Login Limiter Pro
We recently released Login With AJAX 4.0 along with Pro 1.0, including this whole documentation site. This page is incomplete and contains basic/general information to get you started; we are currently working on the documentation for this feature. Bear with us!
You can prevent brute force attacks on your users' accounts by enabling the login limiter. Once a certain number of failed login attempts for an account has been reached, the account is blocked in some way, preventing anyone, including the legitimate user, from logging into that account until the block is lifted. The options on the settings page determine how the block is lifted.
To enable and configure the login limiter, visit the WP Dashboard > Settings > Login With AJAX > Security tab and scroll down to the Login Limitations section. You will need to enable the feature by ticking the Enable Login Limitations checkbox before the further options are shown.
Below is further information about the options available to you in the settings, and their context.
Attempts and Timeframe
You can first decide how many failed login attempts are allowed. By default this is 3, with no timeframe. You can change the number of attempts and also require that the failed attempts fall within a certain timeframe before the account is blocked; with a timeframe set, failures older than that window no longer count towards the limit.
When an account is blocked, the user will not be able to log in until the account is unblocked. There are three ways an account can be unblocked.
The first one is time-based; the account is blocked for a set amount of time. After the specified time has passed, the user will be able to log in again. If someone keeps submitting incorrect logins for a blocked account, each failure resets the block timer, so the block lasts until the failed attempts stop. Bear in mind that a purely time-based block only slows an attacker down: once the block expires they get a fresh set of attempts, so choose the block duration with that in mind.
The second option is a permanent block. This means that the user will need to get in touch with you, the site administrator, to have their account unblocked manually (for how to unblock, see further down this page). In this case we suggest you provide an email address or a link to a contact form in the error message, which you can customize in an option further down the settings page.
The final option is to trigger 2FA (only available if 2FA is enabled). Once an account has been blocked, the next valid login for that account will additionally have to be verified via an external method such as email. This means that even if an attacker guesses the password after a few attempts, they cannot access the account without also controlling the verification channel, for example the account's mailbox.
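To make the interaction between the attempt limit, the timeframe and the three unblock options concrete, the following is an added example that models the documented policy as a small state machine in plain Python. It is not code from Login With AJAX and uses none of the plugin's APIs or storage; the class and method names, the return strings, the 900-second block duration and the login sequences in demo() are all assumptions constructed for illustration. It also models the manual admin unblock described at the end of this page.

```python
"""Toy model of a per-account login limiter (illustrative only, not plugin code)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed names for the three documented unblock options.
TIMED, PERMANENT, TWO_FA = "timed", "permanent", "2fa"


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of counted failures
    blocked_until: Optional[float] = None                 # expiry of a timed block
    blocked: bool = False                                 # permanent block flag
    needs_2fa: bool = False                               # next valid login must pass 2FA


class LoginLimiter:
    def __init__(self, max_attempts: int = 3, timeframe: Optional[float] = None,
                 unblock: str = TIMED, block_seconds: float = 900,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_attempts, self.timeframe = max_attempts, timeframe
        self.unblock, self.block_seconds, self.clock = unblock, block_seconds, clock
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def _is_blocked(self, st: AccountState, now: float) -> bool:
        if st.blocked_until is not None and now >= st.blocked_until:
            st.blocked_until, st.failures = None, []      # timed block has expired
        return st.blocked or st.blocked_until is not None

    def _block(self, st: AccountState, now: float) -> None:
        if self.unblock == TIMED:
            st.blocked_until = now + self.block_seconds
        elif self.unblock == PERMANENT:
            st.blocked = True                              # only admin_unblock() clears this
        else:                                              # TWO_FA: step-up on next valid login
            st.needs_2fa, st.failures = True, []

    def attempts_remaining(self, user: str) -> int:
        """Value a 'you have N attempts left' message would show (and leak to an attacker)."""
        st, now = self._state(user), self.clock()
        if self.timeframe is not None:
            st.failures = [t for t in st.failures if now - t <= self.timeframe]
        return max(0, self.max_attempts - len(st.failures))

    def attempt(self, user: str, password_ok: bool) -> str:
        """Returns "ok", "failed", "blocked" or "needs_2fa" for one login attempt."""
        st, now = self._state(user), self.clock()
        if self._is_blocked(st, now):
            if not password_ok and st.blocked_until is not None:
                st.blocked_until = now + self.block_seconds  # wrong login while blocked resets timer
            return "blocked"                               # even a correct password is refused
        if password_ok:
            if st.needs_2fa:
                return "needs_2fa"
            st.failures = []
            return "ok"
        st.failures.append(now)
        if self.timeframe is not None:                     # drop failures outside the window
            st.failures = [t for t in st.failures if now - t <= self.timeframe]
        if len(st.failures) >= self.max_attempts:
            self._block(st, now)
            return "blocked"
        return "failed"

    def verify_2fa(self, user: str, code_ok: bool) -> str:
        st = self._state(user)
        if st.needs_2fa and code_ok:
            st.needs_2fa = False
            return "ok"
        return "needs_2fa"

    def admin_unblock(self, user: str) -> None:
        self.accounts.pop(user, None)                      # the manual unblock from the admin UI


class FakeClock:                                           # lets the demo jump forward in time
    def __init__(self, t: float = 1_000_000.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> Dict[str, object]:
    clock, r = FakeClock(), {}
    # Timed block: 3 failures inside 60 s -> blocked for 900 s.
    lim = LoginLimiter(3, timeframe=60, unblock=TIMED, block_seconds=900, clock=clock)
    r["timed_sequence"] = [lim.attempt("alice", False) for _ in range(3)]
    r["timed_correct_pw_while_blocked"] = lim.attempt("alice", True)
    clock.advance(899)
    r["timed_fail_resets"] = lim.attempt("alice", False)   # resets the block timer
    clock.advance(2)                                       # would have expired without the reset
    r["timed_still_blocked"] = lim.attempt("alice", True)
    clock.advance(900)
    r["timed_after_expiry"] = lim.attempt("alice", True)
    # Timeframe: failures spaced more than 60 s apart never reach the limit.
    lim2 = LoginLimiter(3, timeframe=60, clock=clock)
    for _ in range(2):
        lim2.attempt("bob", False)
        clock.advance(61)
    r["window_third_failure"] = lim2.attempt("bob", False)
    # Permanent block: waiting does not help, admin_unblock() does.
    lim3 = LoginLimiter(3, unblock=PERMANENT, clock=clock)
    for _ in range(3):
        lim3.attempt("carol", False)
    clock.advance(10 ** 6)
    r["permanent_after_long_wait"] = lim3.attempt("carol", True)
    lim3.admin_unblock("carol")
    r["permanent_after_admin_unblock"] = lim3.attempt("carol", True)
    # 2FA: a guessed password after a block still needs the second factor.
    lim4 = LoginLimiter(3, unblock=TWO_FA, clock=clock)
    for _ in range(3):
        lim4.attempt("dave", False)
    r["2fa_guessed_password"] = lim4.attempt("dave", True)
    r["2fa_wrong_code"] = lim4.verify_2fa("dave", False)
    r["2fa_right_code"] = lim4.verify_2fa("dave", True)
    r["2fa_next_login"] = lim4.attempt("dave", True)
    return r
```

Two things the model makes visible: a correct password submitted during a block is still refused, which is what stops an attacker from simply continuing to guess, and a timed block only caps guessing at max_attempts per block period, so an attacker who waits out each block gets a fresh set of attempts. That rate limit is usually enough against online guessing of reasonable passwords, but it is the reason the permanent and 2FA options exist for higher-value accounts.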
Depending on the combination of settings above, you will be able to provide certain error messages, such as telling the user how many login attempts they have left, or that their account is blocked and for how long. These are entirely optional; leave them blank for the default system messages. Bear in mind that whatever a message tells the user it also tells a potential attacker: a message that reports remaining attempts or a block state confirms that the account exists and tells the attacker exactly when to resume guessing, so keep such messages as generic as your users will tolerate.
Note: If you're using 2FA to unblock an account, you don't need to provide feedback about login limitations, since once a user logs in successfully they will be directed to verify via 2FA before accessing their account.
If an account is blocked, you can unblock it by searching for the user account in the WP Admin area and then clicking the unblock link shown under their username in the search table, or the 'unblock' button at the top of the page when viewing their profile.