{"id":269080,"date":"2025-12-25T08:46:29","date_gmt":"2025-12-25T08:46:29","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/esherpa-login-guard\/"},"modified":"2026-03-03T08:32:43","modified_gmt":"2026-03-03T08:32:43","slug":"esherpa-login-guard","status":"publish","type":"plugin","link":"https:\/\/bal.wordpress.org\/plugins\/esherpa-login-guard\/","author":16590138,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"3.0.0","stable_tag":"3.0.0","tested":"6.9.4","requires":"5.6","requires_php":"7.4","requires_plugins":null,"header_name":"eSherpa Login Guard","header_author":"Ralf Naumann","header_description":"Intelligenter Login-Schutz mit progressiver Sperrzeit, Countdown und Admin-\u00dcbersicht.","assets_banners_color":"f8f0f1","last_updated":"2026-03-03 08:32:43","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/esherpa.ch\/login-guard","header_author_uri":"https:\/\/esherpa.ch","rating":0,"author_block_rating":0,"active_installs":0,"downloads":205,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"2.5.1":{"tag":"2.5.1","author":"r2d3","date":"2025-12-25 08:46:33"},"2.5.4":{"tag":"2.5.4","author":"r2d3","date":"2026-01-05 17:35:00"},"3.0.0":{"tag":"3.0.0","author":"r2d3","date":"2026-03-03 08:32:43"}},"upgrade_notice":{"":"<p>Simply update \u2013 all settings are preserved. 
New features are available immediately.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3427167,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3427167,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-1544x500.jpg":{"filename":"banner-1544x500.jpg","revision":3427167,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250.jpg":{"filename":"banner-772x250.jpg","revision":3427167,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["2.5.1","2.5.4","3.0.0"],"block_files":[],"assets_screenshots":{"screenshot-1.jpg":{"filename":"screenshot-1.jpg","revision":3427167,"resolution":"1","location":"assets","locale":""},"screenshot-2.jpg":{"filename":"screenshot-2.jpg","revision":3427167,"resolution":"2","location":"assets","locale":""},"screenshot-3.jpg":{"filename":"screenshot-3.jpg","revision":3427167,"resolution":"3","location":"assets","locale":""},"screenshot-4.jpg":{"filename":"screenshot-4.jpg","revision":3427167,"resolution":"4","location":"assets","locale":""},"screenshot-5.jpg":{"filename":"screenshot-5.jpg","revision":3427167,"resolution":"5","location":"assets","locale":""}},"screenshots":{"1":"Lockout message with large countdown and plugin credit","2":"Early warning on login page with remaining attempts","3":"Admin overview with currently locked IPs, live alarm, and unblock option","4":"Detailed logs of failed attempts (including attempted username)","5":"Successful logins &amp; logouts in separate view","6":"Comprehensive settings including honeypot users, protected names, and additional 
protections"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[166108,46125,598,1229,222218],"plugin_category":[54],"plugin_contributors":[],"plugin_business_model":[],"class_list":["post-269080","plugin","type-plugin","status-publish","hentry","plugin_tags-bot-protection","plugin_tags-brute-force-protection","plugin_tags-honeypot","plugin_tags-login-security","plugin_tags-wordpress-hardening","plugin_category-security-and-spam-protection","plugin_committers-r2d3"],"banners":{"banner":"https:\/\/ps.w.org\/esherpa-login-guard\/assets\/banner-772x250.jpg?rev=3427167","banner_2x":"https:\/\/ps.w.org\/esherpa-login-guard\/assets\/banner-1544x500.jpg?rev=3427167","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/esherpa-login-guard\/assets\/icon-128x128.png?rev=3427167","icon_2x":"https:\/\/ps.w.org\/esherpa-login-guard\/assets\/icon-256x256.png?rev=3427167","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/esherpa-login-guard\/assets\/screenshot-1.jpg?rev=3427167","caption":"Lockout message with large countdown and plugin credit"},{"src":"https:\/\/ps.w.org\/esherpa-login-guard\/assets\/screenshot-2.jpg?rev=3427167","caption":"Early warning on login page with remaining attempts"},{"src":"https:\/\/ps.w.org\/esherpa-login-guard\/assets\/screenshot-3.jpg?rev=3427167","caption":"Admin overview with currently locked IPs, live alarm, and unblock option"},{"src":"https:\/\/ps.w.org\/esherpa-login-guard\/assets\/screenshot-4.jpg?rev=3427167","caption":"Detailed logs of failed attempts (including attempted username)"},{"src":"https:\/\/ps.w.org\/esherpa-login-guard\/assets\/screenshot-5.jpg?rev=3427167","caption":"Successful logins &amp; logouts in separate view"}],"raw_content":"<!--section=description-->\n<p><strong>eSherpa Login Guard<\/strong> effectively and intelligently protects your WordPress site from brute-force attacks \u2013 Swiss precision, completely without external 
dependencies.<\/p>\n\n<p><strong>Key Features:<\/strong><\/p>\n\n<ul>\n<li><strong>Honeypot-first bot defense<\/strong>: JavaScript Honeypot detects non-browser bots and triggers immediate lockout logic.<\/li>\n<li><strong>Protected username trap<\/strong>: Immediate lockout for defined usernames (e.g., \"admin\", \"test\"), independent of the regular counter.<\/li>\n<li><strong>Proactive User-Agent blocking<\/strong>: Block known bot signatures before login processing (exact match or substring mode).<\/li>\n<li><strong>Blocked User-Agent attempt log<\/strong>: Separate log table for blocked User-Agent requests including matching pattern.<\/li>\n<li><strong>WordPress hardening options<\/strong>: Disable XML-RPC (with fake-user honeypot response), hide REST user endpoint, and block author archive enumeration.<\/li>\n<li><strong>Optional bot password capture<\/strong>: Store attempted passwords from detected JS-honeypot bots for incident analysis.<\/li>\n<li><strong>Neutral login error option<\/strong>: Hide username enumeration by using neutral WordPress login error responses.<\/li>\n<li><strong>Live security visibility<\/strong>: Live alarm in admin, lockout badge in menu, and detailed failed-attempt logs with IP\/User-Agent filters.<\/li>\n<li><strong>Progressive lockout durations<\/strong>: Lockout time increases on repeat offenses (e.g., 15 \u2192 30 \u2192 60 \u2192 120 minutes).<\/li>\n<li><strong>Login page guidance<\/strong>: Clear countdown and \"X attempts remaining\" notice for transparent lock state.<\/li>\n<li><strong>Privacy-compliant<\/strong>: IPs stored only as anonymized hashes.<\/li>\n<li><strong>Automatic cleanup<\/strong> of old failed attempts (configurable).<\/li>\n<li><strong>Mobile-friendly admin tables<\/strong>: Horizontal scrolling for wide security tables on small screens, including swipe hint.<\/li>\n<li><strong>Email notification<\/strong> to admin on attacks against existing users.<\/li>\n<\/ul>\n\n<p>Developed in Switzerland \u2013 
fast, clean, performant, and multilingual ready.<\/p>\n\n<p>Compatible with WordPress 6.9 and tested up to PHP 8.5.3.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Search for the plugin in \"Plugins \u2192 Add New \u2192 'esherpa login guard'\" or upload and activate.<\/li>\n<li>Optional: Adjust settings under \"Login Guard\" in the admin menu (e.g., max failed attempts, base lockout time, protected usernames).<\/li>\n<li>Done \u2013 protection runs automatically.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"how%20are%20ips%20stored%3F\"><h3>How are IPs stored?<\/h3><\/dt>\n<dd><p>Only as anonymized MD5 hashes \u2013 no plain-text IPs in the database (GDPR-compliant). Note: this answer does not say whether a secret salt or key is mixed into the hash; an unsalted hash of an IP address is pseudonymized rather than anonymous, because the address space is small enough to enumerate, so confirm how the hash is built before relying on it for compliance.<\/p><\/dd>\n<dt id=\"can%20i%20manually%20unblock%20ips%3F\"><h3>Can I manually unblock IPs?<\/h3><\/dt>\n<dd><p>Yes \u2013 directly in the admin overview with one click (counter is reset).<\/p><\/dd>\n<dt id=\"does%20it%20work%20with%20caching%20plugins%3F\"><h3>Does it work with caching plugins?<\/h3><\/dt>\n<dd><p>Yes \u2013 protection hooks early on wp-login.php, before caching.<\/p><\/dd>\n<dt id=\"what%20happens%20on%20successful%20login%3F\"><h3>What happens on successful login?<\/h3><\/dt>\n<dd><p>All counters and locks for that IP are immediately cleared.<\/p><\/dd>\n<dt id=\"can%20i%20still%20use%20xml-rpc%3F\"><h3>Can I still use XML-RPC?<\/h3><\/dt>\n<dd><p>Yes \u2013 simply disable the option. 
When enabled, XML-RPC is fully disabled and a honeypot is activated.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>3.0.0<\/h4>\n\n<ul>\n<li>Release: Version bump to 3.0.0 for the current major feature set.<\/li>\n<li>UI (Mobile): Admin log tables are now horizontally scrollable on small screens.<\/li>\n<li>UI (Mobile): Added a visible swipe\/scroll hint for wide tables.<\/li>\n<li>UI: Reduced \"blocked User-Agent attempts\" list in admin overview from 50 to 20 entries for better readability.<\/li>\n<li>Docs: Expanded README feature list (proactive User-Agent blocking, blocked-UA logs, neutral login errors, bot password capture, mobile table UX).<\/li>\n<\/ul>\n\n<h4>2.7.0<\/h4>\n\n<ul>\n<li>Feature: JavaScript Honeypot for automatic bot detection with progressive lockout (like protected usernames)<\/li>\n<li>UI: Visual bot indicators (\ud83e\udd16 emoji) in both locked IPs and failed attempts tables<\/li>\n<li>UI: Clickable User-Agent filtering in all log tables (like IP filtering) - optimized display to 100 chars<\/li>\n<li>Security: Enhanced bot detection combining multiple methods<\/li>\n<li>Fix: XML-RPC Honeypot now generates properly formatted XML without double-escaping<\/li>\n<\/ul>\n\n<h4>2.6.0<\/h4>\n\n<ul>\n<li>Security: Fixed critical IP address handling vulnerability - now properly supports proxy headers<\/li>\n<li>Feature: Added comprehensive User-Agent logging to all login attempts and successful logins<\/li>\n<li>Feature: Added JavaScript Honeypot for automatic bot detection (1-hour lockout)<\/li>\n<li>Performance: Optimized admin menu badge query with caching<\/li>\n<li>Security: Enhanced input validation with reasonable limits on all settings<\/li>\n<li>UI: Visual bot indicators in admin tables with \ud83e\udd16 emoji<\/li>\n<li>Code: Improved code formatting and consistency throughout<\/li>\n<\/ul>\n\n<h4>2.5.4<\/h4>\n\n<ul>\n<li>Fix: Immediate lockout for protected usernames (honeypot usernames) was setting back attempts and 
multipliers<\/li>\n<li>Sort by IP -&gt; Better overview for single IP hashes.<\/li>\n<li>Improved design for mobile<\/li>\n<\/ul>\n\n<h4>2.5.1<\/h4>\n\n<ul>\n<li>Immediate lockout for protected usernames (honeypot usernames)<\/li>\n<li>Live alarm for new failed attempts on admin page<\/li>\n<li>Email notification on attacks against existing users<\/li>\n<li>Extended XML-RPC honeypot with configurable fake users<\/li>\n<li>Automatic cleanup of old failed attempts<\/li>\n<li>Improved design and many detail enhancements<\/li>\n<\/ul>\n\n<h4>2.1.1<\/h4>\n\n<ul>\n<li>Full multilingual support (DE\/EN\/FR\/IT)<\/li>\n<li>Confirmed compatibility with WordPress 6.9 and PHP 8.3<\/li>\n<li>Minor optimizations<\/li>\n<\/ul>\n\n<h4>2.0<\/h4>\n\n<ul>\n<li>Introduced progressive lockout times<\/li>\n<li>Admin menu with red badge for active locks<\/li>\n<li>Improved user guidance<\/li>\n<\/ul>\n\n<h4>1.0<\/h4>\n\n<ul>\n<li>Initial stable release<\/li>\n<\/ul>","raw_excerpt":"Intelligent login protection with honeypot detection, WordPress hardening, and a clear security admin 
overview.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/269080","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=269080"}],"author":[{"embeddable":true,"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/r2d3"}],"wp:attachment":[{"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=269080"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=269080"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=269080"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=269080"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=269080"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=269080"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}