WordPress Plugin

🔒 Login Guard

Brute force protection, two-factor authentication, and login monitoring for WordPress. Stop unauthorized access before it happens.

Key Features

Progressive Lockouts

Escalating lockout durations that increase with repeated failures: 5 minutes after the first threshold, 15 minutes for repeat offenders, and 24 hours for persistent attackers.

Two-Factor Auth (TOTP)

Time-based one-time passwords compatible with Google Authenticator, Authy, and any TOTP app. Includes backup codes for emergency access.

Honeypot

An invisible form field that catches automated bots. Real users never see or fill it, but bots filling every field are instantly identified and blocked.

Login Logging

Full audit trail of every login attempt with IP address, user agent, username tried, timestamp, and result (success, failure, locked out, 2FA challenge).

IP Whitelisting

Trusted IPs and CIDR ranges bypass all brute force protection. Ideal for office networks or VPN exit nodes that should never be locked out.

Email Notifications

Instant email alerts when an IP address gets locked out, including the IP, location (GeoIP), number of failed attempts, and lockout duration.

How Login Protection Works

Login Guard monitors all authentication attempts to wp-login.php and xmlrpc.php. Failed attempts are tracked per IP address and per username, with independent counters for each. Because the counters are keyed on the client IP, a site behind a reverse proxy or CDN must make sure the web server reports the real visitor address rather than the proxy's, and trusts forwarded-address headers only when they come from the proxy itself; otherwise every visitor shares one counter, or an attacker can forge the header to dodge lockouts.

Lockout Logic

The lockout system uses a progressive approach to handle both casual attackers and persistent threats:

  • Stage 1 (5 minutes) — triggered after the configurable failure threshold (default: 5 attempts). Most legitimate users who mistyped their password will wait and try again.
  • Stage 2 (15 minutes) — triggered when the same IP gets locked out a second time within 24 hours. Indicates a more determined attacker.
  • Stage 3 (24 hours) — triggered on the third lockout within 24 hours. At this point the IP is also reported to the VistoShield daemon for server-level blocking.

All thresholds and durations are configurable. The lockout count that drives escalation is kept for a rolling window (default: 24 hours); once that window passes with no new failures, the IP starts again from Stage 1.
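The escalation logic above, written out as an added Python illustration (not the plugin's own PHP): per-IP and per-username counters, the three stage durations, the rolling window that resets the count, a whitelist of CIDR ranges that bypasses everything, and the Stage 3 hand-off to server-level blocking (modelled here as a simple list, since the real hook is not described on the page). Timestamps are plain integers so the scenario runs offline; the success-resets-failures behaviour is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

# Defaults taken from the page: 5 failures trigger stage 1, and an IP locked out
# a second and third time inside the 24-hour window escalates to stages 2 and 3.
FAILURE_THRESHOLD = 5
WINDOW = 24 * 3600
STAGE_DURATIONS = [5 * 60, 15 * 60, 24 * 3600]   # seconds for stages 1, 2, 3


@dataclass
class Counter:
    failures: list = field(default_factory=list)   # timestamps of recent failures
    lockouts: list = field(default_factory=list)   # timestamps of recent lockouts
    locked_until: float = 0.0


class LoginGuard:
    """Per-IP and per-username counters with progressive lockouts and a whitelist."""

    def __init__(self, whitelist=(), threshold=FAILURE_THRESHOLD,
                 window=WINDOW, durations=STAGE_DURATIONS):
        self.whitelist = [ipaddress.ip_network(n, strict=False) for n in whitelist]
        self.threshold, self.window, self.durations = threshold, window, durations
        self.by_ip, self.by_user = {}, {}
        self.reported = []   # stage-3 IPs handed to server-level blocking (assumed hook)

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def _prune(self, c, now):
        # Counters reset once the window passes with no new failures.
        c.failures = [t for t in c.failures if now - t < self.window]
        c.lockouts = [t for t in c.lockouts if now - t < self.window]

    def is_locked(self, ip, username, now):
        if self.is_whitelisted(ip):
            return False
        return any(c.locked_until > now
                   for c in (self.by_ip.get(ip), self.by_user.get(username)) if c)

    def record_failure(self, ip, username, now):
        """Register a failed attempt; return the lockout length it triggered (0 if none)."""
        if self.is_whitelisted(ip):
            return 0
        triggered = 0
        for table, key in ((self.by_ip, ip), (self.by_user, username)):
            c = table.setdefault(key, Counter())
            self._prune(c, now)
            c.failures.append(now)
            if len(c.failures) < self.threshold:
                continue
            stage = min(len(c.lockouts), len(self.durations) - 1)
            duration = self.durations[stage]
            c.locked_until = now + duration
            c.lockouts.append(now)
            c.failures = []                       # next lockout needs a fresh threshold
            if stage == len(self.durations) - 1 and table is self.by_ip:
                self.reported.append((ip, now))   # stage 3: escalate to the server
            triggered = max(triggered, duration)
        return triggered

    def record_success(self, ip, username):
        # Assumption: a successful login clears the failure count for that IP and user.
        for table, key in ((self.by_ip, ip), (self.by_user, username)):
            if key in table:
                table[key].failures = []


def run_scenario():
    """Three bursts of five failures from one IP inside 24 hours: 5 min, 15 min, 24 h."""
    g = LoginGuard(whitelist=["10.0.0.0/8"])
    ip, durations = "203.0.113.5", []
    for start in (0, 1000, 2000):
        assert not g.is_locked(ip, "admin", start)   # previous lockout has expired
        for i in range(5):
            d = g.record_failure(ip, "admin", start + i)
        durations.append(d)
    # The whitelisted office range is never counted, even against the locked username.
    assert g.record_failure("10.1.2.3", "admin", 2005) == 0
    return durations, g.reported


if __name__ == "__main__":
    print(run_scenario())   # ([300, 900, 86400], [('203.0.113.5', 2004)])
```

One consequence worth noticing in the scenario: the per-username counter locks the account name itself, so an attacker who knows an admin's username can deliberately lock that admin out from any number of addresses. Putting your own office or VPN range on the whitelist, as the page recommends, is what keeps that from turning into a denial of service against you.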

Two-Factor Authentication Setup

Setting up 2FA takes under a minute:

  • Navigate to your WordPress profile page
  • Scan the QR code with Google Authenticator or Authy
  • Enter the 6-digit code to verify setup
  • Save your 8 backup codes in a secure location

Administrators can enforce 2FA for specific roles (e.g., require it for all admins and editors but leave it optional for subscribers). TOTP codes are derived from the current time, so the server clock must be accurate; if valid codes are rejected, check that the server is NTP-synchronised before suspecting the authenticator app.

Each backup code can only be used once. When all 8 are exhausted, new codes can be generated from the profile page.
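To make the setup flow concrete, here is an added Python illustration (not the plugin's PHP) of what happens behind the QR code and the backup codes: RFC 6238 TOTP with HMAC-SHA1 as used by Google Authenticator and Authy, verification with a one-step skew window plus replay protection, the otpauth:// URI the QR code encodes, and eight single-use backup codes stored only as hashes. The issuer string, the code length of the backup codes and the hashing scheme are assumptions; the test vector is from RFC 6238 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

PERIOD, DIGITS = 30, 6


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (what Google Authenticator and Authy implement)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp_at(secret: bytes, unix_time: int) -> str:
    return totp(secret, unix_time // PERIOD)


def verify_totp(secret, submitted, unix_time, window=1, last_used=None):
    """Accept the current step and +/-window steps (clock skew), but never a step
    at or below the last one accepted, so a captured code cannot be replayed.
    Returns the matching step counter, or None."""
    step = unix_time // PERIOD
    for c in range(step - window, step + window + 1):
        if last_used is not None and c <= last_used:
            continue
        if hmac.compare_digest(totp(secret, c), submitted.strip()):
            return c
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str = "Login Guard") -> str:
    """The otpauth:// URI that the profile-page QR code encodes (issuer name assumed)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={PERIOD}")


class BackupCodes:
    """Eight single-use codes. Only hashes are stored; the plaintext list is shown once."""

    def __init__(self, count=8):
        self.plaintext = [secrets.token_hex(5) for _ in range(count)]   # assumed length
        self._hashes = {self._h(c) for c in self.plaintext}

    @staticmethod
    def _h(code):
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def redeem(self, code):
        h = self._h(code)
        if h in self._hashes:
            self._hashes.discard(h)       # a code works exactly once
            return True
        return False

    def remaining(self):
        return len(self._hashes)


# RFC 6238 Appendix B test vector (SHA1): secret "12345678901234567890", time 59 -> 287082
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp_at(RFC_SECRET, 59))                     # 287082
    print(provisioning_uri(secrets.token_bytes(20), "admin@example.com"))
```

The `last_used` counter is the detail most home-grown TOTP checks skip: without it, a code phished in the last minute still logs the attacker in, because the skew window keeps it valid after the real user used it.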

Honeypot Mechanism

The honeypot adds a hidden form field to the WordPress login page using CSS to make it invisible to human users. The field uses a randomized name attribute that changes periodically to avoid detection by sophisticated bots. Any submission that includes a value in this hidden field is immediately flagged as a bot and rejected without counting toward the lockout threshold.

This approach has no impact on legitimate users as long as the field is kept out of the tab order and browser autofill as well as out of sight; a password manager or assistive technology that filled it would otherwise be flagged as a bot. It works alongside the lockout system as an additional layer of bot detection: a bot that submits only the known username and password fields slips past the honeypot and is handled by the lockout counters instead.
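An added Python illustration of the honeypot mechanism (not the plugin's code): the field name is derived from a per-site secret and the current rotation period with HMAC, so it changes on schedule without being stored anywhere, and a submission is classified as a bot if either the current or the immediately previous name carries a value, so a form fetched just before the rotation is still caught. The secret, the hourly rotation and the CSS used to hide the field are assumptions.

```python
import hashlib
import hmac
import html

SITE_SECRET = b"per-site secret from the options table"   # assumed storage
ROTATION = 3600                                          # assumed: new name every hour


def honeypot_name(secret: bytes, unix_time: int, rotation: int = ROTATION) -> str:
    """Deterministic, unguessable field name for the current rotation bucket."""
    bucket = str(unix_time // rotation).encode()
    return "lg_" + hmac.new(secret, bucket, hashlib.sha256).hexdigest()[:12]


def render_field(name: str) -> str:
    """Hidden from sight, from the tab order and from autofill, so humans never touch it."""
    return ('<div style="position:absolute;left:-10000px" aria-hidden="true">'
            f'<input type="text" name="{html.escape(name)}" value="" '
            'autocomplete="off" tabindex="-1"></div>')


def classify(post: dict, secret: bytes, unix_time: int, rotation: int = ROTATION) -> str:
    """'bot' if the honeypot (current or previous name) was filled in, else 'human'.

    A bot submission is rejected outright and, per the page, does not count toward
    the lockout threshold; a bot that only fills log/pwd is not caught here."""
    names = {honeypot_name(secret, unix_time, rotation),
             honeypot_name(secret, unix_time - rotation, rotation)}
    if any(post.get(n, "").strip() for n in names):
        return "bot"
    return "human"


if __name__ == "__main__":
    now = 1_700_000_000                       # constructed timestamp
    name = honeypot_name(SITE_SECRET, now)
    print(render_field(name))
    # constructed POST bodies: a bot fills every field it sees, a human leaves it empty
    print(classify({"log": "admin", "pwd": "x", name: "x"}, SITE_SECRET, now))   # bot
    print(classify({"log": "admin", "pwd": "x", name: ""}, SITE_SECRET, now))    # human
```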

Screenshots

Dashboard — lockout statistics, active lockouts, and recent activity

Brute force protection settings with progressive lockout durations

Two-factor authentication (TOTP) configuration

Honeypot and notification settings

Login attempt logs with filtering

Login logs with IP and user agent details

Advanced settings and IP whitelist configuration

VistoShield Server integration

Ready to Secure Your WordPress Login?

Install Login Guard from the WordPress plugin directory and enable brute force protection in seconds.

Get Started Free