This review is a first look at a free WordPress security plugin called FluentAuth. This is a new plugin from the ManageNinja team, the same people who develop FluentForms, FluentCRM, FluentSupport, FluentSMTP, and other top tier solutions. In this review I’ll first do a walk-through and then we will have some discussion and conclusions.
FluentAuth Video Walk-Through
Why Do You Need a Security Plugin
The first thing you need to do when you bring a new site online is to take care of security. There are hackers and bots that watch for new sites and within a short time start attacking, looking for a weakness. Maybe you have an ecommerce site, a membership site, or a site for your business and so obviously you can’t afford to have it hacked. But suppose you have a simple site, or the site is new. You may think there is nothing of interest, however, you would be wrong. If your site is compromised then it can be used to infect visitors to the site with malware. A hacked site can also be used as part of an automated botnet to attack other people’s sites, and you don’t want that. So, if the site is online it needs to be secured.
FluentAuth on the Web
FluentAuth is available for free download from the WordPress plugin directory. As you can see, it is brand new and there aren’t many installs yet.
Here is the FluentAuth website. It has information about the plugin, the people behind it, and some documentation.
Options and Settings
As soon as you activate the plugin, there is a link to take you into the setting area.
Core Settings
When you follow the link you go to the core security settings page. In the top righthand corner there is a button to apply the recommended settings.
The core security features are:
- Disable XML-RPC
- Disable REST API Application Login
- Disable REST API endpoint for users
- Limit login attempts
- Magic Login – get a login link sent to your email (by User Role)
- Two Factor Authentication – Get a code sent to your email (by User Role)
- How long to keep log files
- Send an email on successful login (by User Role)
- Send email on blocked login
Here is the page with those settings applied.
Social Login
On the Social Login settings page you can enable login via an external site. At launch only GitHub is supported but a Google account option is coming soon.
Login and Signup Forms
FluentAuth provides shortcodes so you can place the registration, login, and password reset forms where it makes sense for you. Each shortcode has the option to set a redirect URL so you can control where the user goes after submitting the form.
Login Redirect Rules
You can set default redirect URLs for login and logout. You can also set custom rules by user role and user capabilities. This means you can have different redirects for different user roles.
Dashboard Overview Screen
The dashboard gives you a quick view of your rules and recent logins.
Logs Screen
You can also view the logs to see blocked, failed, and successful logins. You can filter the logs and search the also.
Discussion and Conclusions
The ManageNinja team has a number of websites and the FluentAuth plugin was created for use on their own sites. The plugin has four sets of related features. First, there is brute force login protection of the login form, as well as the option to disable XML-RPC login and REST API application login. There is also the ability to disable user enumeration via the REST API. These are features that most every WordPress site needs.
The second feature is the option to allow logins using credentials from other popular social websites. This is a nice convenience feature as it cuts down on the number of logins a user has to maintain. Currently it is only possible to add GitHub as an option, but authentication using your Google login is coming soon.
The third feature set is the ability to add a login form with custom URLs after login and logout, a registration form, and a password reset form, all using shortcodes. This means that you can put these forms on your sites pages where it makes sense to have them.
The fourth feature set is the ability to set a default redirect after login and logout AND the ability to customize the URLs by user role or by user capability.
The FluentAuth plugin doesn’t include every possible security option available. I think the idea was to stay focused and lean. Plans for the future are to add more social login options and to add more options for redirects. For example to redirect based on a FluentCRM tag, a particular course the user is enrolled in, or based on a WooCommerce purchase.
The first set of features, the login form protection, is something that pretty much every site will need. These other features, however, are ones that you would use on a site with multiple users logging in, such as an ecommerce shop, an educational course website, or a membership site.
Coming from the ManageNinja team, we can trust that the plugin is well coded. So, if you have a site with multiple users and want to add login form protection, social login options, custom login redirects, or the ability to customize the placement of login related forms using shortcodes, then FluentAuth will be a good option to checkout.
