First Look at FluentAuth, a New Security Plugin

This review is a first look at a free WordPress security plugin called FluentAuth. This is a new plugin from the ManageNinja team, the same people who develop FluentForms, FluentCRM, FluentSupport, FluentSMTP, and other top-tier solutions. In this review I’ll first do a walk-through and then we will have some discussion and conclusions.

FluentAuth Video Walk-Through

Why Do You Need a Security Plugin

The first thing you need to do when you bring a new site online is to take care of security. There are hackers and bots that watch for new sites and within a short time start attacking, looking for a weakness. Maybe you have an ecommerce site, a membership site, or a site for your business and so obviously you can’t afford to have it hacked. But suppose you have a simple site, or the site is new. You may think there is nothing of interest, however, you would be wrong. If your site is compromised then it can be used to infect visitors to the site with malware. A hacked site can also be used as part of an automated botnet to attack other people’s sites, and you don’t want that. So, if the site is online it needs to be secured.

FluentAuth on the Web

[Screenshot: FluentAuth on wordpress.org]

FluentAuth is available for free download from the WordPress plugin directory. As you can see, it is brand new and there aren’t many installs yet.

[Screenshot: the FluentAuth website]

Here is the FluentAuth website. It has information about the plugin, the people behind it, and some documentation.

Options and Settings

As soon as you activate the plugin, there is a link to take you into the setting area.

[Screenshot: FluentAuth activated]

Core Settings

When you follow the link you go to the core security settings page. In the top right-hand corner there is a button to apply the recommended settings.

[Screenshot: core security settings screen]

The core security features are:

  • Disable XML-RPC
  • Disable REST API Application Login
  • Disable REST API endpoint for users
  • Limit login attempts
  • Magic Login – get a login link sent to your email (by User Role)
  • Two Factor Authentication – Get a code sent to your email (by User Role)
  • How long to keep log files
  • Send an email on successful login (by User Role)
  • Send email on blocked login

Here is the page with those settings applied.

[Screenshot: core security settings with the suggested options applied]

Social Login

On the Social Login settings page you can enable login via an external site. At launch only GitHub is supported but a Google account option is coming soon.

[Screenshot: FluentAuth social login settings]

Login and Signup Forms

FluentAuth provides shortcodes so you can place the registration, login, and password reset forms where it makes sense for you. Each shortcode has the option to set a redirect URL so you can control where the user goes after submitting the form.

[Screenshot: FluentAuth login and signup forms]

Login Redirect Rules

You can set default redirect URLs for login and logout. You can also set custom rules by user role and user capabilities. This means you can have different redirects for different user roles.

[Screenshot: FluentAuth login redirect rules]

Dashboard Overview Screen

The dashboard gives you a quick view of your rules and recent logins.

[Screenshot: FluentAuth dashboard overview]

Logs Screen

You can also view the logs to see blocked, failed, and successful logins. You can filter and search the logs as well.

[Screenshot: FluentAuth view logs screen]

Discussion and Conclusions

The ManageNinja team has a number of websites and the FluentAuth plugin was created for use on their own sites. The plugin has four sets of related features. First, there is brute-force login protection of the login form, as well as the option to disable XML-RPC login and REST API application login. There is also the ability to disable user enumeration via the REST API. These are features that almost every WordPress site needs.
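As an added illustration, and not FluentAuth's own code, the hypothetical must-use plugin below shows how this first feature set maps onto standard WordPress hooks: XML-RPC off, Application Password (REST) login off, the REST users endpoints hidden from anonymous requests, and a simple per-IP failed-login lockout. The `hypo_` names, the 5-attempt / 15-minute thresholds, and the assumption that `REMOTE_ADDR` is the real client address are mine.

```php
<?php
/*
 * Plugin Name: Core Login Hardening (illustrative example, not FluentAuth)
 * Drop into wp-content/mu-plugins/ to load it automatically.
 */

// 1. Disable XML-RPC, which otherwise allows password guessing and pingback abuse.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Disable Application Password login over the REST API.
add_filter( 'wp_is_application_passwords_available', '__return_false' );

// 3. Hide the /wp/v2/users routes from anonymous requests to stop username enumeration.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints; // logged-in users (e.g. editors assigning authors) keep access
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 4. Limit login attempts: after 5 failures an IP is locked out for 15 minutes.
const HYPO_MAX_ATTEMPTS = 5;
const HYPO_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;

function hypo_attempt_key() {
    // Assumption: REMOTE_ADDR is the real client. Behind a trusted proxy, use its forwarded header.
    return 'hypo_login_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count each failed attempt; the transient expires on its own after the lockout window.
add_action( 'wp_login_failed', function () {
    $key   = hypo_attempt_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, HYPO_LOCKOUT_SECS );
} );

// Priority 30 runs after WordPress's own username/password check, so a lockout wins.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( hypo_attempt_key() ) >= HYPO_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again in 15 minutes.' );
    }
    return $user;
}, 30, 1 );

// Reset the counter once the client authenticates successfully.
add_action( 'wp_login', function () {
    delete_transient( hypo_attempt_key() );
} );
```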

The second feature is the option to allow logins using credentials from other popular social websites. This is a nice convenience feature as it cuts down on the number of logins a user has to maintain. Currently it is only possible to add GitHub as an option, but authentication using your Google login is coming soon.

The third feature set is the ability to add a login form with custom URLs after login and logout, a registration form, and a password reset form, all using shortcodes. This means that you can put these forms on your site's pages where it makes sense to have them.

The fourth feature set is the ability to set a default redirect after login and logout, and the ability to customize the URLs by user role or by user capability.

The FluentAuth plugin doesn’t include every possible security option available. I think the idea was to stay focused and lean. Plans for the future are to add more social login options and more options for redirects, for example redirecting based on a FluentCRM tag, a particular course the user is enrolled in, or a WooCommerce purchase.

The first set of features, the login form protection, is something that pretty much every site will need. These other features, however, are ones that you would use on a site with multiple users logging in, such as an ecommerce shop, an educational course website, or a membership site.

Coming from the ManageNinja team, we can trust that the plugin is well coded. So, if you have a site with multiple users and want to add login form protection, social login options, custom login redirects, or the ability to customize the placement of login-related forms using shortcodes, then FluentAuth will be a good option to check out.

Some of the links in the post above are “affiliate links.” This means if you click on the link and purchase the item, I will receive an affiliate commission. You will still pay the same amount so there is no extra cost to you. I am disclosing this in accordance with the Federal Trade Commission’s 16 CFR, Part 255: “Guides Concerning the Use of Endorsements and Testimonials in Advertising.”
