{"id":28068,"date":"2014-02-26T06:41:55","date_gmt":"2014-02-26T06:41:55","guid":{"rendered":"https:\/\/wordpress.org\/plugins-wp\/security-protection\/"},"modified":"2020-09-05T16:59:23","modified_gmt":"2020-09-05T16:59:23","slug":"security-protection","status":"publish","type":"plugin","link":"https:\/\/ur.wordpress.org\/plugins\/security-protection\/","author":7506807,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"2.3","stable_tag":"2.3","tested":"5.5.18","requires":"3.0","requires_php":"","requires_plugins":"","header_name":"Security-Protection","header_author":"webvitaly","header_description":"","assets_banners_color":"","last_updated":"2020-09-05 16:59:23","external_support_url":"","external_repository_url":"","donate_link":"http:\/\/web-profile.net\/donate\/","header_plugin_uri":"http:\/\/wordpress.org\/plugins\/security-protection\/","header_author_uri":"http:\/\/web-profile.net\/wordpress\/plugins\/","rating":4.3,"author_block_rating":0,"active_installs":400,"downloads":15474,"num_ratings":11,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0":{"tag":"1.0","author":"webvitaly","date":"2014-02-26 06:41:55"},"1.1":{"tag":"1.1","author":"webvitaly","date":"2014-02-28 22:37:30"},"2.0":{"tag":"2.0","author":"webvitaly","date":"2014-04-12 18:39:24"},"2.1":{"tag":"2.1","author":"webvitaly","date":"2014-12-26 10:56:41"},"2.2":{"tag":"2.2","author":"webvitaly","date":"2015-06-02 04:29:56"},"2.3":{"tag":"2.3","author":"webvitaly","date":"2020-09-05 16:59:23"}},"upgrade_notice":[],"ratings":{"1":"2","2":0,"3":0,"4":0,"5":"9"},"assets_icons":[],"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0","1.1","2.0","2.1","2.2","2.3"],"block_files":[],"assets_screenshots":[],"screenshots":[],"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[2439,2438,602,2059,603],"plugin_category":[38,42,58],"plugin_contributors":[77906],"plugin_business_model":[],"class_list":["post-28068","plugin","type-plugin","status-publish","hentry","plugin_tags-brute-force","plugin_tags-bruteforce","plugin_tags-login","plugin_tags-register","plugin_tags-registration","plugin_category-authentication","plugin_category-contact-forms","plugin_category-user-management","plugin_contributors-webvitaly","plugin_committers-webvitaly"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/security-protection.svg","icon_2x":false,"generated":true},"screenshots":[],"raw_content":"<!--section=description-->\n<ul>\n<li><strong><a href=\"http:\/\/web-profile.net\/wordpress\/plugins\/security-protection\/\" title=\"Security-Protection\">Security-Protection<\/a><\/strong><\/li>\n<li><strong><a href=\"http:\/\/web-profile.net\/donate\/\" title=\"Donate\">Donate<\/a><\/strong><\/li>\n<li><strong><a href=\"http:\/\/web-profile.net\/wordpress\/plugins\/\" title=\"WordPress plugins\">WordPress plugins<\/a><\/strong><\/li>\n<\/ul>\n\n<p><strong>Why humans should prove that they are humans by filling captchas? Lets bots prove that they are not bots with adding javascript to their user-agents!<\/strong><\/p>\n\n<p>Security-Protection blocks and stops brute-force attacks.\n<a href=\"http:\/\/wordpress.org\/plugins\/security-protection\/faq\/\">Want to read more how Security-Protection plugin works<\/a>?<\/p>\n\n<ul>\n<li><strong>no captcha<\/strong>, because brute-force attacks is not users' problem<\/li>\n<li><strong>no options<\/strong>, because it is great to forget about brute-force attacks completely<\/li>\n<\/ul>\n\n<p>Plugin is easy to use: just install it and it just works.<\/p>\n\n<p>Important: <strong>delete 'admin' username<\/strong> if you have it on your site. More than 90% of brute-force attacks try to crack the 'admin' username.<\/p>\n\n<p>Few of the most commonly used and worst passwords. Do not use them or similar:<\/p>\n\n<ul>\n<li>123456<\/li>\n<li>p@s$w0rd<\/li>\n<li>qwerty<\/li>\n<li>qwe123<\/li>\n<li>admin123<\/li>\n<li>iloveyou<\/li>\n<li>letmein<\/li>\n<\/ul>\n\n<h4>Useful:<\/h4>\n\n<ul>\n<li><a href=\"http:\/\/wordpress.org\/plugins\/page-list\/\" title=\"list of pages with shortcodes\">\"Page-list\" - show list of pages with shortcodes<\/a><\/li>\n<li><a href=\"http:\/\/wordpress.org\/plugins\/iframe\/\" title=\"embed content\">\"Iframe\" - embed content<\/a><\/li>\n<li><a href=\"http:\/\/web-profile.net\/wordpress\/plugins\/\" title=\"WordPress Pro plugins\">WordPress Pro plugins<\/a><\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>install and activate the plugin on the Plugins page<\/li>\n<li>enjoy life without login, register and reset-password brute-force attacks<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt><h3>Compatible with:<\/h3><\/dt>\n<dd><ul>\n<li><a href=\"https:\/\/wordpress.org\/plugins\/woocommerce\/\">WooCommerce<\/a><\/li>\n<\/ul><\/dd>\n<dt><h3>How does Security-Protection plugin work?<\/h3><\/dt>\n<dd><p>The blocking algorithm is based on 2 methods: 'invisible js-captcha' and 'invisible input trap'.\nThe 'invisible js-captcha' method is based on fact that bots does not have javascript on their user-agents.\nThe 'invisible input trap' method is based on fact that almost all the bots will fill inputs with name 'email' or 'url'.<\/p><\/dd>\n<dt><h3>How does Security-Protection plugin work in details?<\/h3><\/dt>\n<dd><p>Two extra hidden fields are added to login, register and reset-password forms.\nFirst field is the invisible captcha (copy and paste the code). Second field should be empty.\nIf the user visits site, than first field is answered automatically with javascript, second field left blank and both fields are hidden by javascript and css and invisible for the user.\nIf the brute-forcer tries to submit the form, he will make a mistake with answer on first field or tries to submit an empty field and brute-force attack will be automatically rejected.<\/p><\/dd>\n<dt><h3>How does Security-Protection plugin stop brute-force attacks?<\/h3><\/dt>\n<dd><p>If Security-Protection check was not passed than it is brute-force request and the login attempt (or registration, or reset password) is blocked even if username and password are correct.\nPlugin sends fake WordPress login cookies to the brute-force bot and redirects it to the admin section to emulate that the password is cracked and many brute-forcers stop their attacks after this.\nIt is really awesome :)<\/p><\/dd>\n<dt><h3>How to test what brute-force attacks are blocked?<\/h3><\/dt>\n<dd><p>You may enable sending info about blocked brute-force attacks to admin email.\nEdit <a href=\"http:\/\/plugins.trac.wordpress.org\/browser\/security-protection\/trunk\/security-protection.php\">security-protection.php<\/a> file and find \"$secprot_send_brute_force_log_to_admin\" and make it \"true\".<\/p><\/dd>\n<dt><h3>How to stop brute-force attacks if plugins does not help?<\/h3><\/dt>\n<dd><p>If all plugins does not help you to stop brute-force attacks - you can simply rename wp-login.php file (for example 'wp-login-new.php') for now and maybe this can help you to reduce load on your site.\nAnd also create empty wp-login.php file for not raising WordPress 404 error because it will start whole WordPress site again during each wp-login.php access.\nWhile wp-login.php renamed - users cannot login, register and reset password.\nIf you want to have ability to login while you renamed wp-login.php file you should replace all 'wp-login.php' strings inside of the wp-login.php file to your new filename (for example 'wp-login-new.php').<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>2.3<\/h4>\n\n<ul>\n<li>Minor updates<\/li>\n<\/ul>\n\n<h4>2.2<\/h4>\n\n<ul>\n<li>added compatibility for WooCommerce<\/li>\n<li>code cleanup<\/li>\n<li>bugfixing<\/li>\n<li>move javascript file to footer<\/li>\n<li>added SECURITY_PROTECTION_VERSION constant<\/li>\n<\/ul>\n\n<h4>2.1<\/h4>\n\n<ul>\n<li>masking password in the email log for successful login<\/li>\n<li>cleanup code<\/li>\n<li>update FAQ<\/li>\n<\/ul>\n\n<h4>2.0<\/h4>\n\n<ul>\n<li>completely rewrote all the code and reorganize the logic of the plugin (now plugin adds two hidden fields - aka 'invisible js-captcha')<\/li>\n<li>added 'send_successful_login_log_to_admin' feature<\/li>\n<\/ul>\n\n<h4>1.1<\/h4>\n\n<ul>\n<li>added sending fake WordPress login cookies to fool the bot<\/li>\n<\/ul>\n\n<h4>1.0<\/h4>\n\n<ul>\n<li>initial release - Protect from login, register and reset-password brute-force attacks using cookie check<\/li>\n<\/ul>","raw_excerpt":"Protection from login, registration and reset-password brute-force attacks. No captcha.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ur.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/28068","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ur.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/ur.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/ur.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=28068"}],"author":[{"embeddable":true,"href":"https:\/\/ur.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/webvitaly"}],"wp:attachment":[{"href":"https:\/\/ur.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=28068"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/ur.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=28068"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/ur.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=28068"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/ur.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=28068"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/ur.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=28068"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/ur.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=28068"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}