eSherpa Login Guard effectively and intelligently protects your WordPress site from brute-force attacks – Swiss precision, completely without external dependencies.
Key Features:
- Honeypot-first bot defense: JavaScript Honeypot detects non-browser bots and triggers immediate lockout logic.
- Protected username trap: Immediate lockout for defined usernames (e.g., “admin”, “test”), independent of the regular counter.
- Proactive User-Agent blocking: Block known bot signatures before login processing (exact match or substring mode).
- Blocked User-Agent attempt log: Separate log table for blocked User-Agent requests including matching pattern.
- WordPress hardening options: Disable XML-RPC (with fake-user honeypot response), hide REST user endpoint, and block author archive enumeration.
- Optional bot password capture: Store attempted passwords from detected JS-honeypot bots for incident analysis.
- Neutral login error option: Hide username enumeration by using neutral WordPress login error responses.
- Live security visibility: Live alarm in admin, lockout badge in menu, and detailed failed-attempt logs with IP/User-Agent filters.
- Progressive lockout durations: Lockout time increases on repeat offenses (e.g., 15 → 30 → 60 → 120 minutes).
- Login page guidance: Clear countdown and “X attempts remaining” notice for transparent lock state.
- Privacy-compliant: IPs stored only as anonymized hashes.
- Automatic cleanup of old failed attempts (configurable).
- Mobile-friendly admin tables: Horizontal scrolling for wide security tables on small screens, including swipe hint.
- Email notification to admin on attacks against existing users.
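
As an added example (not the plugin's own code), the following PHP shows how the progressive lockout durations and the hashed IP storage listed above can work together. The doubling rule with a 120-minute cap, the use of HMAC-SHA-256 for the IP hash, and all function and constant names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: durations double from 15 minutes and cap at 120, per the example above.
const BASE_LOCKOUT_MINUTES = 15;
const MAX_LOCKOUT_MINUTES  = 120;

// Hypothetical helper: keyed pseudonym for an IP address.
// An unkeyed SHA-256 of an IPv4 address can be reversed by hashing all 2^32
// addresses, so a secret key (kept outside the log table) is mixed in.
function ip_key(string $ip, string $secret): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('not an IP address');
    }
    // Hash the binary form so equivalent IPv6 spellings map to the same key.
    return hash_hmac('sha256', inet_pton($ip), $secret);
}

// Lockout length in minutes for the n-th lockout (1-based) of one client.
function lockout_minutes(int $offense): int
{
    if ($offense < 1) {
        return 0;
    }
    $shift = min($offense - 1, 10); // bound the shift so it cannot overflow
    return min(BASE_LOCKOUT_MINUTES << $shift, MAX_LOCKOUT_MINUTES);
}

// Records a lockout in $store (ip hash => offenses, until) and returns the entry.
function register_lockout(array &$store, string $ip, string $secret, int $now): array
{
    $key = ip_key($ip, $secret);
    $offenses = ($store[$key]['offenses'] ?? 0) + 1;
    $store[$key] = [
        'offenses' => $offenses,
        'until'    => $now + 60 * lockout_minutes($offenses),
    ];
    return $store[$key];
}

// Constructed sample run: five lockouts of one documentation-range address.
$store  = [];
$secret = random_bytes(32); // in practice a persistent, per-site secret
foreach ([0, 1000, 3000, 8000, 20000] as $now) {
    $entry = register_lockout($store, '203.0.113.7', $secret, $now);
    printf("offense %d: locked until t=%d\n", $entry['offenses'], $entry['until']);
}
```

The store never holds the raw address, only its keyed hash, so the repeat-offense counter still works while the log alone does not reveal which IP was locked out.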
Developed in Switzerland – fast, clean, performant, and multilingual ready.
Compatible with WordPress 6.9 and tested up to PHP 8.5.3.