Tagged: Bonus Custom Code, Brute Force Login Attacks, Protect Login page, WordPress Brute Force Attacks
This topic has 163 replies, 30 voices, and was last updated 4 years, 11 months ago by eveli.
Nik (Participant):
[Topic has been merged into this relevant Topic]
Hello AITpro Admin, access to the WP Administrator Login is denied due to an IP address change.
I added the new IP address to the htaccess (Protect wp-login.php from Brute Force Login Attacks and Block/Forbid Referer Spammers/Referer Phishing) using the cPanel File Manager. Access is still denied.
Any suggestion to resolve the issue is appreciated.
Thanks,
Nik
AITpro Admin (Keymaster):
@ Nik – Most likely AutoRestore|Quarantine autorestored the root htaccess file. Do these steps to get back into your site.
1. Delete this file first: /wp-content/bps-backup/autorestore/root-files/auto_.htaccess
2. Delete your Root htaccess file.
3. Log in to your site.
4. Go to BPS Custom Code, change/edit your IP address in your Brute Force Login protection code and save your changes.
5. Activate Root folder BulletProof Mode.
Nik (Participant):
Thanks for your prompt reply, AITpro Admin. I followed steps 1 & 2.
1. Delete this file first: /wp-content/bps-backup/autorestore/root-files/auto_.htaccess
2. Delete your Root htaccess file.
Login access to the site is still denied. 403 Forbidden Error Page.
Any other suggestion is appreciated.
Thanks,
Nik
AITpro Admin (Keymaster):
@ Nik – Did you lock your backend using Maintenance Mode? If so, delete your BPS wp-admin htaccess file. If you delete your BPS root or wp-admin files and you are still seeing a 403 then either another plugin you have installed is causing the 403 error or, more likely, your web host is blocking your IP address and you will need to contact them to unblock your IP address.
Nik (Participant):
Thanks for your quick reply, AITpro Admin. No, I didn’t lock my backend using Maintenance Mode.
After many unsuccessful attempts, I renamed the bps plugin, replaced the root .htaccess with the basic WP .htaccess code, went to /wp-content/bps-backup, and renamed bps-backup to bps-backup.bk.
It worked! I managed to log in to the site, deleted the BPS plugin and re-installed it, ran the setup again, and updated the custom code boxes with the new IP address.
Cheers,
Nik
Josh (Participant):
Hello,
Can’t tell how impressed we are with your plugin. Absolute masterpiece imo!!! Documentation at your fingertips, every step of the way. It’s honestly been a great user experience. Thanks so much with how you’ve chosen to license BPS as well. Great work. Very well polished at every step. We’re moving from Joomla to WordPress, so we’re learning on the fly.
Couple Questions:
We’re looking to implement your login query string code below. My question is, our site is using https, so am I correct in assuming that I replace https everywhere I see http used? As well, I’m assuming I replace ‘example.com’ with our actual domain name, correct?
Curiosity question. We always use wp-admin in the url to login. Is your code protecting both wp-login and wp-admin in the url? Little confused about the differences. They seem to lead to the same place. But then again we only have one administrator user setup accessing the site now.
Thanks for your time. Much appreciated. Keep up the great work.
Josh
// Simple Query String Login page protection
function example_simple_query_string_protection_for_login_page() {
    $QS = '?mySecretString=foobar';
    $theRequest = 'http://' . $_SERVER['HTTP_HOST'] . '/' . 'wp-login.php' . '?' . $_SERVER['QUERY_STRING'];
    $allowed_hosts = array( 'example.com' );
    // Reject requests whose Host header is not one of ours
    if ( ! isset( $_SERVER['HTTP_HOST'] ) || ! in_array( $_SERVER['HTTP_HOST'], $allowed_hosts ) ) {
        header( $_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request' );
        exit;
    }
    if ( site_url( '/wp-login.php' . $QS ) == $theRequest ) {
        echo 'Query string matches';
    } else {
        header( 'Location: http://' . $_SERVER['HTTP_HOST'] . '/' );
        exit; // stop rendering the login form once the redirect header is sent
    }
}
add_action( 'login_head', 'example_simple_query_string_protection_for_login_page' );
AITpro Admin (Keymaster):
@ Josh – Thank you for the awesome Kudos! Very much appreciated. Use this code below instead. By default WP will redirect you to the WP Login page when you try to access the example.com/wp-admin/ URL if you are not logged in to a website. If you have changed that default WP behavior then you will need to add another condition for the /wp-admin URI.
## Hide Login page and wp-admin URI: Force login using only this URI and Query String: http://www.example.com/wp-login.php?mySecretString=foobar
## This function goes in your Theme's functions.php file somewhere near the bottom of your Theme's functions.php file.
## You can change the Query String value to whatever you would like to use instead.
## If your site is using https then change the $theRequest variable and the header Location value to https.
function hide_login_page_query_string_login() {
    $QS = '?mySecretString=foobar';
    $theRequest = 'http://' . esc_html( $_SERVER['HTTP_HOST'] ) . '/' . 'wp-login.php' . '?' . esc_html( $_SERVER['QUERY_STRING'] );
    if ( site_url( '/wp-login.php' . $QS ) == $theRequest ) {
        // comment this out after testing is completed
        echo 'Testing: Query string matches';
    } else {
        header( 'Location: http://' . esc_html( $_SERVER['HTTP_HOST'] ) . '/' );
        exit; // stop rendering the login form once the redirect header is sent
    }
}
add_action( 'login_head', 'hide_login_page_query_string_login' );
Josh (Participant):
Hi,
Thanks for the reply.
I’m very confused now. I’m basically being redirected back to the home page.
Here’s what the code looks like and the url I’m using to TRY and get to the login page.
function hide_login_page_query_string_login() {
    $QS = 'sws-my10ftadmin';
    $theRequest = 'https://' . esc_html( $_SERVER['HTTP_HOST'] ) . '/' . 'wp-login.php' . '?' . esc_html( $_SERVER['QUERY_STRING'] );
    if ( site_url( '/wp-login.php' . $QS ) == $theRequest ) {
        // comment this out after testing is completed
        echo 'Testing: Query string matches';
    } else {
        header( 'Location: https://' . esc_html( $_SERVER['HTTP_HOST'] ) . '/' );
    }
}
add_action( 'login_head', 'hide_login_page_query_string_login' );
I saved the above code to the bottom of my child theme’s functions.php file. I know this file is working because I only have two other functions defined and they’re working.
And here’s an example of the url I’m using to access the login page:
https://example.com/wp-login.php?sws-my10ftadmin
I’m redirected to my home page
https://example.com
I don’t understand what I’m doing wrong.
AITpro Admin (Keymaster):
@ Josh – You are missing the “?” question mark that denotes a Query String. You do not have Query String Key value pairs either. The question mark means this is a Query String and start processing Query String Key value pairs after denoting a Query String. Also a hyphen or dash is not allowed in Query String Key value pairs or PHP variables. You would need to use a valid character instead, which is an underscore _. Example:
$QS = '?sws_my10ftadmin=fubar';
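A hardened variant of the query-string login gate discussed in the replies above, added here as an example; it is not code from this thread or from BPS Pro. It assumes it is pasted into a theme's functions.php, that the key/value pair sws_my10ftadmin=fubar is a placeholder, and that WordPress core's login_init hook, wp_safe_redirect(), home_url(), is_ssl(), is_user_logged_in(), AUTH_KEY, COOKIEPATH and COOKIE_DOMAIN are available. Unlike the thread's function it hooks login_init rather than login_head, parses the query string instead of comparing full URLs, and remembers a passed gate in a short-lived cookie so the form POST that follows is covered too.

```php
// Added example, not code from this thread or from BPS Pro. Assumed: pasted into a
// theme's functions.php; the key/value below are constructed placeholders; WordPress
// core provides login_init, wp_safe_redirect(), home_url(), is_ssl(), AUTH_KEY,
// COOKIEPATH and COOKIE_DOMAIN.
define( 'EXAMPLE_LOGIN_QS_KEY',   'sws_my10ftadmin' );    // change before use
define( 'EXAMPLE_LOGIN_QS_VALUE', 'fubar' );              // change before use
define( 'EXAMPLE_LOGIN_COOKIE',   'example_login_gate' );

// Pure check on the raw query string, e.g. "sws_my10ftadmin=fubar". Note that
// $_SERVER['QUERY_STRING'] never contains the leading "?", which is why building
// a full URL and comparing it with site_url() is easy to get wrong.
function example_login_query_string_matches( $query_string ) {
    parse_str( (string) $query_string, $params );
    if ( ! isset( $params[ EXAMPLE_LOGIN_QS_KEY ] ) || ! is_string( $params[ EXAMPLE_LOGIN_QS_KEY ] ) ) {
        return false;
    }
    // Constant-time comparison so the value cannot be probed byte by byte.
    return hash_equals( EXAMPLE_LOGIN_QS_VALUE, $params[ EXAMPLE_LOGIN_QS_KEY ] );
}

// Cookie value: an HMAC of the secret under the site's AUTH_KEY, so the cookie
// never carries the secret itself and cannot be forged without AUTH_KEY.
function example_login_gate_token() {
    return hash_hmac( 'sha256', EXAMPLE_LOGIN_QS_KEY . '=' . EXAMPLE_LOGIN_QS_VALUE, AUTH_KEY );
}

// login_init fires at the top of wp-login.php before any output, so the redirect
// header can still be sent (login_head fires inside <head>, after output began).
function example_gate_login_page() {
    if ( is_user_logged_in() ) {
        return; // logout and reauth by an existing session are not gated
    }
    $qs = isset( $_SERVER['QUERY_STRING'] ) ? $_SERVER['QUERY_STRING'] : '';
    if ( example_login_query_string_matches( $qs ) ) {
        // Correct secret on the GET: remember it for the form POST that follows,
        // because WordPress builds the form action URL without our query string.
        setcookie( EXAMPLE_LOGIN_COOKIE, example_login_gate_token(), time() + 600,
                   COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
        return;
    }
    if ( isset( $_COOKIE[ EXAMPLE_LOGIN_COOKIE ] )
         && hash_equals( example_login_gate_token(), (string) $_COOKIE[ EXAMPLE_LOGIN_COOKIE ] ) ) {
        return; // form POST or refresh from a browser that already passed the gate
    }
    // Everything else, including scripted POSTs straight to wp-login.php, goes home.
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
add_action( 'login_init', 'example_gate_login_page' );
```

The gate hides the form from scanners but is not a substitute for the Login Security attempt limit discussed further down, since anyone who obtains the secret can still attempt logins.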
Josh (Participant):
I saw your reply about simply adding the missing ?.
Saved my changes and was able to get to the login page and logged in without issue. Weird that this was allowed, according to your latest reply. ;-p
Ok… changed my query string to be ‘?sws_my10ftadmin=fubar’. This works and I’m seeing the string “Testing: Query string matches” being echoed out as well. Thanks.
IMO, this seems like a very simple solution to thwarting scripts/hackers doing what they do on WP’s login forms as they need to get to them first. So this seems to nip that in the bud with just a few lines of code. Awesome 😀
Question as it relates to the query string code. I have the following set in BPS Pro.
BPS Pro > Login Security > Login Security & Monitoring tab > Max Login Attempts = 3
Does the login security code get triggered in any way by people/scripts attempting to hit WP’s default login pages?
Thanks again.
AITpro Admin (Keymaster):
@ Josh – Login Security login attempts only count if someone has entered a valid username. Just accessing the Login page would not count as a login attempt and entering an invalid username would also not count as a login attempt.
Josh (Participant):
Thanks for the confirmation and help. Much appreciated. Have a great weekend.
David Versteeg (Participant):
All of a sudden I am locked out of the admin section by the brute force login protection. On the 403 page my IPv6 address is listed; in the bonus code my IPv4 address is whitelisted. Is it possible my hosting provider changed the setup and BPS does not recognize IPv6 addresses? I did not change the setup, and my IPv4 address is still the same. Any suggestion on how to handle this?
AITpro Admin (Keymaster):
David Versteeg – I don’t recommend using IP based security protection unless you have a static IP address thing with your particular ISP. Normally IP Addresses are automatically changed every X number of days by your ISP (Internet Service Provider). Web hosts may change IP addresses for your particular site/server from time to time, but very, very rarely (i.e. maybe once in 3-8 years). The more technical end of that answer would be DHCP kind of stuff. Bottom line: you do not really need additional IP based security protection with BPS or BPS Pro – it actually causes unnecessary issues/problems.
David Versteeg (Participant):
I do have a static IP – as I mentioned, I already checked whether I had been assigned a new IP address, which happens every few years. This was not the case. I have never had issues with the login protection (in use since 2013) and am quite happy with it – until today, that is.