Why We’re Replacing The Limit Login Attempts Plugin

Dustin Meza 2.16.2015

Update 3/10: We will be starting the removal across our platform on 3/11 and believe we will be finished on 3/13.

At WP Engine we are committed to keeping your WordPress sites secure. As our customers, you entrust us with that responsibility. With that in mind, we’ve decided to replace the Must Use plugin, Limit Login Attempts, with our proprietary security built into our platform.

Here are answers to questions you may have about this change:

What’s replacing Limit Login Attempts?
We’re replacing the plugin with an addition to our existing proprietary security systems. This addition is intelligent, reactive software that constantly learns and adapts to threats and takes action.

Why are you doing this?
The primary reason is that by bringing this security in house, we can react to the ever-changing security landscape much faster. The Limit Login Attempts plugin hasn’t been updated in two years, forcing us to maintain the code on our platform to ensure compatibility. Secondly, some customers had a poor experience with Limit Login Attempts, sometimes having to change their workflow to accommodate it.

What does this mean?
On Wednesday, March 2nd, we will be removing the Limit Login Attempts plugin from every site on our system. Our platform security will now ensure that bad actors can’t log in to your site.

What do I need to do?
You don’t need to do anything; your security is in our hands. Most customers won’t even notice a change in their sites.

What if I want to continue to use Limit Login Attempts?
While we do not recommend using the plugin any longer as it will not be supported, we won’t prohibit you from reinstalling it. We recommend you install the plugin from the WordPress repository. If you have issues with the plugin, you’ll need to contact the plugin developer, as we cannot provide direct support for the plugin after it is removed.

–Dustin Meza, Senior Manager, Customer Experience Operations

Comments

  1. James Grove says

    February 16, 2015 at 11:17 am

    Wow! I’m excited about that, because the plugin has been causing us headaches. If one person in our office locked themselves out, then the entire office got locked out because we are all at the same IP address.

    Can you give some more information about the new system and how it will work?

    Reply
    • Dustin Meza says

      February 16, 2015 at 11:45 am

      Hey James,

      Very glad to hear you’re excited about this change, we had a feeling customers would be!

      While I can’t provide too many specifics about the system for security reasons, I can tell you it’s much smarter than just looking at failed login attempts and blocking an IP, we take many more factors into account in a situation such as that, and we don’t anticipate offices being locked out due to one person just forgetting their password.

      Reply
  2. Jon Furner says

    February 16, 2015 at 11:38 am

    I’ve noticed that with the Limit Login Attempts plugin, our IP address–our entire office–would get blocked if someone in the office couldn’t remember their password and failed to guess it after so many attempts. Those who were already logged in got kicked out as well. This caused us to “change [our] workflow” sometimes, as mentioned above.

    Does this change affect this scenario? Will there be a way to manually bypass a lockout through the WP Engine control panel, for example? I don’t necessarily want to whitelist our IP address; you never know where or how a hacker may try to gain access. The log files for the Limit Login Attempts plugin certainly make it clear that we need the security. I’m just curious to know how this new security system will work and how it will affect us.

    Reply
    • Dustin Meza says

      February 16, 2015 at 11:54 am

      Hey Jon,

      This change definitely affects the scenario you outline. We believe the replacement system is so smart, that a few users forgetting their password and someone trying to actually brute force or maliciously attempt to login will be seen as completely different, instead of as the same thing, which is the case in the plugin today.

      Lockouts will continue to be managed by our team, but all of our testing suggests you won’t be locked out for false positives. We’ll of course be monitoring and always reacting to what we’re seeing as well as the customer experience, so if it’s necessary one day to bring management into customers’ hands, we would do that.

      Reply
      • Jon Furner says

        February 16, 2015 at 12:38 pm

        I’m glad to hear it.

        Thanks, Dustin!

        Reply
      • Eoin H says

        February 24, 2015 at 10:05 am

        How quickly do you see lockouts being reacted to? As with Jon, we often have a similar issue. We could have a number of people editing pages/posts at the same time; if one gets locked out they all do. When an is locked out, how soon before it is unlocked?

        Cheers.

        Reply
        • Dustin Meza says

          February 24, 2015 at 3:28 pm

          Hey Eoin,

          It’s much more than lockouts that we look at, and because of that, we don’t believe the prior scenarios come into play. When we make the determination to blacklist an IP, it is forever; we are so confident in our process that there is no expiration.

          Reply
  3. Jon Brown says

    February 16, 2015 at 12:24 pm

    Great news. We’ve been having more and more issues with that plugin as time goes by. Happy to have that sort of protection moved down the stack and in your hands.

    Reply
  4. Jesper says

    February 17, 2015 at 12:33 am

    Great … must say that I have been in an in-fight with the current system 🙂

    …And great that you are still handling bruteforce attempts!

    Regards
    Jesper

    Reply
  5. danieliser says

    February 17, 2015 at 2:03 am

    Fantastic. Was about to message support about this the other day but it was a holiday weekend. That plugin seemed to be making quite a few DB queries even if the user was already logged in.

    Now no need. Great timing. 🙂

    Keep up the great work.

    Reply
  6. Aj Clarke says

    February 17, 2015 at 2:09 pm

    Nice! Thank you 😉

    Reply
  7. John says

    February 17, 2015 at 2:20 pm

    Is there a similar plugin that people recommend that has been updated recently? Just curious.

    Reply
    • Dustin Meza says

      February 17, 2015 at 3:39 pm

      Hey John,

      I would recommend iThemes Security, this plugin is maintained by a top notch dev shop, so you can trust they will keep it updated.

      Reply
  8. Joel Hughes says

    February 18, 2015 at 5:54 am

    Hi,
    great you’re improving this – we had a ticket open recently on this very matter.

    My main concern with removing above is this; are you also removing the ability for us to whitelist IPs?

    Jon hit the nail on the head, we have clients behind a single IP and someone can lock out the whole shooting match.

    Ideally we want some level of control here.

    Joel

    Reply
    • Dustin Meza says

      February 18, 2015 at 10:38 am

      Hey Joel,

      I completely understand your concern, the good news is in all of our testing, the new system is smart enough to distinguish between an attack, and a number of people from an office forgetting their password and attempting to log in multiple times. We fully believe that you will not continue to experience this issue.

      Our Support team will definitely be able to whitelist something like an office if you choose, but there should be no need for this.

      Reply
  9. Elliot Taylor says

    February 18, 2015 at 6:34 am

    Would be ideal to reset the lock out in the admin.

    I use a password manager. It auto tries to log me into sites when there is a login on the page.

    Consequently it is easy to have a string of failed logins.

    In particular due to the way in which WPE manages new installs whereby to determine the password you must use the forgotten password tool.

    Please consider this.

    Would also be good to set username and password for a new install in the backend (rather than forgotten password process.)

    Reply
    • Dustin Meza says

      February 18, 2015 at 10:41 am

      Hey Elliot,

      We didn’t just copy the functionality in the Limit Login Attempts plugin, we built a whole new system that works so much smarter than X failed login attempts during Y period and lockout. A string of legitimate login attempts that fail will not cause a lockout, the system is much smarter than that. If for some reason there is a need to whitelist an IP, our Support team can do this, but we don’t believe there will be.

      I appreciate your feature request and will pass it on to our Product team.

      Reply
  10. Jeremy Massel says

    February 18, 2015 at 7:18 pm

    Would like more technical details on how this works, specifically – not completely convinced this is more secure 😉

    Also – it’d be great to have the ability to lock down the IP addresses that can log in via the WP Engine User Portal.

    Reply
    • Dustin Meza says

      February 19, 2015 at 12:13 pm

      Hey Jeremy,

      Unfortunately, as with most security systems, we can’t provide the technical specifics around it. We have a hack proof guarantee, so if your site gets hacked, we’ll fix it for free. We wouldn’t be making a change to decrease security with a guarantee like that.

      Thanks for the feature request, I’ll be sure to pass this on to our Product team.

      Reply
  11. Andrew says

    February 19, 2015 at 10:37 am

    Hi there,

    We’re using Limit Logins + an additional whitelist plugin to whitelist one specific IP address (which is our licensing server).

    Our licensing server pings the site to check a login exists / is valid in order to issue software licenses.

    It’s imperative for us that this whitelist remains in place, if you are going to introduce additional security around blocking repeated logins.

    Please let me know if I will be affected.

    Reply
    • Dustin Meza says

      February 19, 2015 at 12:17 pm

      Hello Andrew,

      Thanks for the details. Because we haven’t tested directly against your licensing server’s behavior, I would suggest you contact our Support team to request the IP it uses is whitelisted in the new system; we can do this before it is rolled out so there will be no impact to your workflows.

      Reply
  12. HouseofStrauss says

    February 19, 2015 at 11:16 am

    While I can see how you can strangle the bots more successfully with different tech, the 3 attempts then lock out does deter the human hacker guessing a variety of passwords. My question is this: given that the would be hacker has a good IP will they now have multiple attempts at login? and if so, how do you differentiate the genuine ‘bad memory user’ and a ‘have a go intruder’?

    Reply
    • Dustin Meza says

      February 19, 2015 at 12:20 pm

      Hey there,

      While we can’t release the technical details around the security system, we do believe we have this scenario covered. Seeing as we have a hack proof guarantee, where if your site is hacked we will fix it for free, it wouldn’t be in our best interest to make the system less secure. If you have concerns though, we have no issues with you continuing to use the Limit Login Attempts plugin.

      Reply
      • HouseofStrauss says

        February 20, 2015 at 3:43 am

        ‘Having it covered’ is good enough, as you say, it’s your responsibility to fix it. And yes, let’s not reveal too much about how it works…
        Thanks

        Reply
  13. Ken says

    February 19, 2015 at 1:34 pm

    Excellent, Dustin! What a great security improvement.

    Now if WP on WP Engine could be configured to require SSL, even just for login, that would be sweet.

    Reply
    • Dustin Meza says

      February 19, 2015 at 4:43 pm

      Hey Ken,

      Glad you’re excited about the changes we’re bringing to the platform.

      As for your second comment, I think you should contact our Support team, if I’m interpreting your statement correctly I believe we can do that no problem.

      Reply
  14. Matt Segall says

    February 19, 2015 at 2:58 pm

    Yay! I too am excited! We have 51+ sites on WPEngine and sometimes we have issues with that PlugIn.

    Thanks for being awesome =)

    -Matt

    Reply
  15. Lyse says

    February 20, 2015 at 7:34 am

    Hi
    Also happy to hear good news and how this will simplify the login process!

    Thanks for the good work!

    Lyse

    Reply
  16. Arthur says

    February 20, 2015 at 8:17 am

    Since I have installed LLA on many of my other sites too, I just wanted to check and make sure you haven’t stopped using the plugin for any security holes that WPE has found…

    Reply
    • Dustin Meza says

      February 24, 2015 at 3:23 pm

      Hey Arthur,

      We did not stop using it because of any security issues we found, it was much more about wanting to take our system to the next level.

      Reply
  17. Richard says

    February 21, 2015 at 10:53 pm

    Awesome to hear!

    Reply
  18. Rhiannon Davies says

    March 11, 2015 at 4:37 pm

    Hi There

    Over the last couple of days a lot of our members have been having difficulty with being locked out of the site after their IPs being whitelisted and their profiles being verified. Could this have something to do with their difficulties? If so, is there a way to enable their profiles as this is severely affecting our capabilities as a networking site.

    Kind regards,
    Rhiannon

    Reply
    • Dustin Meza says

      March 11, 2015 at 4:44 pm

      Hey Rhiannon,

      This announcement would not have anything to do with their difficulties experienced currently. This new system lives above the site layer, in the network layer, and doesn’t impact anything at a user or profile level. I would imagine that once we make this change, those difficulties would go away, as the only thing locking them out of the site currently would be the Limit Login Attempts plugin we are removing. Unless you have installed additional security plugins that are taking action.

      I would check in again next week with anyone having issues and see how their new experience is, if they are having issues, contact our Support team because it would be something else installed affecting them.

      Reply
  19. Creativity Please says

    March 12, 2015 at 1:34 am

    why are we not surprised, there are so many people happy about this change 🙂 thankfully that entire office locked out issue is sorted for ever. additionally, i’d recommend having a fall back “admin” access to clearing out such a blockade/lockout, via the my.wpengine.com dashboard perhaps, that’d be really amazing.

    also while you guys are at it, can you also please solve the issues where bots like seamalt.com are making us pay for unusable visits to our website, you can block such things en masse, as against, us fighting against them individually, no?

    Reply
  20. Katie Keith says

    March 16, 2015 at 1:42 am

    Great news! This plugin can be very annoying, locking out genuine users and preventing work on the site.

    Do you recommend installing any security-related plugins on individual websites, or are the in-built WP Engine security features sufficient to secure a website without having to add extra plugins?

    Many thanks

    Reply
    • Dustin Meza says

      March 17, 2015 at 3:47 pm

      Hey Katie,

      We’re glad you’re finding this change helpful!

      As for any other security plugins, we really only recommend something like WP Stream, which logs all the activity that happens inside the WP-Admin so you have a record. Other than that, you’re good to go!

      Reply
  21. Steve Adams says

    March 16, 2015 at 11:17 pm

    Great services, customer service & support.
    Thank you!

    Reply
  22. Jan says

    March 25, 2015 at 3:21 pm

    Hi there, thanks so much for this update! I feel a bit more secure 😉
    jan

    Reply
  23. Krista Lacida says

    June 8, 2015 at 8:49 pm

    Wow. I was considering this for a WordPress project I have and didn’t know this feature meant blocking the whole IP address. This would really cause a headache especially for the elderly who have a tendency to forget things.

    Nice move on this.

    Reply
  24. Mary Reagan Harvey says

    June 15, 2015 at 12:05 pm

    Awesome that this has been updated. However, the Limited login plugin has not been removed from our site and has been causing a lot of log in issues over the past week or so. Is there a reason why our site might have been skipped during the removal process? I was not the one who installed it and I am certain that no one else would have tried to reinstall it after the removal process.

    Thanks!

    Reply
    • Dustin Meza says

      June 15, 2015 at 12:10 pm

      Hey Mary,

      Glad to hear you’re happy with the change. This is the first time we’ve heard something like this, it’s probably best to contact our Support team through the WP Engine User Portal https://my.wpengine.com so they can investigate and get you taken care of.

      Reply
  25. Voldemar says

    October 1, 2015 at 9:53 am

    Hi! Is it possible to use third party security plugins like WP Cerber https://wordpress.org/plugins/wp-cerber/?
    Maybe there is a list of prohibited plugins? Point out, please.

    Reply
    • Dustin Meza says

      October 7, 2015 at 10:25 am

      Hello there,

      We do provide a list of disallowed plugins on our platform, you can find them here http://wpengine.com/support/disallowed-plugins/

      The plugin you reference is not on the list, so you are welcome to install and try it out.

      Reply
    • Riha says

      November 4, 2017 at 9:55 am

      Hey,

      You might want to check out BruteGuard: https://bruteguard.co

      I use it in conjunction with WPEngine and it works like a charm.

      Reply
  26. ciphercoin says

    October 14, 2015 at 1:30 pm

    You can use the plugin http://wordpress.org/plugins/wp-limit-login-attempts/ for protecting from brute force attacks.

    Reply
  27. Bill says

    February 19, 2016 at 2:08 pm

    You mentioned that security is “above the site layer”, does this mean that incoming SSL traffic is decrypted prior to reaching the host instance? Also, do you guys publish any materials that cover your overall network security governance?

    Reply
