=== Security & Firewall by CleanTalk ===
Contributors: shagimuratov, serge00, Aleksandrrazor, sartemd174
Requires at least: 3.0
Stable tag: 1.7
Tested up to: 4.7
Tags: login, bruteforce, login protection, brute force attack, brute force protection, login security, password, password admin, password bruteforce, security, secure, firewall, security log, wordpress security, security plugin, login alerts, brute force, security firewall, personal security, admin security, actions, audit, audit log, audit trail, log, security audit trail, security monitor, security activity log, security alerts, trail, users
License: GPLv2
License URI: http://www.gnu.org/licenses/gpl-2.0.html

Security FireWall by CleanTalk protects WordPress against brute force attacks. Security reports by email. Easy-to-use security plugin. Login security.

== Description ==

Security, anti brute force firewall. It adds a delay of a few seconds after any failed attempt to log in to the WordPress back-end. The security report and security log include login attempts for non-existent accounts: bots do not know the user logins of your website, so they try to find real user logins by brute force. CleanTalk security firewall stops this threat.

CleanTalk security firewall is created with maximum regard for the needs of users who do not have extensive knowledge of security. The easy-to-use firewall lets you ensure security and protect your site from brute force.

= Security report by email =

Every day the plugin sends a security report to your email. The report provides the number of incorrect password entries and the IP addresses from which they tried to sign in.

= Security Audit Log: control the actions in the admin area to improve the security of your site =

Security Audit Log keeps track of actions in the WP Dashboard to let you know what is happening on your blog. With the Security Audit Log it is very easy to see user activity, in order to understand what changes have been made and who made them.
Security Audit Log shows who logged in and when, and how much time they spent on each page.

= Brute force security =

A brute force attack is an exhaustive password search to get full access to an Administrator account. Passwords are not the hard part for hackers, given the number of password variants that can be sent per second and the large number of IP addresses available to them. A brute force attack is one of the most dangerous attacks, as an intruder gets full access to your website and can change your code. The consequences of such break-ins can be grievous: your website could be added to a botnet and participate in attacks on other websites, or it could be used to host hidden links or automatic redirection to a suspicious website. The consequences for your website's reputation can be very grievous as well.

= Anti Brute force security =

The plugin is efficient: it doesn't load the server, doesn't query the database and doesn't create any tables. It doesn't put anything in ".htaccess", as that could have a negative effect on your website's accessibility or block access to the Administrator profile.

The plugin picks an optimal delay between login attempts while a user corrects his credentials and tries to log in again. These seconds are more than enough for a user. If a user didn't make it in time, he can always retry, and the delayed time will be nullified.

The firewall reduces the effectiveness of brute-force attacks. A bot spends milliseconds to submit a password, but the firewall allows only one attempt every several seconds. If a bot needed a few months to find the correct password, the protection prolongs that time to several years.

= How to improve security on your own WordPress website. A short list for WP security =

* Don't publish posts and comments from the administrator account.
* Create other accounts for each administrator with another role such as Author or Editor. It all depends on your needs. Assign people to the appropriate roles and you'll greatly reduce your security risk.
* If someone requires administrator access momentarily for a configuration change, grant it, but then remove it upon completion of the task.
* Backups are invaluable. If you have a recent backup of your site, you will be able to restore it back to normal no matter what bad thing might happen.

Use these easy tips for WP security to avoid serious consequences.

= Security Log =

The security log keeps an online log of login attempts. The log includes IP, country, date, time, username and the action result: whether authorization succeeded or failed.

**Security FireWall by CleanTalk** helps WordPress administrators, owners and security professionals ensure the security of their websites and blogs before a security problem arises.

WordPress is the most popular CMS and therefore a frequent target for brute force attacks. Due to the nature of these attacks, you may find your server's memory goes through the roof, causing performance problems. This is because the number of HTTP requests (that is, the number of times someone visits your site) is so high that servers run out of memory.

A dictionary attack is a password attack that attempts to determine a password by trying words from a predefined list, or dictionary, of likely passwords: it tries words from a dictionary, or a list of common passwords, instead of all possible passwords. This can be very effective, as many people use such weak and common passwords.

Sometimes, rather than trying many passwords against one user, another brute force attack method is to try one password against many usernames. This technique is worth noting, as it is where most account lockout policies fail. This brute force attack is less common, however, because it is often difficult for the attacker to compile a sufficiently large list of usernames for the reverse attack.

Brute-force attacks become faster and more effective with each passing day as newer, faster computer hardware is released.
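The throttle described in this readme (a delay after failed logins that grows as failures accumulate, with attempts for non-existent usernames logged and summarised in a daily report) can be modelled in a few dozen lines. The following is an added example written for this page, not CleanTalk's plugin code: the only rule it takes from the readme is the changelog's "10 second delay once more than 5 failures have been made in the past hour"; the doubling schedule, the 5-minute cap, the in-memory store, the plain-text demo passwords and the IP addresses and usernames in the scenario are all constructed assumptions.

```python
"""Progressive-delay login throttle with a security log and daily report.

Added example, not the plugin's code. Failed attempts are counted per IP
over a sliding one-hour window; once five failures have accumulated
(the 5-per-hour / 10 s rule from the 1.1 changelog) every further failure
lengthens the wait, and every attempt, including ones for non-existent
usernames, is logged so a daily report can summarise them. The doubling
schedule, the 5-minute cap and the in-memory store are assumptions.
"""
import hmac
from collections import Counter, defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 3600   # sliding window over which failures are counted
THRESHOLD = 5           # failures allowed in the window before delays start
BASE_DELAY = 10         # seconds to wait after the 5th failure
MAX_DELAY = 300         # assumption: cap so a locked-out human can still retry


@dataclass
class LogEntry:
    ts: int            # unix seconds
    ip: str
    username: str
    result: str        # "success", "failed", "no_such_user" or "throttled"


class LoginThrottle:
    def __init__(self, users):
        # users: username -> password. Constructed plain-text secrets for the
        # demo only; a real implementation compares against password hashes.
        self.users = users
        self.failures = defaultdict(list)   # ip -> timestamps of failures in window
        self.log = []

    def _recent_failures(self, ip, now):
        keep = [t for t in self.failures[ip] if now - t < WINDOW_SECONDS]
        self.failures[ip] = keep
        return keep

    def required_delay(self, ip, now):
        """Seconds the client must wait after its last failure before the next try."""
        n = len(self._recent_failures(ip, now))
        if n < THRESHOLD:
            return 0
        # progressive delay: 10 s at the 5th failure, doubling with each further one
        return min(BASE_DELAY * 2 ** (n - THRESHOLD), MAX_DELAY)

    def attempt(self, ip, username, password, now):
        fails = self._recent_failures(ip, now)
        delay = self.required_delay(ip, now)
        if delay and fails and now - fails[-1] < delay:
            # inside the lock-out period: reject without evaluating the password
            self.log.append(LogEntry(now, ip, username, "throttled"))
            return "throttled"
        if username not in self.users:
            result = "no_such_user"   # logged: bots guess logins before passwords
        elif hmac.compare_digest(self.users[username], password):
            result = "success"
        else:
            result = "failed"
        if result == "success":
            self.failures[ip].clear()      # a real user who recovers is not penalised
        else:
            self.failures[ip].append(now)
        self.log.append(LogEntry(now, ip, username, result))
        return result


def daily_report(log, since):
    """Summarise the log the way the readme's daily email does."""
    entries = [e for e in log if e.ts >= since]
    return {
        "failed_by_ip": dict(Counter(e.ip for e in entries
                                     if e.result in ("failed", "no_such_user"))),
        "unknown_usernames": dict(Counter(e.username for e in entries
                                          if e.result == "no_such_user")),
        "throttled_by_ip": dict(Counter(e.ip for e in entries if e.result == "throttled")),
        "successful_logins": [(e.ip, e.username) for e in entries if e.result == "success"],
    }


def run_demo():
    """Constructed scenario: a bot hammering a non-existent 'admin' login and one
    legitimate editor who mistypes once. Returns the bot's results and the report."""
    t = LoginThrottle({"editor": "correct horse battery"})
    now = 1_480_000_000
    bot, user = "203.0.113.5", "198.51.100.7"          # RFC 5737 documentation addresses
    bot_results = [t.attempt(bot, "admin", f"guess{i}", now + i) for i in range(7)]
    bot_results.append(t.attempt(bot, "admin", "guess7", now + 20))   # past the 10 s wait
    bot_results.append(t.attempt(bot, "admin", "guess8", now + 25))   # wait is now 20 s
    t.attempt(user, "editor", "correct horse", now + 100)
    t.attempt(user, "editor", "correct horse battery", now + 103)
    return bot_results, daily_report(t.log, now)


if __name__ == "__main__":
    results, report = run_demo()
    print(results)
    print(report)
```

Two design points worth noting. A throttled attempt is rejected before the password is checked and is not itself counted as a failure, so a bot that keeps hammering during the lock-out does not extend its own lock-out forever, while each guess it lands after the wait does double it. And a successful login clears the IP's failure list, which is what lets a legitimate user who mistyped a few times recover without a lingering penalty, matching the readme's note that the delay is nullified on retry.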
There are a number of techniques for preventing brute force attacks. A better, albeit more complicated, technique is progressive delays. With progressive delays, user accounts are locked out for a set period of time after a few failed login attempts, and the lock-out time increases with each subsequent failed attempt. This prevents automated tools from performing a brute force attack and effectively makes such an attack impractical. CleanTalk security firewall uses this method to block brute force attacks.

= Free trial then $20 per year =

All logs are stored in the cloud for 45 days. Security by CleanTalk is a free plugin which works with the premium Cloud service cleantalk.org. The plugin is offered as a service: https://en.wikipedia.org/wiki/Software_as_a_service.

= TODO =

* Change time of Daily report to 10am.
* Add a malware scanner.
* Fix issue with 'Fatal error: Uncaught exception 'phpmailerException' with message 'Invalid address: wordpress@*.org''

== Screenshots ==

1. Security report. The report includes the list of brute force attacks or failed logins and the list of successful logins. The plugin sends the reports daily.
2. Brute-force attacks log. The log includes the list of attacks for the past 24 hours and shows only the last 20 records. To see the full report please check the Daily security report in your Inbox (bond@cleantalk.org).

== Changelog ==

= 1.7 December 12 2016 =
* Added support for WPMS.
* Personal log possibility for each website.
* Translation system attached.
* Varnish extension compatibility.

= 1.6.1 November 29 2016 =
* Fixed error for some PHP versions.

= 1.6 November 29 2016 =
* Cloud service API key.
* Cloud service dashboard.
* Logs are stored in Cloud.
* Protection status.
* Code optimization.

= 1.5.2 November 16 2016 =
* Fixed conflict with CleanTalk Anti-spam plugin.

= 1.5.1 November 14 2016 =
* Fixed and improved log.
* Fixed database error.
* Changed update logic.

= 1.5 November 13 2016 =
* Logging viewed admin pages.
* Counting viewed time.
= 1.4.3 November 2 2016 =
* Fixed issue with Security report. On some hostings the report couldn't be sent by WP Cron because of a PHP Fatal error in spbc_report_country_part().

= 1.4.2 October 20 2016 =
* Improved the Security log. The new version includes brute force attacks to find WordPress accounts.
* Applied changes to localize the plugin via Translating WordPress.org.
* Minor backend fixes.

= 1.3.1 September 29 2016 =
* Fixed issue with PHP 5.2 and Security reports.
* Fixed issue with WordPress notice after plugin activation.

= 1.3 September 20 2016 =
* Added a log of the last 20 events (login, logout, auth failed, etc.) in the WordPress backend to the plugin settings.
* Added a WP cron call for every auth_failed event. This fix has been made to avoid the issue of missed Daily security reports on low-traffic web sites.

= 1.2.3 September 14 2016 =
* Added a country name in the Daily report for each IP address in the list of Brute-Force attacks.
* Minor changes to WP Cron integration.

= 1.2.1 September 5 2016 =
* Fixed issue with Daily security report. Previous version (1.2) didn't send the report.

= 1.2 September 2 2016 =
* Added Daily security report. The report includes the list of Brute-force attacks or failed logins and the list of successful logins.

= 1.1.1 August 29 2016 =
* Removed some debug statements from the plugin.

= 1.1 August 29 2016 =
* Added a 10 second delay for a failed attempt if more than 5 failed attempts have been made in the past 1 hour.

= 1.0.1 August 24 2016 =
* Minor fix.

= 1.0 August 19 2016 =
* First release with anti brute force protection.

== Upgrade Notice ==

= 1.7 December 12 2016 =
* Added support for WPMS.
* Personal log possibility for each website.
* Translation system attached.
* Varnish extension compatibility.

= 1.6.1 November 29 2016 =
* Fixed error for some PHP versions.

= 1.6 November 29 2016 =
* Cloud service API key.
* Cloud service dashboard.
* Logs are stored in Cloud.
* Protection status.
* Code optimization.
= 1.5.2 November 16 2016 =
* Fixed conflict with CleanTalk Anti-spam plugin.

= 1.5.1 November 14 2016 =
* Fixed and improved log.
* Fixed database error.
* Changed update logic.

= 1.5 November 13 2016 =
* Logging viewed admin pages.
* Counting viewed time.

= 1.4.3 November 2 2016 =
* Fixed issue with Security report. On some hostings the report couldn't be sent by WP Cron because of a PHP Fatal error in spbc_report_country_part().

= 1.4.2 October 20 2016 =
* Improved the Security log. The new version includes brute force attacks to find WordPress accounts.
* Applied changes to localize the plugin via Translating WordPress.org.
* Minor backend fixes.

= 1.3.1 September 29 2016 =
* Fixed issue with PHP 5.2 and Security reports.
* Fixed issue with WordPress notice after plugin activation.

= 1.3 September 20 2016 =
* Added a log of the last 20 events (login, logout, auth failed, etc.) in the WordPress backend to the plugin settings.
* Added a WP cron call for every auth_failed event. This fix has been made to avoid the issue of missed Daily security reports on low-traffic web sites.

= 1.2.1 September 5 2016 =
* Fixed issue with Daily security report. Previous version didn't send the report.