All In One Security – User Login
Script & Screenshots
In this video I’m going to walk you through the All In One Security User Login page.
This is where you can tighten security for User Logins.
To get to it, click on WP Security, then User Login.
Let’s start with the Login Lockdown tab. One of the ways hackers try to compromise sites is a brute-force login attack: the attacker makes repeated login attempts until they guess a valid username and password.
To enable Login Lockdown, check the box next to Enable Login Lockdown Feature. You can simply enable it and leave all the settings below at their defaults, or you can customize the options.
Allow Unlock Requests: check this box if you want to allow locked-out users to generate an automated unlock request link that will unlock their account. This is worth checking if you have a membership site.
Max Login Attempts: set the maximum number of login retries before the IP address is locked out. The default value is 3 login attempts. If you lock yourself out often, you may want to increase this number.
Login Retry Time Period: If the maximum number of failed login attempts for a particular IP address occurs within this time period the plugin will lock out that IP address. The default value is 5 minutes.
Time Length of Lockout: Set the length of time for which a particular IP address will be prevented from logging in. The default value is 60 minutes. If you have a membership site, I’d decrease this significantly. You don’t want them to have to wait 60 minutes before they can log in.
Display Generic Error Message: check this if you want to show a generic error message when a login attempt fails. The default message when the username is wrong is: “Error: Invalid username. Lost your password?” If the password is wrong, it shows: “ERROR: The password you entered for the username ____ is incorrect. Lost your password?” Both of these error messages are too helpful for hackers, because they reveal whether a username exists. If someone is trying to brute-force your administrator password, it’s much better to let them waste their time on an account that doesn’t exist than to tell them to try a different username. Checking this box changes the error message to: “ERROR: Incorrect username or password.”
Notify By Email: check this box if you want to receive an email when someone has been locked out due to maximum failed login attempts. The default email address is the email address set up in Settings -> General. You can change it to another email address if you like.
Instantly Lockout Invalid Usernames: check this if you want to instantly lock out login attempts that use usernames which do not exist on your system. If you have a membership website, you may not want to check this, as it is more likely that someone will mistype their username, and it could irritate them to get locked out after one try. If you are the only one logging in, you might want to check this to keep your site better protected.
Click the Save Settings button to save your changes.
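To make the interaction of these settings concrete, here is an added Python model of the Login Lockdown rules described above (example code, not the plugin’s own). It assumes the lock triggers on the Nth failure inside the retry window, that a successful login clears the counter, and uses a constructed username/password table with the page’s default values.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class LockdownConfig:
    """Login Lockdown settings with the page's defaults; times in seconds."""
    max_attempts: int = 3                  # Max Login Attempts
    retry_period: float = 5 * 60           # Login Retry Time Period
    lockout_length: float = 60 * 60        # Time Length of Lockout
    generic_error: bool = True             # Display Generic Error Message
    instant_lockout_invalid: bool = False  # Instantly Lockout Invalid Usernames

GENERIC_ERROR = "ERROR: Incorrect username or password."
BAD_USER_ERROR = "Error: Invalid username. Lost your password?"
BAD_PASS_ERROR = "ERROR: The password you entered for the username {} is incorrect. Lost your password?"

@dataclass
class LoginLockdown:
    config: LockdownConfig
    users: dict                                        # username -> password (constructed sample)
    failures: dict = field(default_factory=dict)       # ip -> timestamps of recent failures
    locked_until: dict = field(default_factory=dict)   # ip -> time the lockout ends

    def is_locked(self, ip, now):
        return now < self.locked_until.get(ip, float("-inf"))
    def _lock(self, ip, now):
        self.locked_until[ip] = now + self.config.lockout_length
        self.failures.pop(ip, None)
    def _error(self, username, user_exists):
        if self.config.generic_error:   # same text whether or not the account exists
            return GENERIC_ERROR
        return BAD_PASS_ERROR.format(username) if user_exists else BAD_USER_ERROR

    def attempt(self, ip, username, password, now):
        """One login attempt from ip at time now; returns (success, message)."""
        if self.is_locked(ip, now):
            return False, "locked"
        user_exists = username in self.users
        if user_exists and hmac.compare_digest(self.users[username], password):
            self.failures.pop(ip, None)            # success clears the failure window
            return True, "ok"
        if not user_exists and self.config.instant_lockout_invalid:
            self._lock(ip, now)                    # a single unknown username locks the IP
            return False, "locked"
        # Sliding window: only failures inside the retry period count toward the limit.
        recent = [t for t in self.failures.get(ip, []) if now - t < self.config.retry_period]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.config.max_attempts:  # assumed: the Nth failure triggers the lock
            self._lock(ip, now)
        return False, self._error(username, user_exists)
```

With the defaults, three failures from one IP within five minutes lock that IP for an hour, while failures spread more than five minutes apart never accumulate.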
The next tab is Failed Login Records. The top box shows you the IP address, user ID, username, and date of each failed login. This comes in handy if you want to see who is trying to log into your website.
If you’d like to remove all the IP addresses from the login records box without having to select them all, you can click on the Delete All Failed Login Records box.
Next is the Force Logout tab. The one option here is to force logged-in users out after a specified number of minutes. This can be effective if a hacker happens to get logged in, since it will log them out, although if they have your password they can easily log back in. This feature can get annoying if you spend a lot of time editing your website. If you only make small changes here and there, you won’t even notice that it is enabled if you leave it at the default of 60 minutes.
Click Save Settings if you made any changes.
Since I enabled the “lockout after 60 minutes” option, it logged me out. When it does this, it takes you back to the login screen and displays a message that your session expired. You’ll then need to log in again.
On the Account Activity Logs tab, you can view the login activity for administrator accounts. This is a good way to see who is logging in, and if anyone has admin privileges that shouldn’t.
On the Logged In Users tab you can see who is currently logged into your website. This tab comes in handy if you need to update any plugins and don’t want to do it while another team member is making changes; you can see here whether they’re logged in. You can also log them out by clicking the Force Logout button. It is also handy if you see a user account that you didn’t create: you can block their IP address here so that they can’t log in again.
The data doesn’t refresh automatically, so if you’d like to update it, click the Refresh Data button at the top.
That’s it for this video. I’ll see you in the next one.