locks that user account. It can be unlocked by requesting new password (using Lost Password option) or asking help from the blog administrator only.


You can find the original description of this plugin at the authour’s blog plugin page (primary site language is not English, but it is the English description). It this post I will tell you about my impressions after testing this plugin and going through its source code.

This plugin is written well. Its code is accurate and easy to read. It has detailed comments inside. I confirm that User Locker WordPress plugin operates exactly as declared by its author. I didn’t meet with bugs during tests series I made.
Security declaration: You can be sure: User Locker v.1.1.7 WordPress plugin (md5 sum: 293385EBAE285EA1470C654B1E90EA7E) is checked by me as an independent developer. This plugin has not any hidden code which make something malicious or not documented by the author in the plugin description.

Daniel (the author) made a good job and his plugin works well. Last change to the functionality was made with version 1.1. release at May 13, 2009. Other updates including the last one (November 14, 2009) were concerned with new languages translations and compatibility with WordPress new versions information.

For the first glance, it can be seemed that this plugin is related to the same kind of login security plugins as WordPress plugins Login lockDown and Limit Login Attempts which were reviewed here earlier. But it is for the first glance only. Yes, all three these plugins have the same main purpose: secure your blog from the brute force and dictionary passwords picking up attacks. But if Login lockDown and Limit Login Attempts locks the atacker’s IP-address, User Locker works on the second line of the defence – it locks the user account which is under attack. It is the main difference from the previous two plugins.

As the bonus User Locker adds two new attributes to the user profile/account: locked and disabled. Locked attribute can be cleared by user with password reset. Only administrator can change the disabled attribute. This functionality is well intergrated into existing WordPress Users list editor.

Plugin stores its data using standard WordPress mechanizm of user meta data processing. It automatically clears invalid login attempts data after user password reset or that user successful login.

User Locker doesn’t advertise itself with special text at the WordPress Login dialog box as the Login lockDown plugin does.

What I don’t like

Plugin has not option to unlock user account automatically after some period of time which can be set by the blog administrator. So far locking users accounts feature can be used for Denial Of Service (DOS) attack. Yes, user can unlock his account using password reset feature. But just imagine that he has to make it every day. How many days user will stay with your blog then?

As others login lockers plugins User Locker has the unique set of special messages to show when intruder exhausted invalid login attempts limit: “ERROR: This user account is disabled.”, “ERROR: This user account is locked for security reasons. Please use Lost Password option to unlock it.”, etc.
It clearly shows to the intruder that this blog uses User Locker installation. Additionally with the message “This user account is locked” plugin compromises user name. Attacker will know that his try finished with success, he discovered user name and the left part of attack is that user password discovery only.
Personally I prefer to have the option with which I could select to show or hide (and get by email) those special messages by my own choice. Silence is golden.

If you try to call user-locker.php file directly from the browser, e.g. input
http://www.yourdomain.com/wp-content/plugins/user-locker/user-locker.php
in the browser and PHP error messages is not turned off on your site, you will see this error message in your browser:
PHP Fatal error: Call to undefined function add_option() in …\wp-content\plugins\user-locker\user-locker.php on line 329
It means that bad guy can discover your site real path. Plugin author has to check if his script is called under WordPress environment and stop working if somebody tries to call it directly, as stand-alone script. For example, add this code at the beginning of every plugin:

if (!function_exists("get_option")) {
  echo 'Direct call is prohibited';
  die;
}

Finally, I think that in comparing with IP-adress locking plugins User Locker as standalone technology loses to them because of lock by IP-address functionality resists to attackers only, but locking by user account functionality beats the users together with attackers.

As the result I rate this plugin as 4.5.

This plugin functionality is good to use as the second, additional line of defence, after plugin which secures on the base of attacker IP-address locking. For example if attacker has a large bot net and changes computers from which he attacks your blog, he can break through IP-address defence. So I had the thought to use User Locker with Limit Login Attempts together. For testing I set up 3 failed login atempts limit for the IP-address and 5 attempts limit for the user account. In this case if attacker changes IP and breaks through the defence on the IP-address base, then he will met the second line of defence – user account locking. Two plugins passed first tests good and worked exactly as I expected. But be aware in one of the special situations you can meet the problem as I did. That time I tested one user name all time from the same IP. First, Limit Login Attempts locked my IP-address successfully. When my IP unlocked (some time elapsed), I continued with the same user name but the invalid password. As a result I saw the Limit Login Attempt messages about failed login only. So, prepare that, if you try to login with user name which is locked already by User Locker, you will not get information about it. You will try with valid login credentials again and again, see that user name or password is invalid, and finally lock your IP-address. Valid behaviour in this situation do not increase failed login attempts for this IP-address at all, as the attacking user is locked already and nothing dangerous occurs. Thus, not so good news is that these plugins working together can interpolate, as theirs code doesn’t know anything about each other. So if you decide to use both plugins simultaneously make it on your own risk :).

It will be good to have one plugin with united and agreed functionality and the option to not show messages about failed login at the browser but send it to the blog administrator and the user with ability to aggregate a few messages in one mail.

Thanks for the reading,
Vladimir, ShinePHP.com

Tags: , , ,