Home › Forums › BulletProof Security Pro › Protect Login Page from Brute Force Login Attacks
Tagged: Bonus Custom Code, Brute Force Login Attacks, Protect Login page, WordPress Brute Force Attacks
- This topic has 163 replies, 30 voices, and was last updated 5 years, 1 month ago by eveli.
-
AuthorPosts
-
AITpro AdminKeymaster
David Versteeg – So the simplest solution would be to manually delete your root and wp-admin htaccess files using FTP.
1. Delete your root and wp-admin htaccess files using FTP.
2. Login to your site.
3. Go to BPS Custom Code, delete your IP based security custom code.
4. Save your custom code changes and activate Root and wp-admin BulletProof Modes.David VersteegParticipantOr, alternatively, simply add the following line to the code:
Allow from [put your IPv6 address here]
Works like a charm. While it is possible for IPv4 addresses to leave the last octet(s) blank, this does not seem to work for the IPv6 address. But this does not really matter for a static IP address, anyway.
AITpro AdminKeymasterDavid Versteeg – Glad you figured out something that works. 😉
webstarParticipantI happened to be reading this thread and noticed this part:
https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/#post-7269
Is that code still good? I’m just asking because it was back in 2013.
AITpro AdminKeymaster@ webstar – Yep, that Server Protocol code still works, but be warned that it can cause problems for Proxy/Load Balancer servers and Proxy/VPN Browsers that use the old outdated HTTP/1.0 Protocol.
JensParticipantGood morning,
I blocked wp-admin for those who use Server Protocol HTTP/1.0 or a blank User Agent.
Today I found that in apache access log:
113.226.102.176 – – [22/Sep/2019:04:17:40 +0200] “GET / HTTP/1.0” 301 617 “-” “-”
113.226.102.176 – – [22/Sep/2019:04:18:03 +0200] “GET / HTTP/1.0” 301 617 “-” “-”
207.180.232.44 – – [22/Sep/2019:06:49:37 +0200] “GET / HTTP/1.0” 400 0 “-” “-”
207.180.232.44 – – [22/Sep/2019:06:49:38 +0200] “GET / HTTP/1.0” 400 0 “-” “-”
207.180.232.44 – – [22/Sep/2019:06:49:39 +0200] “GET / HTTP/1.0” 301 4252 “-” “-”
207.180.232.44 – – [22/Sep/2019:06:49:39 +0200] “GET / HTTP/1.0” 200 22863 “-” “-”
207.180.232.44 – – [22/Sep/2019:06:49:39 +0200] “GET / HTTP/1.0” 301 4252 “-” “-”
207.180.232.44 – – [22/Sep/2019:06:49:40 +0200] “GET / HTTP/1.0” 200 22863 “-” “-”Should I be scared? Is it possible to completely block access to the server for http 1.0 or is it not useful?
Thanks, JensAITpro AdminKeymasterThe Server Protocol HTTP/1.0 and/or blank User Agent code is intended to block Bots on your WordPress Login page. The logic is that Bots target WordPress login pages to attempt auto-registration, auto-logins and auto-posting. Since the wp-admin backend area is protected by Login authentication then if someone or a Bot is not logged into your website then they or it cannot access your wp-admin backend area.
I don’t recommend using the Server Protocol HTTP/1.0 and/or blank User Agent code and modifying it to block Server Protocol HTTP/1.0 and/or blank User Agents for your entire website because some Browser Proxies and VPNs may still use the old HTTP/1.0 Server Protocol and you would end up blocking normal visitor traffic to your website.
JensParticipantThanks for your fast answer!
I have got so much requests of 1.Get wp_login, 2. Post wp_login 3. POST /xmlrpc.php distributed within 2 seconds throughout the day that I decided to use htpasswd, I hope that helps…Have a nice day, Jens
AITpro AdminKeymasterYep, some days this site gets attacked by Bots on the Login page at a rate of 100 Requests per second = 6,000 Requests per minute = 360,000 Requests per hour = 8,640,000 per day and the attack can last for 1-4 days. Luckily the way BPS handles these Bot attacks the site performance is not affected at all. In other words, while massive Brute Force Bot attacks are occurring there is no noticeable website performance difference at all.
eveliParticipantHello,
I am planning to add the code to protect login page from Brute Force Login Attacks and I have several questions.
1. If I am using the IP Address based code then I do not need to add the Server Protocol code? Or is it better to use both?
2. I am using Cloudflare. As I understand, in order for this code and Cloudflare to work, I need to whitelist X-Forwarded-For client IP address assigned by CloudFlare. Where can I see that IP address? When I look at BPS System info page, the Proxy X-Forwarded-For IP Address matches the IP address assigned from my ISP provider and I don’t see any additional proxy IP addresses. Is there a problem?
3. If the website is going to be an ecommerce store where users could log in, does this code that protects login page by IP prevents them to login?
4. As I understand this Custom code suggested by BPS limits access to wp-login.php?. What is the difference for using this code or using the code to limit acces to wp-admin by IP? For instance if I created a .htaccess file in wp-admin directory and used the following code:# Block access to wp-admin order deny,allow deny from all allow from x.x.x.x
or this code:
<Limit GET POST PUT> order deny,allow deny from all allow from x.x.x.x </Limit>
?
AITpro AdminKeymasterSince you have a website where other people need to be able to register, login and access wp-admin then you do not want to use either the IP address protection on your login page or block access to your wp-admin area and wp-admin files such as /wp-admin/admin-ajax.php. BPS LSM and JTC are enough protection for login security, brute force attacks, spambots, hackerbots, etc.
eveliParticipantNo, other users don’t need to access wp-admin. I would like to limit login to WordPress for others except myself. So what about these other questions? Could you please recommend?
1. If I am using the IP Address based code then I do not need to add the Server Protocol code? Or is it better to use both?
2. I am using Cloudflare. As I understand, in order for this code and Cloudflare to work, I need to whitelist X-Forwarded-For client IP address assigned by CloudFlare. Where can I see that IP address? When I look at BPS System info page, the Proxy X-Forwarded-For IP Address matches the IP address assigned from my ISP provider and I don’t see any additional proxy IP addresses. Is there a problem?
3. As I understand this Custom code suggested by BPS limits access to wp-login.php?. What is the difference for using this code or using the code to limit acces to wp-admin by IP? For instance if I created a .htaccess file in wp-admin directory and used the following code:# Block access to wp-admin order deny,allow deny from all allow from x.x.x.x or this code: <Limit GET POST PUT> order deny,allow deny from all allow from x.x.x.x </Limit>
AITpro AdminKeymaster1. You can use both the IP Address code and the Server Protocol code together. They are not a “one or the other” thing. They are different things.
2. You would whitelist your IP address and if the Proxy IP address is the same IP address (depends on how your Proxy server is configured) as your IP address then you would not need to add the Proxy IP address too.
3. The Login IP address code only allows your IP address to access wp-login.php, which means that since no one else can login to your website except you then your wp-admin would also be protected and only you could login to your wp-admin area. If you restrict your /wp-admin/ URI and you have plugins or themes that use /wp-admin/admin-ajax.php to do stuff then those plugins or your theme will not work correctly.You can try whatever you would like to try, but if there is a problem then change whatever needs to be changed.
eveliParticipantThanks!
-
AuthorPosts
- You must be logged in to reply to this topic.