An elementary security plugin protecting admin dashboard

In this post, I shall discuss an elementary plugin that can protect your wordpress admin dashboard from frequent incorrect login attempts. The plugin redirects the user to the home page after a predetermined number of incorrect logins, three for example. However, if the user enters the correct password after three wrong attempts, the user is logged in to the dashboard. The code hooks into the wp_login_failed action hook and uses a counter variable stored in the session to keep track of the number of login attempts. The plugin backend only tells the administrator that the plugin is active (See image above). The code listing is given below:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
<?php
 
/*
* Plugin Name: My Simple Security
*/
 
 
function simple_security_reset_bruteforce($username)
{
 
	@session_start();
 
	if(!isset($_SESSION["brute_count"]))
	{
		$_SESSION["brute_count"] = 1;
 
	}
	else
	{
		$_SESSION["brute_count"] = $_SESSION["brute_count"] + 1;
 
		if($_SESSION["brute_count"] > 3)
		{
			unset($_SESSION["brute_count"]);
 
			wp_redirect(site_url());
 
			exit;
		}
	}
 
}
 
add_action("wp_login_failed", "simple_security_reset_bruteforce");
 
//plugin admin panel
function simple_security_menu_callback()
{
 
	echo "<h1>Simple Security active!</h1>";
}
 
function simple_security_menu_add()
{
	add_menu_page("Simple Security", "Simple Security", "administrator", "simple-security", "simple_security_menu_callback" );
}
 
add_action("admin_menu", "simple_security_menu_add");
//plugin admin panel end

 
A recording of the plugin is given below:

 

To turn this into a plugin and use it in your wordpress:

  1. Create an empty folder in your plugins folder.
  2. Give it an easily understandable name.
  3. Then, create a blank file in any text editor.
  4. Copy the code from the code listing here, including the “<?php” at the start.
  5. Paste the code copied above in your blank file.
  6. Save this file as index.php in your empty folder created above.
  7. Go to the wp-admin and activate the plugin.
  8. Logout from admin and try logging in to wp-admin repeatedly with the wrong password.

 
It should work as shown in the video above.

Leave a Reply

Your email address will not be published. Required fields are marked *