It is very important to watch your WordPress core, plugin and theme files for injected malware code.
In this lesson you will learn about scanning every single bit of your WordPress website's core, theme and plugin files against the original versions held in the plugin and theme repositories at WordPress.org.
Sometimes you need to lock user accounts: after a given number of incorrect login attempts (to stop dictionary attacks), when an author becomes inactive, or when you want to ban a user.
I use the User Locker plugin. It lets you lock or deactivate any user account. After you install and activate it, a new menu option appears under Dashboard -> Settings -> User Locker, showing some default settings.
Limited Number of Login Attempts
A default WordPress installation is vulnerable to dictionary attacks, as there is no limit on how many times a user can submit an invalid password and try again. User Locker closes this security flaw by enforcing a maximum number of invalid login attempts. When someone exceeds this number, the account is locked and can be unlocked only by requesting a new password (using the Lost Password option) or by asking an administrator for support. This makes brute-force and dictionary attacks nearly impossible.
Banning Certain User Accounts
It also lets you disable selected user accounts, so those users cannot log in even if they know the password. This feature is good for banning certain user accounts.
It also lets you record a lock/disable reason, for your own future reference. When an account is locked automatically, the plugin can add the lock reason itself (this is configurable). By default the reason text is displayed only in the User List, but you can also show it to the user after a blocked login attempt. You also have the option to keep some reasons private: just start the reason text with '@' (the AT sign).
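To show how the lockout and lock-reason behaviour described above fits into WordPress's login hooks, here is an added example; it is not the User Locker plugin's own code. The threshold of five attempts, the 15-minute counter window and the example_* key names are illustrative assumptions, not settings from the plugin.

```php
<?php
// Added illustration of an account lockout on repeated failed logins.
// Not the User Locker plugin's code. Load it as a site-specific mu-plugin.
// Assumptions (not from the original page): 5 failed attempts lock the
// account, the per-user counter lives in a transient for 15 minutes, and
// the lock flag/reason are stored under the example_* user meta keys.

const EXAMPLE_MAX_FAILED_LOGINS = 5;
const EXAMPLE_COUNTER_TTL       = 15 * MINUTE_IN_SECONDS;

function example_counter_key( $username ) {
    return 'example_failed_logins_' . md5( strtolower( $username ) );
}

// Count each failed attempt against the submitted username; lock the
// account once the threshold is reached and record the reason.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_counter_key( $username );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_COUNTER_TTL );
    if ( $count >= EXAMPLE_MAX_FAILED_LOGINS ) {
        $user = get_user_by( 'login', $username );
        if ( $user ) {
            update_user_meta( $user->ID, 'example_locked', 1 );
            update_user_meta( $user->ID, 'example_lock_reason',
                'Auto-locked after ' . $count . ' failed logins' );
        }
    }
} );

// Refuse authentication for a locked account even when the password is
// correct. Priority 30 runs after core's username/password check (20).
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( $user instanceof WP_User && get_user_meta( $user->ID, 'example_locked', true ) ) {
        return new WP_Error( 'account_locked',
            'This account is locked. Reset your password or contact an administrator.' );
    }
    return $user;
}, 30, 3 );

// A completed password reset (the Lost Password flow) clears the lock,
// matching the unlock path the lesson describes.
add_action( 'after_password_reset', function ( $user ) {
    delete_user_meta( $user->ID, 'example_locked' );
    delete_user_meta( $user->ID, 'example_lock_reason' );
    delete_transient( example_counter_key( $user->user_login ) );
}, 10, 1 );
```

An administrator can also unlock manually by deleting the example_locked meta for the user; the counter is keyed by username so failures for non-existent accounts are counted but lock nothing.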