Linux 软件免费装

在这里免费安装WordPress以及其他软件

Banner图

Login Armor

开发者 wpformation
更新时间 2026年6月17日 18:27
捐献地址: 去捐款
PHP版本: 8.1 及以上
WordPress版本: 7.0
版权: GPLv2 or later
版权网址: 版权信息

标签

activity log login security brute force hide login limit login

下载

2.3.0 2.4.0 2.1.17 2.1.18 2.1.19 2.1.21 2.0.2 2.0.3 2.0.4 2.1.1 2.1.0 2.1.2 2.1.3 2.1.4 1.0.2 2.1.7 2.1.8 2.0.1 2.1.13 2.1.14 2.1.11 2.1.15 2.1.16 2.0.0 2.1.10 2.1.12 2.1.22 2.1.25 2.1.6 2.1.9 2.0.5 2.1.23 2.1.26 2.2.0

详情介绍:

Twelve security modules. One lightweight plugin. Zero compromise. Login Armor is a complete WordPress security stack built for agencies, freelancers and pros who deliver audit-ready sites. No premium tier, no bundled marketing dashboard, no telemetry. Every module runs locally, ships with safe defaults, and stays out of your way. Stop juggling Wordfence's bloat, Solid Security's upsells, and Limit Login Attempts' gaps — Login Armor delivers twelve independent modules in about one megabyte. New in 2.4.0 Why Login Armor Twelve independent modules
  1. Hide Login — Replace wp-login.php with a custom slug; the old URL returns a 404, and a branded pre-activation modal lets you pick or generate the slug and emails it to you so you can't lock yourself out. Compatible with multisite, reverse proxies and password-recovery flows.
  2. Brute Force Protection — Cascading lockouts escalating to a 24-hour ban, with subnet blocking and trusted X-Forwarded-For; lostpassword, register, XML-RPC and the REST users endpoint are all gated when an IP is locked, and every lockout surfaces as an incident.
  3. Hardening — Fifteen one-click toggles across surface reduction, credential hardening, request filtering and account monitoring: disable XML-RPC/pingbacks, the file editor, version exposure, application passwords and author enumeration; block reserved usernames (Unicode-confusable detection); add a login honeypot; get alerted on new administrators.
  4. Two-Factor Authentication — TOTP, one-time codes by email and printable backup codes, with trusted devices for thirty days, per-role enforcement, a configurable grace period and an email recovery flow when the authenticator is lost.
  5. Detection and Incidents — A real-time engine groups raw events into six attack patterns, each with a drill-down (timeline, source IPs, target users, severity, UA fingerprint) and one-click actions (reset password, block subnet, mark resolved).
  6. Activity Log — A compliance-ready, tamper-evident (hash-chained) audit trail of admin actions across seven logger domains, with filtering, CSV export, configurable retention and optional signed webhook forwarding to a SIEM.
  7. Login Page Security Headers — Content-Security-Policy, X-Frame-Options, Permissions-Policy, Referrer-Policy and X-Content-Type-Options on wp-login.php and the lockout page, in two presets with an optional CSP report-uri; baseline headers can optionally extend site-wide.
  8. Breach Check — Detect logins using a breached password via privacy-preserving k-anonymity against Have I Been Pwned (only a 5-character SHA-1 prefix leaves the server); optional XposedOrNot email lookup, fail-soft so an outage never blocks login.
  9. Password Policy — Enforce strong, unique passwords at registration, profile update and reset: minimum length and character classes, forbid the username inside the password, optionally reject breached passwords, with optional non-locking expiration nudges.
  10. Session Management — Idle-timeout logout measured on real page loads, a maximum session lifetime regardless of "remember me", an optional single-active-device restriction, and a one-click "sign out all other devices".
  11. IP Geolocation — Show the attacker's country on the Incidents and Events tabs; lazy, cached thirty days, capped per page load, private ranges never sent. Keyless ipwho.is by default, swappable for an offline database via a filter.
  12. Request Firewall — An optional, 8G-inspired PHP filter that blocks malicious query strings, paths, HTTP methods and (opt-in) user-agents/referrers before WordPress loads, on Apache/Nginx/LiteSpeed alike; off by default, starts in monitor mode, never filters admins, skips REST/cron/WP-CLI, with an IP/path allowlist (CIDR). Not scored.
AI Security Briefing (optional) Built on the WordPress 7 native AI Client, one click turns your last thirty days of activity into a plain-language verdict, an IP picture and a short list of prioritised actions; "Explain with AI" does the same on a single incident. Minimised mode (anonymised signals) is the default and deep mode is an explicit opt-in. No API key is stored — it uses your own WordPress AI connector, so provider and cost stay yours. It always leads with a deterministic facts snapshot that works with or without AI. Plus GPL forever. PHP 8.1+. WordPress 6.8+. Zero dependencies. Douze modules de sécurité. Une seule extension légère. Zéro compromis. Login Armor est une stack complète de sécurité WordPress conçue pour les agences, les freelances et les pros qui livrent des sites prêts à passer un audit. Pas de version premium, pas de tableau de bord marketing intégré, pas de télémétrie. Chaque module tourne en local, embarque des réglages par défaut sécurisés, et reste discret. Fini de jongler entre la lourdeur de Wordfence, les fenêtres d'upsell de Solid Security et les angles morts de Limit Login Attempts — Login Armor regroupe douze modules indépendants en environ un méga-octet. Nouveau en 2.4.0 Pourquoi Login Armor Douze modules indépendants
  1. Masquer la connexion : remplace wp-login.php par une URL personnalisée (l'ancienne renvoie une 404) ; une modale de pré-activation choisit ou génère le slug et vous l'envoie par e-mail pour éviter tout verrouillage. Compatible multisite, reverse proxies et récupération de mot de passe.
  2. Protection contre la force brute : verrouillages en cascade montant à un bannissement de 24 h, blocage de sous-réseaux et support X-Forwarded-For ; lostpassword, register, XML-RPC et l'endpoint REST users sont bloqués pour une IP verrouillée, et chaque verrouillage devient un incident.
  3. Renforcement : quinze bascules en un clic (réduction de surface, identifiants, filtrage des requêtes, surveillance des comptes) — désactiver XML-RPC/pingbacks, l'éditeur de fichiers, l'exposition de version, les mots de passe applicatifs et l'énumération d'auteurs ; bloquer les identifiants réservés (homoglyphes Unicode) ; ajouter un pot de miel ; être alerté à la création d'un administrateur.
  4. Authentification à deux facteurs : TOTP, codes à usage unique par e-mail et codes de secours imprimables, avec appareils de confiance 30 jours, application par rôle, période de grâce configurable et récupération par e-mail en cas de perte.
  5. Détection et incidents : un moteur en temps réel regroupe les événements en six patterns d'attaque, chacun avec une vue détaillée (chronologie, IP sources, comptes cibles, sévérité, empreinte UA) et des actions en un clic.
  6. Journal d'activité : piste d'audit conforme et inviolable (chaîne de hachage) des actions admin sur sept domaines, avec filtrage, export CSV, rétention configurable et transfert webhook signé optionnel vers un SIEM.
  7. En-têtes de sécurité : CSP, X-Frame-Options, Permissions-Policy, Referrer-Policy et X-Content-Type-Options sur wp-login.php et la page de verrouillage, en deux préréglages avec CSP report-uri optionnel ; les en-têtes de base peuvent s'étendre à tout le site.
  8. Détection de fuites : repère les connexions avec un mot de passe fuité via k-anonymat sur Have I Been Pwned (seul un préfixe SHA-1 de 5 caractères sort) ; vérification e-mail XposedOrNot optionnelle, fail-soft.
  9. Politique de mot de passe : impose des mots de passe forts à l'inscription, au profil et à la réinitialisation (longueur, classes de caractères, interdiction de l'identifiant, rejet optionnel des mots de passe fuités), avec expiration optionnelle qui ne verrouille jamais personne dehors.
  10. Gestion des sessions : déconnexion sur inactivité mesurée sur les vrais chargements, durée de vie maximale indépendante de « se souvenir de moi », limitation optionnelle à un seul appareil actif, et « déconnecter tous les autres appareils » en un clic.
  11. Géolocalisation IP : affiche le pays des IP attaquantes dans Incidents et Événements ; recherches paresseuses, cache 30 jours, plafonnées par page, plages privées jamais envoyées. ipwho.is sans clé par défaut, base hors ligne possible via un filtre.
  12. Pare-feu de requêtes : filtre PHP optionnel inspiré du 8G qui bloque chaînes de requête, chemins, méthodes HTTP et (en option) user-agents/referrers malveillants avant le chargement de WordPress, sur Apache/Nginx/LiteSpeed ; désactivé par défaut, démarre en mode surveillance, ne filtre jamais les admins, ignore REST/cron/WP-CLI, allowlist IP/chemins (CIDR). Non noté.
Briefing de sécurité IA (optionnel) Bâti sur le client IA natif de WordPress 7, un clic transforme vos trente derniers jours d'activité en un verdict en langage clair, un panorama des IP et une courte liste d'actions prioritaires ; « Expliquer avec l'IA » fait de même sur un incident. Le mode minimisé (signaux anonymisés) est par défaut, le mode approfondi est un opt-in explicite. Aucune clé API stockée : il utilise votre propre connecteur IA WordPress, le coût et le fournisseur restent les vôtres. Il s'ouvre toujours sur un instantané de faits déterministes, utile avec ou sans IA. En plus Conçu par Login Armor est conçu et maintenu par Fabrice Ducarme de WPFormation, expert WordPress français obsédé par les sites propres, rapides et prêts pour l'audit. On l'utilise sur chaque site qu'on livre. GPL pour toujours. PHP 8.1+. WordPress 6.8+. Zéro dépendance.

安装:

  1. Upload the login-armor directory to /wp-content/plugins/
  2. Activate the plugin through the 'Plugins' menu in WordPress
  3. Go to LoginArmor in the admin menu to configure
For multisite: Network Activate the plugin to apply it across all sites. Setting up Hide Login
  1. Go to LoginArmor > Settings > Hide Login section
  2. Enter your desired login slug (e.g., my-login)
  3. Save settings
  4. Bookmark your new login URL: you will need it to access your admin
Recovering access If you forget your custom login URL:

屏幕截图:

  • Overview dashboard - health cards, security pulse, live event tail, threat banner that surfaces active attacks.
  • Incidents - real-time pattern detection grouped by attack class with severity and one-click resolution.
  • Incident drill-down - full timeline, user-agent fingerprint, suggested actions, escalation flag.
  • Events - complete login attempts log with filters and CSV export.
  • Activity Log - admin action audit trail across seven domains, filterable and exportable.
  • Settings - modular configuration with live security score and a sticky save bar.
  • Hide Login pre-activation modal - pick or generate the secret URL and email it to yourself before flipping the switch.
  • Hardening - thirteen one-click toggles grouped by surface reduction, credential hardening, and request filtering.
  • Two-factor authentication setup - QR code for any authenticator app, copy-paste fallback, and live verification.
  • Breach Check - fully transparent k-anonymity lookups, separate password and email toggles, opt-in email check disabled by default.

升级注意事项:

2.4.0 New: an optional Request Firewall (8G-inspired PHP filter) that blocks malicious requests - off by default, starts in monitor mode (logs without blocking), admins never filtered. Plus a first-run onboarding wizard with a one-click safe baseline. All opt-in; existing sites unchanged. 2.3.0 Account-security release: Password Policy (length/complexity + reject breached passwords via privacy-preserving HIBP), Session Management (idle timeout, max lifetime, single session), and opt-in IP Geolocation. All off by default; nothing changes until you enable it. 2.2.0 New: the AI Security Briefing turns your last 30 days of activity into a plain-language verdict, an IP picture and prioritised actions, on top of a deterministic facts snapshot. Built on the WordPress 7 native AI Client - uses your own connector, no API key stored, runs on click. 2.1.26 Fixes email/backup 2FA bouncing to "session expired" on browsers that don't return the verification cookie on submit (some Chrome setups; Firefox worked). The form now also carries the session token, so login works regardless. Recommended if Email 2FA is enabled. Security unchanged. 2.1.25 Fixes email/backup two-factor verification being rejected ("session expired") in some browsers, notably Chrome, while Firefox worked. The form is now uncached and authenticated by the signed same-site cookie. Recommended if Email 2FA is enabled. 2.1.24 Fixes a fatal error (HTTP 500 / "network error") during authenticator-app (TOTP) setup on hosts whose wp-config.php does not define AUTH_KEY, such as some Infomaniak installs. Recommended if Two-Factor is enabled. Existing setups are unaffected. 2.1.23 Fixes the two-factor login screen: the "use a different method" links now work (and email a fresh code when switching to Email), expired/locked sessions explain themselves, and the authenticator-setup button reports errors. Recommended for 2FA users. 2.1.22 Fixes a Security Score that under-counted active modules: Brute Force and Detection (on by default) are now scored correctly, so the header, the score number and the module list agree. Display and scoring only — recommended for all installs. 2.1.21 Cosmetic patch: cleaner user-agent labels in the Events table — Jetpack/WordPress.com clients are recognised, and long agents are trimmed at a word boundary with an ellipsis instead of a chopped-off string with a dangling parenthesis. 2.1.20 Migration-friendly integrity: a security-key change now shows an amber "Keys changed" advisory with one-click chain re-baseline instead of a false "TAMPERED" alarm. Adds an XML-RPC blind-spot warning when Hide Login is on but XML-RPC stays open. Completes the French translation. 2.1.19 Clearer attack-type labels + descriptions on incidents, French translation of the visible admin tabs, translatable toast notifications, and a fix for the Activity Log integrity badge staying "UNVERIFIED" after a successful verify. Recommended for all installs. 2.1.18 Patch. Fixes "Select all" / bulk actions when incidents are all resolved (checkboxes now on every card) and only labels the attack vector for XML-RPC/REST (no more misleading "via login form"). Recommended for 2.1.17 users. 2.1.17 Feature release. Incidents now show the attack vector (XML-RPC / REST / login form) — spot which attempts bypass your hidden login URL — plus bulk mark-resolved/ignore. Adds a vector column to the incidents table (auto migration). Recommended for all installs. 2.1.16 Bug fix release from an external audit. Fixes plain-permalinks compat (Hide Login URL, REST API allowlist), restores activity-log coverage for 2FA, frontend registration and password reset, and extends Honeypot to WooCommerce + frontend login forms. Recommended for all installs. 2.1.15 Fixes a fatal TypeError when third-party plugins (e.g. WP Fastest Cache) call WordPress URL builders with off-contract argument types. Strict parameter hints relaxed on seven callbacks; return types unchanged. Neutral on canonical WP calls. 2.1.14 Bug fix. The prevent_author_enum hardening toggle no longer blocks the legitimate ?author=N filter in wp-admin Posts/Pages lists ("All / Mine / " links). Public enumeration block unchanged. Three-line fix. 2.1.13 Bug fix. Silent 2FA failure on installs with permalink_structure without trailing slash (e.g. /%postname%) — the verify cookie path mismatched the request path after handle_loaded's normalisation. Fixed cookie path to omit trailing slash. Neutral on trailing-slash installs. 2.1.12 Bug fix. Hide Login rendered without CSS when both apex and www routed to the same WP (shared hosting). Two fixes: canonical-host 301 in Hide Login + host-aware CSP in Login Page Security Headers. Neutral on single-host installs. New filter login_armor_canonical_host_redirect for opt-out. 2.1.11 Bug fix for multisite + domain mapping: the Hide Login URL is now host-aware (picks home_url or site_url from HTTP_HOST), fixing a 2.1.9 regression where mapped subsites redirected to /wp-admin/ (404). Standard and headless installs keep working. 2.1.10 Cosmetic fix. The 404 page served when an anonymous visitor hits /wp-admin/ with Hide Login enabled now renders as a proper WordPress 404 (body class error404, SEO noindex meta, theme 404 template) instead of a half-bootstrapped page. No security or functional change. 2.1.9 Bug fix. Hide Login now builds the rewritten login URL from site_url() (matching wp_login_url() in WP core) instead of home_url(). Fixes silent breakage on multisite headless, WordPress in subdirectory, and reverse-proxy installs. Neutral on standard installs. 2.1.8 Hygiene release after a full 2.1.7 audit. Three LOW fixes: the webhook stats query no longer warns on fresh installs, the lockout_window option is cleaned on uninstall, and five missing French translations were added. No end-user-visible change. 2.1.7 Preventive: hardens the Email 2FA enrollment flow. Failed wp_mail() no longer leaves a half-committed 2FA state, and a new pre-activation modal forces a real test email + a safety-net check before the user can lock themselves out. Recommended for every install where Email-based 2FA is enabled. 2.1.6 Preventive release. Eliminates a latent V2.1.3-style fatal risk in the TwoFactor module. Finishes the uninstall.php cleanup (zero residual data). Surfaces Activity Log integrity coverage scope in admin UI. No new features, no DB migration. 2.1.4 Critical hotfix: 2.1.3 fatal-errored on every fresh install (Class "LoginArmor\ActivityLog\ActivityLog" not found). Sites with Activity Log already enabled were unaffected. Recommended for every install, urgent for new installs. 2.1.3 Critical hotfix: Hardening "Hide WP version" was stripping cache-buster from our own assets, so updates past 2.1.0 were invisible behind hosting CDNs (LiteSpeed LSADC, Cloudflare). Recommended for every install. 2.1.2 Critical hotfix: the Settings tab fatal-errored on every fresh install that had not yet enabled the Activity Log module (Class WebhookDispatcher not found). Recommended for every install. 2.1.1 Activity Log integrity: every row is HMAC-signed and chained, detects any tampering. Optional signed webhook forwarding (SIEM / Slack / Datadog / any HTTPS). New WP-CLI verify-chain. Bundles 6 hardening fixes. Migration automatic. Recommended for every install. 2.1.0 Security: 2FA pending token moved from URL query string to a signed HttpOnly + SameSite=Strict cookie. Closes URL-leak (browser history / Referer / access logs) and DB-leak (clear token no longer in wp_options). Recommended for every install with 2FA enabled. 2.0.5 Security audit pass: REST author-enum scope, optional HSTS, IPv6 subnet fix, 0.0.0.0 placeholder DoS skip, .htaccess admin-rules preservation. No regression. Recommended. 2.0.4 Real fix for the lockout 429 page on hosts with a public page cache (LiteSpeed Cache, WP Rocket, Cloudflare). Recommended after the 2.0.1-2.0.3 sequence. 2.0.3 Hotfix: HTTP/2 stream termination on LiteSpeed/LSAPI for the branded lockout page. Recommended. 2.0.2 Critical fix: 429 branded lockout page now reaches the browser. Recommended. 2.0.1 Branded 429 lockout page on the triggering attempt + Reset Stats UI + correct WP.org banner/icon. Recommended. 2.0.0 First WordPress.org release of the V2 line. Eight independent security modules. Recommended.

常见问题:

Will it lock me out of my own site?

No. Hide Login always sends a one-time recovery URL to the admin email. If you lose the slug, check your inbox. The plugin also honors wp-cli fallback so you can reset anything from SSH.

Does it slow my site down?

No. Everything is lazy-loaded and indexed. On a normal login flow the extra SQL cost is under 2 ms.

Is it compatible with Cloudflare / reverse proxies?

Yes. IP detection honors trusted X-Forwarded-For headers; you pick the header in Settings.

Does it work with multisite?

Yes, subdomain and subfolder. Each site has its own modules, logs, and thresholds.

Can I use LoginArmor alongside Wordfence / iThemes Security / Solid Security?

Yes, but disable overlapping modules on one side to avoid double lockouts.

Where is the data stored?

Three custom tables in your own database: events, incidents, activity. Nothing leaves your server.

How do I migrate my configuration?

Settings are plain WordPress options. Export/import via WP-CLI or any standard options-sync tool.

Is there a pro version?

Not currently. LoginArmor is fully free and open source. GPL forever.

Where can I report bugs or request features?

Support forum: wordpress.org/support/plugin/login-armor/.

更新日志:

2.4.0 Feature release - request firewall, guided onboarding, fuller in-app docs. 2.3.0 Feature release - account-security hardening. 2.2.0 Feature release - the AI Security Briefing. 2.1.26 Fix: email/backup 2FA bouncing to "session expired" on browsers that don't return the verification cookie; the form now also carries the session token. Security unchanged. 2.1.25 Fix: email/backup two-factor verification rejected in some browsers (notably Chrome); the form is now uncached and authenticated by the signed same-site cookie. 2.1.24 Fix: fatal error during authenticator-app setup on hosts whose wp-config.php does not define AUTH_KEY (e.g. some Infomaniak installs). Existing setups unaffected. 2.1.23 Fix: 2FA login screen - "use a different method" links now work, expired/locked sessions explain themselves, and the setup button reports errors. 2.1.22 Fix: the Security Score now counts default-on modules (Brute Force, Detection). Display and scoring only. 2.1.21 Cleaner user-agent labels in the Events table. 2.1.20 Migration-aware Activity Log integrity (amber "Keys changed" instead of a false TAMPERED alarm), an XML-RPC blind-spot warning, and a complete French translation. 2.1.19 Clearer attack-type labels on incidents, translatable admin toasts, French translation of the visible tabs, and an integrity-badge verify fix. 2.1.18 Fix: bulk actions now work when incidents are all resolved; the attack-vector pill shows only for XML-RPC/REST. 2.1.17 Incidents now record and show the attack vector (XML-RPC / REST / login form) and support bulk resolve/ignore. 2.1.16 Plain-permalink fixes (Hide Login URL, REST allowlist), activity-log coverage for 2FA/registration/reset, and Honeypot on WooCommerce and frontend forms. 2.1.15 Fix: fatal TypeError when plugins (e.g. WP Fastest Cache) call WordPress URL builders with off-contract argument types. 2.1.14 Fix: the prevent_author_enum toggle no longer blocks the legitimate ?author=N filter in the wp-admin Posts/Pages lists. 2.1.13 Fix: silent 2FA failure on non-trailing-slash permalinks (e.g. /%postname%) - the verify cookie path mismatched the request path. 2.1.12 and earlier Bug fixes, security hardening and i18n across the 2.1.x and 2.0.x series (Hide Login host-awareness, CSP, lockout delivery, REST scope, IPv6, HTTP/2, Activity Log integrity), through the initial 2.0.0 release. Full per-version notes: CHANGELOG.md in the plugin folder.