WordPress Author Enumeration Bot Probe Protection – Author ID, User ID


Viewing 15 posts - 16 through 30 (of 37 total)
  • #30023
    AITpro Admin
    Keymaster

    What type of Network|Multisite is your site?  Subdomain standard, Subdirectory standard, Subdomain GWIOD or Subdirectory GWIOD?

    #30025
    Pako
    Participant

    Hi
    Mapped domains i.e.:

    www.primary-site.com
    www.chield-side.com

    #30026
    AITpro Admin
    Keymaster

    Ok let’s try this instead – what do you see when you add this Query String on the end of a URL|URI:  Example:  http://forum.ait-pro.com/?author=1

    #30027
    Pako
    Participant

    I see the author page archive like http://www.primary-site.com/blog/author/my-username/

    #30028
    AITpro Admin
    Keymaster

    Oh ok yeah we are looking into the change that WP recently made with internal Rewriting.  It appears that WP has made major changes to internal Rewriting that negate this particular htaccess Author Enumeration Bot Probe Protection on Network sites.  We assume this was done intentionally by WP, but maybe this is just a new problem that needs a new solution. 😉  We will fiddle around with this in the next couple of days and post our findings here after fiddling.
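
The behaviour described in the exchange above (a request for `/?author=1` resolving to the `/author/<username>/` archive) is visible in web server access logs. The following is an added example, not part of the original posts and not BPS code: it flags clients that request several distinct author IDs and records which IDs the server answered with a redirect. The log lines, the threshold and the function names are constructed for illustration, and the combined log format is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def author_id(target):
    """Return the numeric author ID a request target asks for, or None."""
    values = parse_qs(urlsplit(target).query).get("author", [])
    if values and re.fullmatch(r"[0-9]{1,9}", values[0]):
        return int(values[0])
    return None

def find_enumerators(lines, min_distinct_ids=3):
    """Map client IP -> probed IDs and the IDs the server redirected."""
    probed = defaultdict(set)
    redirected = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        aid = author_id(m.group("target"))
        if aid is None:
            continue
        probed[m.group("ip")].add(aid)
        # Assumption: a 301/302 answer is the redirect to /author/<name>/,
        # i.e. the username was disclosed for this ID.
        if m.group("status") in ("301", "302"):
            redirected[m.group("ip")].add(aid)
    return {
        ip: {"probed": sorted(ids), "redirected": sorted(redirected[ip])}
        for ip, ids in probed.items() if len(ids) >= min_distinct_ids
    }

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2016:13:55:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "constructed-agent"',
    '203.0.113.7 - - [10/Oct/2016:13:55:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "constructed-agent"',
    '203.0.113.7 - - [10/Oct/2016:13:55:03 +0000] "GET /?author=3 HTTP/1.1" 404 512 "-" "constructed-agent"',
    '198.51.100.20 - - [10/Oct/2016:14:02:10 +0000] "GET /blog/?author=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Oct/2016:14:02:15 +0000] "GET /blog/author/my-username/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, hit in find_enumerators(SAMPLE_LOG).items():
        print(ip, hit)
```

A non-empty `redirected` list means the rewrite-level protection did not apply to those requests; a list of only 403 or 404 answers means the probes were refused.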

    #30029
    Pako
    Participant

    Thanks a lot 🙂

    So I’ll wait before switching from Wordfence because, as the multisite username can be found, it’s also possible for anyone who has this username to lock out this account if BPS Login Security & Monitoring is activated 🙁

    Question: does BPS not have the same option as Wordfence, like blocking people who are trying to log in with a username that I defined as forbidden?

    Thanks

    #30030
    AITpro Admin
    Keymaster

    Well I don’t want to negate Wordfence, but Wordfence is for amateurs and BPS Pro is…to say it plainly, for folks who want real website security protection. 😉  We think Wordfence is ok, but we have created something that is “bulletproof”/far superior. 😉  Overall, whether or not a Bot got your author name would not matter if you have BPS Pro since JTC Anti-Spam|Anti-Hacker would stop the hacker or spammer.

    A perfect example is this forum site.  We don’t bother with trying to block or hide or do anything at all with author/usernames because we are using BPS Pro JTC Anti-Spam|Anti-Hacker so there is no need to use the Author Enumeration Bot Probe Protection on this site at all. The Author Enumeration Bot Probe Protection Bonus Custom Code was created for BPS free plugin users. 😉

    #30033
    Pako
    Participant

    (lol) you have me almost convinced to buy the pro version 😉 but I need other answers first, like how to manage WP Rocket htaccess stuff nicely: http://forum.ait-pro.com/forums/topic/wp-rocket-plugin-htaccess-code-where-to-put-it/#post-30024

    Thanks again

    #30034
    AITpro Admin
    Keymaster

    Ok I’ll take a look at your other post and post an answer.  We don’t do a hard sell with BPS Pro, but this is a pretty impressive fact – “BulletProof Security Pro has an amazing track record. BPS Pro has been publicly available for 5+ years and is installed on over 20,000 websites worldwide. Not a single one of those 20,000+ websites in 5+ years has been hacked.”

    #30039
    Pako
    Participant

    (is Block Bad Queries (BBQ) plugin useful if I buy BPS Pro?)

    #30040
    AITpro Admin
    Keymaster

    Honestly, nope BBQ is not going to add any additional security protection that BPS and BPS Pro do not already do/have.

    #30041
    Pako
    Participant

    great 🙂

    And last question (I promise): I’m trying to find where I must write the rules I had before the BPS install, like .htaccess authentication, you know, all that stuff:

    ErrorDocument 401 "Denied"
    ErrorDocument 403 "Denied"
    <FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/blabla/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
    </FilesMatch>

    This was to protect login.php but I had the same in /wp-admin.
    All those rules were written by my cPanel.

    #30042
    AITpro Admin
    Keymaster

    Your BasicAuth htaccess code goes in this BPS wp-admin Custom Code text box:  CUSTOM CODE WPADMIN TOP:
    wp-admin password protection & miscellaneous custom code here

    You don’t need to add the ErrorDocument htaccess code because BPS already has/uses that code.

    #30043
    Pako
    Participant

    Oops, I can’t find the text box you mentioned… 🙁
    But to be more precise I was protecting 2 things:
    root login.php with rules in my root .htaccess file and /wp-admin/ with rules in my /wp-admin/ .htaccess file
    This one was a little bit different:

    # Allow plugin access to admin-ajax.php around password protection
    <Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
    </Files>
    
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/blabla/.htpasswds/public_html/wp-admin/passwd"
    require valid-user

    #30044
    AITpro Admin
    Keymaster

    BPS already protects the admin-ajax.php file by default so you don’t need that code either.

    htaccess Core > Custom Code > CUSTOM CODE WPADMIN TOP > add your BasicAuth htaccess code > click the Save wp-admin Custom Code button > go to the security modes page > Activate wp-admin BulletProof Mode.
