推荐一个 wordpress 插件: Limit Login Attempts,限制登录尝试的插件
dreamcountry · 2015-07-26 09:13:27 +08:00 · 4113 次点击这是一个创建于 3393 天前的主题,其中的信息可能已经有所发展或是发生改变。
前段时间安装的这个插件,经常发现有很多IP的登录尝试。今天绝了,插件发送的邮件记录显示从3点多到现在9点多到一直有人在尝试admin登录。本人设置了登录失败4次禁止该IP登录10分钟,连续两组禁止该IP登录240小时,然后发送一封告警邮件。现在还在不停的收到告警邮件,不过有了这个自动IP禁止插件,尝试者需要不停的换IP。虽然还是有尝试,但放心多了。。。
这个插件是老外开发的,最近更新已经是3年前了,但现在仍然好用。直接在wp后台搜索Limit Login Attempts就可以安装,下面是插件自己的description:
Limit the number of login attempts possible both through normal login as well as using auth cookies.
By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
Features
Limit the number of retry attempts when logging in (for each IP). Fully customizable
Limit the number of attempts to log in using auth cookies in same way
Informs user about remaining retries or lockout time on login page
Optional logging, optional email notification
Handles server behind reverse proxy
It is possible to whitelist IPs using a filter. But you probably shouldn't. :-)
Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish
Plugin uses standard actions and filters only.
这个插件是老外开发的,最近更新已经是3年前了,但现在仍然好用。直接在wp后台搜索Limit Login Attempts就可以安装,下面是插件自己的description:
Limit the number of login attempts possible both through normal login as well as using auth cookies.
By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
Features
Limit the number of retry attempts when logging in (for each IP). Fully customizable
Limit the number of attempts to log in using auth cookies in same way
Informs user about remaining retries or lockout time on login page
Optional logging, optional email notification
Handles server behind reverse proxy
It is possible to whitelist IPs using a filter. But you probably shouldn't. :-)
Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish
Plugin uses standard actions and filters only.
20 条回复 • 2015-08-25 17:03:39 +08:00
 |
1
ivmm 2015-07-26 09:17:26 +08:00
貌似很早就有人推荐了,必备插件。
不过我用谷歌身份,二次验证。 绝逼安全 |
 |
2
dreamcountry OP @ivmm 必备插件(竖大拇指)
|
 |
3
Majirefy 2015-07-26 09:38:26 +08:00
必备插件~~
|
 |
4
falcon05 2015-07-26 09:48:00 +08:00 via iPhone
我们公司也使用WP,从日志上看,更多的攻击来自对WP插件漏洞的利用,大多是在尝试上传漏洞,因为wp插件良莠不齐,所以能不装的插件尽量不装了,当然不是指这个插件,我只是有感而发
|
 |
5
bigfa 2015-07-26 12:00:30 +08:00 via iPhone
我现在是禁用了账号密码登录,使用邮件的方式登录~
|
 |
7
songz 2015-07-26 12:48:43 +08:00
将wp-login改一下名字可以?
|
|
9
dreamcountry OP @bigfa 这个怎么做的?
|
|
10
bigfa 2015-07-26 17:09:32 +08:00 via iPhone
|
 |
11
wkdhf233 2015-07-26 17:19:55 +08:00
十几位大小写数字混合,我觉得被跑出来之前那边空间的流量就已经超了。。
|
 |
12
simodorg 2015-07-26 17:23:05 +08:00 via iPhone
|
 |
13
welly 2015-07-26 17:28:40 +08:00 via iPhone
谢谢分享!
|
 |
14
sumhat 2015-07-26 17:31:28 +08:00
我直接 403 了 wp-login.php
|
|
15
dreamcountry OP @sumhat 今天有人不断变换ip尝试登陆快一天了,有点烦,现在我把wp-login.php设成了空页面
|
 |
16
tobyxdd 2015-07-26 19:00:14 +08:00
wordfence
|
 |
18
mufeng 2015-07-26 21:15:09 +08:00
换成扫码登陆了
|
 |
19
kn007 2015-07-28 01:25:22 +08:00
|
 |
20
ershiwo 2015-08-25 17:03:39 +08:00 via Android
我用 iThemes Security 。虽然比较臃肿但是功能很全,基本上算是全能了。
前几天自己的账户被人恶意尝试登陆,结果连我自己要登陆都被这插件弹了回来,最后 iptables 封了对方 ip ,世界清净了 |
Select Language