Apocalypse Meow

Screenshots

Apocalypse Meow’s main focus is addressing WordPress security issues related to user accounts and logins. This includes things like: Brute-force login-in protection; Customizable password strength requirements; XML-RPC and WP-REST access controls; Account access alerts; Searchable access logs (including failed login attempts and temporary bans); User enumeration prevention; Registration SPAM protection; Miscellaneous Core and template options to make targetted hacks more difficult; Security is an admittedly technical subject, but Apocalypse Meow strives to help educate “normal” users about the nature of common web attacks, mitigation techniques, etc. Every option contains detailed explanations and links to external resources with additional information. Knowledge is power! For the less normal among us — system administrators, developers, and other IT professionals — there is also a Premium Version, packed with administrative tools, data visualizations and export functionality, and complete WP-CLI integration for those with nerdier workflows. Requirements Due to the advanced nature of some of the plugin features, there are a few additional server requirements beyond what WordPress itself requires: WordPress 4.4+. PHP 5.6 or later. PHP extensions: (bcmath or gmp), date, filter, json, pcre. CREATE and DROP MySQL grants. Single-site Installs (i.e. Multi-Site is not supported). Please note: it is not safe to run WordPress atop a version of PHP that has reached its End of Life. As of right now, that means your server should only be running PHP 5.6 or newer. Future releases of this plugin might, out of necessity, drop support for old, unmaintained versions of PHP. To ensure you continue to receive plugin updates, bug fixes, and new features, just make sure PHP is kept up-to-date. ðŸ™? Premium Version Apocalypse Meow’s proactive security hardening and attack mitigation features are completely free, and always will be. The Premium Version is intended for IT professionals like system administrators and developers, who require more control over the data and workflow. This version comes with a bunch of advanced tools, offering the ability to: Reset passwords site-wide (with or without email notifications); Detect and revoke old passwords hashed with MD5; Rename the dangerous default “admin” and “administrator” usernames; View and revoke individual user sessions; Export login data in CSV format; Backup and restore plugin settings; Access to hooks and filters to interact with the brute-force login operations; Run operations and view data through WP-CLI; To learn more, visit blobfolio.com. Log Monitoring Some robots are so dumb they’ll continue trying to submit credentials even after the login form is replaced, wasting system resources and clogging up the log-in history table. One way to mitigate this is to use a server-side log-monitoring program like Fail2Ban or OSSEC to ban users via the firewall. Apocalypse Meow produces a 403 error when a banned user requests the login form. Your log-monitoring rule should therefore look for repeated 403 responses to wp-login.php. Additionally, some robots are unable to follow redirects; if your login form requires SSL, you should also ban repeated 301/302 responses to catch those fools. If you have enabled user enumeration protection with the die() option, requests for ?author=X will produce a 400 response code which can be similarly tracked.