Tagged: Brute Force, Login Protection
- This topic has 11 replies, 2 voices, and was last updated 10 years ago by AITpro Admin.
jenni101 (Participant)
Hi,
I’ve just switched to BPS, and sweet so far! I’m trialing the free version first, having had such problems with other WP security plugins.
So, I have a root install of my main WordPress site, with an addon domain sitting in a subfolder (currently a plain HTML site, but it will be changed to a WP site too in the near future), and a stock image library software installed in a subfolder, which has its own .htaccess file and login.php files etc. and works fine at present.
So it looks like this: mysite.com/stockimagelibrary/ and mysite.com/myaddondomain/
Only 2 of us need access to login to the main WP site (and the addon domain), but the stock image library needs all users to register/login at mysite.com/stockimagelibrary/login (or register).
I’d like to know if the Brute Force Login Protection Custom code will only affect the WP logins or whether it will affect everything in my site?
Also I’m looking at buying your pro version, so I can use it on my new WP site too (the addon domain site) and to jack up the overall site security before the stock image library goes live. BUT will the additional security features of the pro version affect access to my image library login and users?
Looking forward to your thoughts…
AITpro Admin (Keymaster) [A new Topic was created from the original Reply]
http://forum.ait-pro.com/forums/topic/htaccess-files-for-multiple-website-domains/
Since you have a root domain site in your hosting account root folder, you will need to be aware of the scenarios above. As long as you have .htaccess files for each website and have rules/code for login page processing, each site will follow its own .htaccess file rules/code for login page processing. But if you removed rules/code from a subfolder/subdomain/addon site and the root .htaccess file still has rules/code that is doing something with login page processing, then the possibility exists that the root .htaccess rules/code will be applied to the subfolder/subdomain/addon sites below it in that parent/child folder relationship.
Example:
Let’s say that you are using this Brute Force Login attack protection code in your root website’s .htaccess file that is located in your hosting account root folder and you do not have any wp-login.php .htaccess code/rules in a subfolder site’s .htaccess file. This root .htaccess file code/rules will be applied to that subfolder site’s Login page since the subfolder site is a child folder of the parent site folder in this particular type of folder/hierarchical relationship. Both the root site and the subfolder site would use/follow this code/rule.

```apacheconf
# Protect wp-login.php from Brute Force Login Attacks based on IP Address
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your website domain name
Allow from example.com
# Add your website/Server IP Address
Allow from 69.200.95.1
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 65.100.50.
</FilesMatch>
```
So let’s now say that you want Brute Force Login protection on the root website, but do not want Brute Force Login protection on the subfolder site. This is how you would achieve that. In your subfolder site’s .htaccess file you would add the .htaccess code below, which allows everyone access to your subfolder site’s wp-login.php Login page. The subfolder/child site will follow its own wp-login.php .htaccess rule instead of following the root/parent site’s wp-login.php .htaccess rule.

```apacheconf
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
Allow from all
</FilesMatch>
```
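The parent/child behaviour described in this reply, simulated as an added example (not BPS code or part of the original thread): a small model of how Apache picks the most specific FilesMatch section for a request and then applies `Order Allow,Deny` to the client IP. It assumes the three folders from this thread (root, stockimagelibrary, myaddondomain), treats a trailing-dot address such as `65.100.50.` as an octet prefix, and leaves out the `Allow from example.com` hostname lookup.

```python
import re

# Constructed stand-in for the thread's .htaccess files: directory -> FilesMatch
# sections it declares (this dict layout is our own, not BPS's or Apache's).
# A directory without a matching section inherits from its parent, as Apache does.
HTACCESS = {
    "": [  # hosting-account root: the IP-based Brute Force code from the reply
        {"files": r"^(wp-login\.php)", "order": "Allow,Deny",
         "allow": ["69.200.95.1", "65.100.50."], "deny": []},
    ],
    "stockimagelibrary": [],          # no wp-login.php rule of its own
    "myaddondomain": [                # child override: everyone may reach wp-login.php
        {"files": r"^(wp-login\.php)", "order": "Allow,Deny",
         "allow": ["all"], "deny": []},
    ],
}

def ip_matches(pattern, client_ip):
    """'all' matches everyone; '65.100.50.' matches any client whose leading
    octets equal it (the 2/3-octet trick in the reply); otherwise exact match."""
    if pattern == "all":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern

def find_rule(path):
    """Walk from the request's folder up to the root and return the first
    section whose FilesMatch hits the file name: the child's section replaces
    the parent's rather than merging with it, which is why 'Allow from all'
    in the subfolder neutralises the root rule for that subfolder."""
    parts = path.lstrip("/").split("/")
    filename, dirs = parts[-1], parts[:-1]
    for depth in range(len(dirs), -1, -1):
        for rule in HTACCESS.get("/".join(dirs[:depth]), []):
            if re.search(rule["files"], filename):
                return rule
    return None

def evaluate(path, client_ip):
    """Return 'allowed' or 'denied' for a request to path from client_ip."""
    rule = find_rule(path)
    if rule is None:
        return "allowed"  # only wp-login.php is named, so other login pages are untouched
    allowed = any(ip_matches(p, client_ip) for p in rule["allow"])
    denied = any(ip_matches(p, client_ip) for p in rule["deny"])
    # Order Allow,Deny: deny by default, Allow lines first, a Deny match overrides
    return "allowed" if allowed and not denied else "denied"
```

Running `evaluate("/stockimagelibrary/login.php", "8.8.8.8")` returns "allowed" while `evaluate("/stockimagelibrary/wp-login.php", "8.8.8.8")` returns "denied", which is the inheritance the reply warns about.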
jenni101 (Participant)
Hi ait-pro admin – wow, that was a fast and full response! Thanks! I think I understand OK, and I’ve double checked that both my stock image library software and my addon domain are in their own separate folders and both have their own .htaccess files.
So far so good... so it looks like I can add the brute force login code to my root install WP site’s .htaccess file, then add the code you mentioned above to my stock image library .htaccess. I will try soon and post here if it causes a problem.
Just one query – you changed my post title to ‘Multi sites’, but I thought as I’d be running them separately this wouldn’t count as a multi site?
Cheers.
AITpro Admin (Keymaster)
Yep, this is a Post that I have been meaning to get around to creating for quite a while, so yeah, it covers the whole range of possibilities when dealing with multiple sites that require different code/security measures, and especially the case/scenario when you have a root website installed in the root of your hosting account. That scenario gets folks a bit lost and it throws me off from time to time during code testing as well, so it is good to have this all written up and officially posted finally.
I wanted to cover the scenario of having multiple websites installed under a hosting account since this can cause a lot of confusion for folks. I doubt most folks would use the search term “multiple” in a Forum search, but I definitely would so if someone asks a similar question then I can either merge that topic into this one or just post a link to this topic. 😉
jenni101 (Participant)
OK, thanks. Well, I’ve had a few reads of the various code options and am just getting more and more confused about which one to use...
I’ve checked in my .htaccess file, and it shows the ‘placeholder’ for the Brute Force Login code, but should I use the 1st, 2nd or the 3rd lot of code that’s on your info page http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/ ?
Thanks.
AITpro Admin (Keymaster)
There are actually only 2 main blocks of code. Either the general Server Protocol HTTP/1.0 code (blocks bots but allows anyone to log into your site) or the IP based Brute Force protection code (only allows you to log into your site). There are variations of those 2 blocks of code (you can combine them or use each separately) and an example variation for the case where someone is behind a Proxy.
You would add whichever Brute Force Protection code you want to use to BPS Custom Code and NOT directly in your .htaccess file. See the “How to add/use this Brute Force Login Protection Code on your website” help section.
I should probably organize that topic some more to make it more streamlined/clear. Maybe tomorrow if I have time.
jenni101 (Participant)
Thanks ait-pro admin. OK, I’ve re-read it about 10 times now, to ensure I don’t blow it, as I’ve had some bad experiences which have made me very nervous of these sorts of changes, even though I realise they really need to be done.
So I’ve tried the 2nd block of code (not the IP blocking one) as a first option, as this was the one displayed in my BPS Custom Code ‘suggestion code’ box! I’ll try accessing my image library logins/registration options later from another computer to see if it’s still OK...
jenni101 (Participant)
Just thought I’d let you know the outcome after adding the 2nd block of code to my BPS custom code (blocking bots) to my root install site .htaccess file – I can still log in to my stock image library site and register as a new user (as needed on this part of my site) – so all good. I also double checked with the image library software guy and he didn’t think we’d need to add the ‘allow’ code you mentioned into the image library .htaccess either – so all good!
In fact, when I really thought about it, the BPS brute force ‘disallow’ code shouldn’t affect any logins/registrations there as the image library has a different login prefix to WordPress, so it wouldn’t affect it anyway – is that correct?
Thanks again.
AITpro Admin (Keymaster)
Yes, you are correct. The code is specifically looking for the file name wp-login.php and will apply the security rules/conditions to only that file. In the bigger picture it is important to know about the hierarchical/recursive nature of .htaccess files, so that if a conflict does occur on a child site and the parent site has an .htaccess file, then you would want to look at that parent .htaccess file to see if any security rules/code in it could be affecting the child site.
jenni101 (Participant)
Many thanks again 🙂
jenni101 (Participant)
Just a quick Q – I’ve just done a new install of w/p in my subfolder for my addon domain (so = myrootdomain.com/myaddondomain.com) and just checked back to your original info above and noticed that you’d added an extra bit about adding in some code to EXCLUDE the rules from applying to my subfolder/domain (as I don’t want anyone else to log in to this one also).
So please can you confirm if I’m right in thinking that if I want to install BPS in my subfolder and for it to run on its own .htaccess rules and to be totally independent of the root installed site/rules, that I add the following code to my root install .htaccess file (via BPS of course) in the Brute Force login protection section:

```apacheconf
# Do not apply rules to other child websites &
# do not log errors for these child sites
RewriteRule ^myaddondomain.com/ - [L]
```
And then I can run them totally independently so they won’t mess up with each other and they’ll be all sorted if I want to move the myaddondomain.com somewhere else at a later date?
Many thanks 🙂
AITpro Admin (Keymaster)
I will be creating a new topic from the info I posted in this topic so that the topic title is better for searchability and will then just add a link to that new topic. To answer your question, you would do the steps in this forum topic link to add the RewriteRule for the subfolder site: http://forum.ait-pro.com/forums/topic/custom-applications-outside-of-wordpress-3rd-party-apps/