=== Plugin Name ===
Contributors: aercolino
Donate link: http://noteslog.com/contact/
Tags: DDoS, IP spoofing, access, account, admin, attack, authentication, block, brute force, control, credentials, dongle, hacker, key, limit, lock, login attempts, login, prevent, private, protect, reject, restrict, security, stop
Requires at least: 1.0
Tested up to: 3.3.1
Stable tag: 1.2.2
This plugin restricts the login page to your personal use by means of a dongle (a bookmarklet) that
you use as your login button. Compatible with Limit Login Attempts.
== Description ==
Login Dongle restricts the login to your personal use, by means of a
pre-agreed challenge >> response mechanism.
* Login Dongle makes a brute force attack impossible without knowing the challenge >>
response associated with the user logging in.
* In order to be able to log in, each user MUST use her own login dongle (a bookmarklet) instead of
the default Log In button.
* Login Dongle is compatible with brute force attack repellers (like Limit Login Attempts).
For more info, please refer to the FAQ
and the user's instructions you'll find on the settings page after installing the plugin.
== Installation ==
1. Upload the `login-dongle` directory to your `wp-content/plugins` directory.
1. Click on `Activate` from the `Plugins` menu.
= Configuration =
1. Configure site settings from the `Settings` menu.
1. Configure your admin settings from the `Users/Your Profile` menu.
1. Configure other users settings from the `Users/All Users` menu.
= Upgrading from any version before 1.3.0 =
Before version 1.3.0, Login Dongle was available site-wide, and all users essentially shared the
same bookmarklet as their login dongle. Starting from version 1.3.0, each user has her own login
dongle. Upgrading from previous versions to 1.3.0 automatically associates with each user
a login dongle with the same challenge >> response that was already set site-wide.
This makes it possible to upgrade hassle-free, even if your blog had other users. However, if that
is not what you want, you can configure the login dongle of each user from the `Users / All Users`
menu.
== Frequently Asked Questions ==
= It's not working. What's the problem? =
I'm going to fix any new bugs you find, but first try the latest stable version: the bug may already be fixed.
* Prior to version 1.2.2
    * the jQuery library was not made available on the login page.
    * the dongle didn't work with the Get New Password button.
* Prior to version 1.2.1
    * a valid login could be rejected if the challenge or response contained quotes.
* Prior to version 1.2.0
    * the dongle encoding was not compatible with a SmartPhone browser.
* Prior to version 1.1.0
    * the challenge could interfere with other login fields.
    * the dongle bypassed possible plugins associated with the submit button.
* Prior to version 1.0.4
    * the dongle and the activation procedure didn't work due to last minute bugs.
* Prior to version 1.0.3
    * it was impossible to install the plugin due to its file structure.
= I've lost my login dongle. How can I access my blog now? =
If you lost your login dongle, you can quickly disable this plugin.
1. Access your blog by means of your usual remote file manager, like an FTP client.
1. Edit the `login-dongle.php` file in the `login-dongle` plugin directory.
1. Comment out the line `$loginDonglePlugin = new LoginDonglePlugin();` by adding `//` at the
beginning.
1. Save the file back to your site.
This emergency procedure makes the default Log In button work again. After logging in,
go to the installed plugins page and edit the Login Dongle plugin to undo what you did above;
otherwise this plugin will be marked as Active while actually being inactive. Then you can deactivate it
with the WordPress button or leave it working.
= Is Login Dongle compatible with other login plugins? =
Login Dongle does not touch any element of the standard login functionality (page, fields, buttons,
processing ...) of WordPress, so you should be able to run this plugin alongside any other login
plugin, like the wonderful Limit Login Attempts plugin. If you find issues, feel free to contact me
and I'll have a look.
= Can I use Login Dongle instead of Limit Login Attempts (or the likes)? =
I would not. Login Dongle is designed to work in conjunction with brute force attack repellers
like Limit Login Attempts and the likes.
What those plugins do is block access for visitors who try to log in and are refused
many times in a row. When that occurs, the recorded intruder's IP is used to reject their subsequent
login requests for some time, even before matching their credentials against the database.
What Login Dongle does is cut off the processing of the login form if it does not have a special
field (the challenge) or if that field does not contain the special value (the response) stored in the
database of your blog, even before running the repeller or any special authentication plugins.
To save your precious resources (CPU time and web availability) when under attack, Login Dongle
simply exits with a configurable message, instead of going through another page generation cycle.
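As an added example (not the plugin's own code), here is a minimal PHP reimplementation of the gate described in this answer and in the Description above: a `login_init` hook that refuses to process the form unless the user's challenge field carries the stored response, and exits with the configurable message instead of rendering another page. The user meta keys and the option name it reads are assumed; the WordPress functions it calls are real.

```php
<?php
// Illustrative reimplementation of the gate described above; this is NOT the
// plugin's own code. Assumed (not taken from the page): the per-user meta keys
// 'login_dongle_challenge' / 'login_dongle_response' and the site option
// 'login_dongle_message'. Real WordPress APIs are used throughout.

add_action( 'login_init', 'ld_example_gate' ); // fires before any auth plugin
function ld_example_gate() {
    // Only gate submissions: the GET that renders the login page must still
    // work, since the user clicks her dongle on that page.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }
    // 'log' is the Log In form's user field; 'user_login' is Get New Password's.
    $login = '';
    foreach ( array( 'log', 'user_login' ) as $field ) {
        if ( ! empty( $_POST[ $field ] ) && is_string( $_POST[ $field ] ) ) {
            $login = stripslashes( $_POST[ $field ] );
            break;
        }
    }
    $user = $login ? get_user_by( 'login', $login ) : false;
    if ( ! $user ) {
        ld_example_reject(); // nothing to look up, so nothing to process
    }
    $challenge = (string) get_user_meta( $user->ID, 'login_dongle_challenge', true );
    $expected  = (string) get_user_meta( $user->ID, 'login_dongle_response', true );
    if ( '' === $challenge ) {
        return; // no dongle yet (e.g. first access after registering): assumed fall-through
    }
    // PHP turns '.' and ' ' in form field names into '_' when filling $_POST.
    $key   = str_replace( array( '.', ' ' ), '_', $challenge );
    $given = isset( $_POST[ $key ] ) && is_string( $_POST[ $key ] ) ? $_POST[ $key ] : '';
    // WordPress adds slashes to $_POST (magic quotes), so a response containing
    // quotes would never match without stripslashes(); hash_equals() keeps the
    // comparison time independent of how many leading characters match.
    if ( ! hash_equals( $expected, stripslashes( $given ) ) ) {
        ld_example_reject();
    }
}

function ld_example_reject() {
    // Exit with the configurable message instead of rendering another page;
    // only the tags the FAQ allows (p, br, a, strong, em) survive wp_kses().
    $allowed = array( 'p' => array(), 'br' => array(), 'strong' => array(),
                      'em' => array(), 'a' => array( 'href' => array() ) );
    $message = get_option( 'login_dongle_message', 'Access denied.' );
    status_header( 403 );
    exit( wp_kses( $message, $allowed ) );
}
```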
= Can I use a simple response for my challenge? =
Yes, because if someone stole your dongle, they are not expected to know the correct response,
which is only stored in the database. If they guess the response, they only gain the right to
have the login form processed on the server, but they still need to guess your unknown password. That
means that they will soon be locked out by your brute force attack repeller.
= Limit Login Attempts (or the likes) notified me about some attacks. What can I do? =
Login Dongle makes a brute force attack impossible without knowing the correct challenge >>
response. However, if a brute force attack repeller notifies you of an attack, you only need to edit
the Login Dongle section of your Profile. Change both the challenge and the response, and you're done.
As soon as you save your changes, the attack will stop immediately, because Login Dongle will expect
the new challenge >> response to be submitted along with the login form.
= Limit Login Attempts (or the likes) notified me about some attacks. How can it be? =
The chances of getting notified of an attack after installing Login Dongle are extremely slim.
If it occurred, it would mean that BOTH
1. someone other than you got access to your login dongle at least once (this can happen if either
you sent your dongle to someone or someone got access to the PC where your dongle is), AND
2. they guessed the response to the challenge (this can happen if either you used a response that is
too easy to guess for the challenge, like Holmes for Sherlock, or they were so
serious about attacking your blog that they guessed the response using brute force).
Otherwise, it could be that someone eavesdropped on your internet traffic (if it doesn't go through a
secure connection), or kept recording each and every key you press on your keyboard, BUT then (they
know what they do, you can count on it) the least of your problems is them logging into your blog.
= Can I use HTML tags in the message field? =
You can only use `p`, `br`, `a`, `strong`, and `em`. (BTW, it can't be longer than 1000 characters.)
= What characters can I use in the challenge and response fields? =
Pretty much anything. Even kanji. (BTW, they can't be longer than 20 characters.)
== Screenshots ==
1. Configuring site settings.
1. Configuring own profile settings.
1. Configuring other users settings. The only difference is that the Login Dongle section appears at the end.
1. Example of login.
== Changelog ==
= 1.3.1 =
* Fixed a bug related to how WP treats magic quotes.
= 1.3.0 =
* Implemented a login dongle different for each user.
* Made it possible to register without needing a login dongle for the first access.
* Added flags to receive by mail the login dongle codes for backup.
* Changed the maximum length of challenge and response to 20 characters.
* Updated the screenshot and added two more.
* Improved documentation.
= 1.2.2 =
* Fixed dongle functionality by loading jQuery also in the login page.
* Fixed dongle functionality by allowing its use with all login page actions.
* Changed the used hook from wp_loaded to login_init.
* Improved documentation.
= 1.2.1 =
* Fixed support for any character into the challenge and response fields.
* Improved documentation.
= 1.2.0 =
* Added support for SmartPhones.
* Reduced documentation redundancy between the settings page and the FAQ.
* Updated the screenshot.
= 1.1.0 =
* Improved compatibility of the method used to hook into WordPress.
* Improved compatibility of the bookmarklet with any Log In button click events.
* Improved documentation and added a screen shot of the settings page.
= 1.0.5 =
* Added a bit more help into the installation instructions.
= 1.0.4 =
* Fixed two serious bugs.
= 1.0.3 =
* Fixed the repository structure. Again 2.
= 1.0.2 =
* Fixed the repository structure. Again.
= 1.0.1 =
* Fixed the repository structure.
= 1.0 =
* First version.
== Upgrade Notice ==
= 1.2.2 =
Remember to refresh the bookmarked login dongle by grabbing it again from the settings page.
= 1.1.0 =
Remember to refresh the bookmarked login dongle by grabbing it again from the settings page.
== Uninstall Instructions ==
1. Remove the `login-dongle` plugin directory, manually or by means of the `Delete` button in the
`Plugins/Installed Plugins` list.
1. Access the `options` table in the database of the blog. Select the rows with `login_dongle` as
the first word in the `option_name` column, and delete all of them.
If you were using any version prior to 1.1.0, edit the `wp-login.php` file in the root
directory of your blog and remove the line that begins with `do_action('login-start');`