BulletProof Security Free forum: Lock out all but specific IPs from WordPress login
Tagged: Brute Force, IP Allow, IP Block, login, Login Security
- This topic has 11 replies, 3 voices, and was last updated 10 years, 9 months ago by GC.
Delete account (Participant):
I’ve got cretins trying to get into my WordPress site. I have the login locking system enabled to keep them out after 2 goes, but it is becoming tiresome having the admin account locked and me locked out along with it if I haven’t left the BPS page up and used it recently enough. Every unique IP I immediately copy into my firewall to block them from getting at the site at all, but it is becoming tiresome. I am half wondering whether to turn the auto lock off and give up.
Basically I do not want anyone accessing the login system other than me. Is there a way to do this with the Free version? I thought I had found it and added in the allowed IP addresses with a deny from all in the htaccess file that mentions needing ftp access to alter it. It’s made no difference and logins are still attempted. I don’t want anyone else able to login at all or trigger a lockout.
What is the best way of doing this? I expected it to be in the login security pages but there is nothing. Just how many goes, lockout time etc. Nothing about restricting logins to particular IPs.
AITpro Admin (Keymaster):
Yes, there has been a recent rise in Brute Force Login Activity on the Internet.
If someone is logging in with your user account then they know the name of that user account. Note: The email address for each user account is associated with that user account and is stored in your WordPress Database. You will see the email addresses associated with each user account logged in Login Security.
WordPress itself, Plugins and Themes can all display your user account name publicly on your website – typically with the the_author_link() function or other WordPress functions that display the author url and display your user account name publicly.
Here are some Forum links for things that you can do about not exposing and protecting your author name/user account name.
http://forum.ait-pro.com/forums/topic/user-account-locked/
http://forum.ait-pro.com/forums/topic/revealing-the-admin-or-editor-user-name-and-not-knowing/
http://forum.ait-pro.com/forums/topic/wordpress-author-enumeration-bot-probe-protection-author-id-user-id/

Blocking by IP address is not effective
Blocking by IP address is not effective and is time consuming and will go on until the end of time since hackers and spammers can switch to and use millions of IP addresses automatically – complete waste of time since you are trying to block an unknown factor – millions of possible IP addresses. We spent months researching blocking by IP address and found that it is a complete waste of time.
http://forum.ait-pro.com/forums/topic/buddypress-spam-registration-buddypress-anti-spam-registration/

Allowing by IP is effective
When Allowing by IP Address you are allowing something that is known/finite that you can control vs trying to block IP addresses that are unknown (as soon as you block an IP address the automated hackerbot/spammerbot program switches to another IP address automatically). There are also additional options such as the Simple Query String code method in the link below.
http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

# Protect wp-login.php from Brute Force Login Attacks based on IP Address
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your website domain name
Allow from example.com
# Add your website/Server IP Address
Allow from 69.200.95.1
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 65.100.50.
</FilesMatch>
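As an added illustration (not code from the post or from the BPS plugin), the Python below models the allow-list logic of that .htaccess snippet: a request for wp-login.php is denied unless the client IP matches a full address or an octet-prefix rule, and a partial rule written without its trailing dot is flagged before it silently locks everyone out. It covers only the IP entries; the example.com hostname entry (which Apache resolves through DNS) is not modelled, and the prefix matching is a simplified model rather than Apache's exact semantics.

```python
import re
from typing import Iterable

# Allow rules taken from the snippet in the post: one full address and a
# 3-octet prefix that covers the whole 65.100.50.x range.
ALLOW_RULES = ("69.200.95.1", "65.100.50.")
# The FilesMatch pattern from the post: only wp-login.php is protected.
PROTECTED = re.compile(r"^(wp-login\.php)")


def validate_rule(rule: str) -> None:
    """Reject rules that cannot work as intended.

    A partial rule must end in a dot so it stops at an octet boundary:
    "65.100.5" (no trailing dot) is ambiguous between the range 65.100.5.x
    and a mistyped full address, and in this model it would match nothing.
    """
    octets = rule.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad rule: {rule!r}")
    if not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad octet in rule: {rule!r}")
    if len(octets) < 4 and not rule.endswith("."):
        raise ValueError(f"partial rule {rule!r} needs a trailing dot")


def rule_matches(rule: str, client_ip: str) -> bool:
    """Full address: exact match. Prefix rule (trailing dot): prefix match,
    so "65.100.50." covers 65.100.50.77 but not 65.100.55.77."""
    if rule.endswith("."):
        return client_ip.startswith(rule)
    return client_ip == rule


def decide(filename: str, client_ip: str, rules: Iterable[str] = ALLOW_RULES) -> str:
    """Order Allow,Deny: wp-login.php is denied unless some Allow rule matches.
    Other files are outside the FilesMatch block and pass untouched."""
    if not PROTECTED.match(filename):
        return "allow"
    return "allow" if any(rule_matches(r, client_ip) for r in rules) else "deny"


if __name__ == "__main__":
    # Constructed sample requests: (filename, client IP).
    for name, ip in [("wp-login.php", "65.100.50.77"), ("wp-login.php", "65.100.55.77"),
                     ("wp-login.php", "69.200.95.10"), ("index.php", "203.0.113.9")]:
        print(f"{ip:>14} {name:<14} -> {decide(name, ip)}")
```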
Delete account (Participant):
Thanks for the info. I’ve just upgraded to Pro as the captcha method looks like it might do the trick as well.

AITpro Admin (Keymaster):
Yep, JTC Anti-Spam / Anti-Hacker far exceeded our expectations regarding automated spambot registrations and spambot posting. We just posted the results of several months of using JTC Anti-Spam / Anti-Hacker on this Forum site (link below). 0 automated spambot registrations and spambot posts is pretty remarkable. During testing of things like IP blocking methods we were spending 1-2 hours per day cleaning up spambot registrations and spambot posts on this Forum site. That was costly in terms of time spent, but it was necessary research to figure out what really works and what is a waste of time.
JTC Anti-Spam / Anti-Hacker also stops automated hackerbot registrations/form submissions/form posting, but if you are using a common or known WordPress default user account name, such as the “admin” default user account name then you should create a new unique/secure Administrator user account name and delete that default WP “admin” user account.
I also recommend creating another Administrator account for your websites that is ONLY used for logging into your websites and is NEVER used for Posting WordPress Posts or anything else on the website so that that Administrator user account is NEVER displayed publicly anywhere on your website – author URL’s, etc. This leaves you with an alternative Administrator login account that will NEVER be locked out since it is not publicly displayed anywhere on your site.
http://forum.ait-pro.com/forums/topic/user-account-locked/#post-12634
AITpro Admin (Keymaster):
Also the most important thing about JTC Anti-Spam / Anti-Hacker is that it is “doing it right”. Form Logins/Registrations/etc are killed if an incorrect CAPTCHA is entered. Form processing checks the CAPTCHA first – if it is incorrect the Login processing/Registration processing is halted at that point and a MySQL connection to your WordPress Database is NOT made. ALL auto-posting spambots and hackerbots are stopped at the CAPTCHA. 😉

Delete account (Participant):
Which is the best place to stop them 😀

AITpro Admin (Keymaster):
Exactly 🙂
We don’t believe in making negative statements or bad mouthing other plugins, so I will phrase this as diplomatically as I can. While we were doing our research for the optimum method to kill automated bots, we of course looked at what every other plugin was doing in this area. What we found was that some very popular plugins with a lot of downloads/installations are allowing login processing before CAPTCHA processing, which defeats and negates the primary purpose for using a CAPTCHA. Instead of pointing out which plugins are “doing it wrong”, I will instead point out the plugin that we found was “doing it right” – SI CAPTCHA Anti-Spam. JTC Anti-Spam / Anti-Hacker is most similar to that plugin, but we came up with some unique new concepts and techniques to improve on what works so well in that plugin.
GC (Participant):
Hi BulletProofSec!
I love your free product, but I’m in a real mess right now. I was tweaking my website to make it more secure b/c there’s been a lot of activity trying to log into my WordPress site. Unfortunately, like a dummy, I was in the whitelist area and added (I think) a 127.0.0.1 and another IP (mine), and now I’m locked out of my wp-admin login to my WordPress site – I get an error message:
http://127.0.0.1/?redirect_to=http%3A%2F%2Friveroflifemission.com%2Fwp-admin%2F&reauth=1
I tried to restore my mysql backup in godaddy, but to no avail, I get the same message. What should I do? Do I need to ftp and delete the plugin? Help please?
GC

AITpro Admin (Keymaster):
Use FTP or your web host control panel file manager and delete the root and wp-admin .htaccess files. Log back into your site and correct whatever needs to be corrected. I assume you need to correct your .htaccess code in Custom Code (or maybe your IP address in Maintenance Mode). After you have made the .htaccess code corrections and saved your changes, go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button and click the wp-admin folder BulletProof Mode Activate button.

GC (Participant):
Just for clarification, I’ll need to delete the .htaccess file in both the root and wp-admin area – correct?
GC
AITpro Admin (Keymaster):
Maybe, since I am not sure which .htaccess file/code changes you made. If you only modified/made changes to the root .htaccess file then just delete the root .htaccess file.

GC (Participant):
Hallelujah! It worked! It worked! Thank you so very much! I’ll ask my client if they can purchase your pro version!
GC