WordPress Author Enumeration Bot Probe Protection – Author ID, User ID


Viewing 7 posts - 31 through 37 (of 37 total)
    #30045
    Pako
    Participant

    The code for admin-ajax.php is not really a protection but it prevents Admin Ajax Issue:

    Can you please see below “I have a 404 Error or a Too many redirects error” at this page and tell me if I’m wrong?
    http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/

    #30046
    Pako
    Participant

    htaccess Core > Custom Code > CUSTOM CODE WPADMIN TOP > add your BasicAuth htaccess code > click the Save wp-admin Custom Code button > go to the security modes page > Activate wp-admin BulletProof Mode.

    Yes it works for /wp-admin/ 🙂

    But now for /login.php?

    #30048
    Pako
    Participant

    I have written this below into Custom Code > Root htaccess File Custom Code > CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES:

    And yes it works. I do not know if it’s the right way, but it works fine.

    <FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/blabla/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
    </FilesMatch>

    #30050
    Pako
    Participant

    You know what? I have just bought BPS Pro 🙂 and I just wonder if I must keep the user I use here for the forum or the new one I get after buying it…

    #30054
    AITpro Admin
    Keymaster

    Your forum user account is a separate user account for this separate forum site so it can be anything and does not need to be the same as the user account name on the AIT-pro.com main site.

    #31006
    Didier Ludwig
    Participant

    NEW BRUTE FORCE THREAT?

    It looks like hackers can find out usernames even when I have filled out the “Custom Code bottom hotlinking/…” field in the root custom code section of BPS (free), following the instructions from the post above. And of course, “Root Folder BulletProof Mode (RBM)” is activated (BPS v .54). That setup had been on my site for many months when I received a BPS alert two days ago warning me that both user accounts have been blocked temporarily (roles: one admin, one shopadmin). I disabled the plugin for a few moments, created two new users, reactivated the plugin, and deleted the old users. Now, within 48 hrs, hackers seem to have found out both new usernames, though the usual hack doesn’t work, see http://origine.wine/?author=1 . BPS has now logically blocked the new users’ logins again.

    I hope BPS will find out how this could happen, soon.
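The recon Didier describes (cycling through ?author=N and reading the redirect target) leaves a recognisable trace in the web server access log. Added example, not code from this thread or from BPS: a short Python script that parses constructed Apache combined-format log lines (documentation-range IPs, invented timestamps and paths) and flags clients that issue repeated author-ID probes. It relies on the default WordPress behaviour of answering ?author=N with a 301 to /author/<nicename>/ when the ID exists and a 404 when it does not, so redirected probes are the ones that disclosed a username.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not taken from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:09:12:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:09:12:02 +0000] "GET /author/siteowner/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:09:12:03 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:09:12:04 +0000] "GET /?author=3 HTTP/1.1" 404 1200 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:09:15:30 +0000] "GET /2016/03/hello-world/ HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:09:15:31 +0000] "GET /?p=12 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, request line and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# An author-ID probe is a query string carrying a numeric "author" parameter.
AUTHOR_QUERY_RE = re.compile(r'(?:^|&)author=\d+(?:&|$)')


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_author_probe(entry):
    """True when the request path carries ?author=<digits>."""
    path = entry["path"]
    if "?" not in path:
        return False
    query = path.split("?", 1)[1]
    return bool(AUTHOR_QUERY_RE.search(query))


def find_author_enumeration(log_text, threshold=2):
    """Return {ip: {"probes": n, "redirects": m}} for clients with >= threshold probes.

    "redirects" counts probes answered with 301/302, i.e. IDs that resolved to a
    real user and therefore leaked a username through the redirect target.
    """
    counts = defaultdict(lambda: {"probes": 0, "redirects": 0})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_author_probe(entry):
            continue
        c = counts[entry["ip"]]
        c["probes"] += 1
        if entry["status"] in (301, 302):
            c["redirects"] += 1
    return {ip: c for ip, c in counts.items() if c["probes"] >= threshold}


if __name__ == "__main__":
    for ip, c in find_author_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {c['probes']} author-id probes, "
              f"{c['redirects']} redirected (username likely disclosed)")
```

Run against a real access log, a client with several probes and a high redirect count is a good trigger for the same temporary block BPS applies to login attempts, and the redirect count tells you how many account names the probe actually recovered, which is the information Didier was missing.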

    #31007
    AITpro Admin
    Keymaster

    @ Didier Ludwig – This is not a new type of hack recon to find author names/usernames. See this forum topic for additional things you can do to protect your login page: http://forum.ait-pro.com/forums/topic/user-account-locked/#post-12634
