Protect Login Page from Brute Force Login Attacks
Tagged: Bonus Custom Code, Brute Force Login Attacks, Protect Login page, WordPress Brute Force Attacks
This topic has 163 replies, 30 voices, and was last updated 4 years, 11 months ago by eveli.

AITpro Admin (Keymaster):
You can post it in the Forum here. Copy and paste the entire contents of your root .htaccess file from the BPS htaccess File Editor page >>> “Your Current root htaccess file” tab window. Do not copy it from anywhere else so that I know it is actually your currently active root .htaccess file and not the secure.htaccess master file or another htaccess file besides your actual root .htaccess file.
bill (Participant):
Deleted the rest of your root .htaccess file code since I just wanted to see if there was some other code that was interfering with this code.

# CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
# Protect wp-login.php from Brute Force Login Attacks
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your website domain name
Allow from mywebsite.com
# Add your website/Server IP Address
Allow from 226.132.811.1
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 217.11.91.489
</FilesMatch>
AITpro Admin (Keymaster):
You’re using a full IP Address (4 octets xx.xx.xx.xx) instead of 3 octets xx.xx.xx., but other than that I do not see any problems. The code should be working. Not really sure why it is not working, to tell you the truth???
bill (Participant):
Yes, both my personal and server IP addresses have 4 octets.
But, I thought it was very strange too, because your instructions were detailed and to the point… I’m stumped. If something comes to mind please let me know (I will be checking this thread periodically/often for updates/chime ins). But in the meanwhile, with login security enabled –although it still allows gibberish login entries/attempts (as described above; still unsure why)– I should still be ok (protected from Brute Force Logins and everything else)?
AITpro Admin (Keymaster):
BPS Pro Login Security only checks valid user accounts.
Example:
Entering a valid/existing user account will be checked for the correct password for that user account. Checking a blank entry or an invalid user account is not necessary and BPS does not do this since the only way someone could login to your website is if they entered a valid user account and a valid password.
If you would like for me to figure out why the code is not working on your website then create a temporary WordPress Admin login account and send it directly to edward [at] ait-pro [dot] com.
You would only use all 4 octets of your IP address IF you have purchased a static IP address from your ISP. IP addresses are automatically assigned to your computer (public IP address) by your ISP using a DHCP Server. IP addresses typically only last around 48 hours and then you will be assigned a different IP address. What will stay the same is the first 2 or 3 octets of your IP address, but the 4th octet will change repeatedly/continuously/forever.

# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
AITpro Admin (Keymaster):
I received the login information to your website you sent via email and I cannot login to your website because the code is already working. So this means that however you are testing the code you must be using your IP address that is allowed, which would mean you would see your Login page. In order to test the code you need to use a Proxy so that your IP address is different. You will then see a 403 Forbidden error like I see when I try to access your Login page / wp-login.php.
bill (Participant):
You’re absolutely right… It’s clearly working. Somehow my phone and computer are “one” in a sense. I’ll go to a nearby Kinko’s to check on my side. Thank you so very much for your time. I sincerely appreciate it.
Edit: Just returned back from Kinko’s and 403 forbidden came up for ea. site’s wp login page. Awesome. Simply awesome…. Thanks!
AITpro Admin (Keymaster):
Yep, pretty cool huh? Keep in mind that no one but you can log into your website. Also if you do NOT have a static IP address then you should change the 4 octet IP address to a 3 octet IP address, otherwise when your IP address changes you will NOT be able to log into your website unless you either edit your root .htaccess file or delete it with FTP.
On some websites we use the code to ONLY allow AITpro staff to log into those sites and on other sites we are using the other Brute Force Login protection code that does allow other public registrations and logins.
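To make the octet advice above concrete, here is an added Python model (not code from the thread or from BPS) of how Apache's `Order Allow,Deny` block with only `Allow from` lines decides a request: a partial entry such as `65.100.50.` matches by leading octets, a 4-octet entry matches one host only, and the `lockout_after_renewal` helper shows the lockout a DHCP address change causes. The `Allow from mywebsite.com` hostname line is not modelled because it depends on reverse DNS; all addresses are constructed from the thread's 65.100.50.x examples.

```python
import ipaddress


def parse_allow_entry(entry: str) -> list:
    """Turn an 'Allow from' value such as '65.100.50.' or '65.100.50.1'
    into its leading octets. The trailing dot of the thread's 2- and
    3-octet form is stripped; any octet above 255 is rejected."""
    parts = entry.strip().rstrip(".").split(".")
    if not all(p.isdigit() for p in parts):
        # Hostname entries (e.g. a domain) need DNS and are not modelled here.
        raise ValueError("hostname entry not modelled: %r" % entry)
    octets = [int(p) for p in parts]
    if not 1 <= len(octets) <= 4 or any(o > 255 for o in octets):
        raise ValueError("invalid Allow entry: %r" % entry)
    return octets


def allowed(client_ip: str, allow_entries: list) -> bool:
    """Model 'Order Allow,Deny' with only Allow lines, as in the thread's
    <FilesMatch> block: the request is admitted only if at least one
    entry matches the leading octets of the client address; anything
    else gets the 403 Forbidden the thread describes."""
    ipaddress.IPv4Address(client_ip)  # raises on a malformed address
    client = [int(p) for p in client_ip.split(".")]
    prefixes = [parse_allow_entry(e) for e in allow_entries]
    return any(client[:len(prefix)] == prefix for prefix in prefixes)


def lockout_after_renewal(old_ip: str, new_ip: str, entry: str) -> bool:
    """True when the address you had is allowed but the one DHCP handed
    you afterwards is not: the lockout a 4-octet entry can cause."""
    return allowed(old_ip, [entry]) and not allowed(new_ip, [entry])


if __name__ == "__main__":
    # Constructed addresses built on the 65.100.50.x examples in the thread.
    print(allowed("65.100.50.77", ["65.100.50."]))   # True: same /24
    print(allowed("65.100.50.77", ["65.100.50.1"]))  # False: exact-host entry
    print(lockout_after_renewal("65.100.50.1", "65.100.50.2", "65.100.50.1"))
```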
AITpro Admin (Keymaster):
UPDATE/CORRECTION:
This Brute Force Login Protection code below is STILL VERY EFFECTIVE. What is happening is that the primary attacks from the original sources are still using Server Protocol HTTP/1.0, but now there are many victim websites that have been hacked that are also involved in the attacks. These victim sites are using Server Protocol HTTP/1.1 in automated Brute Force Login attacks. The important thing to note is that the ratio of the original source attacks vs the victim site attacks is 1,000 to 1 meaning that the vast majority of Brute Force Login attacks are still being done using Server Protocol HTTP/1.0, which means this code below is still very effective. Over time the victim site numbers will decrease as these hacked sites are either removed from the Internet or cleaned up/dehacked/fixed/restored.
# Protect wp-login.php from Brute Force Login Attacks based on Server Protocol
# All legitimate humans and bots should be using Server Protocol HTTP/1.1
RewriteCond %{REQUEST_URI} ^/wp-login\.php$
RewriteCond %{THE_REQUEST} HTTP/1\.0
RewriteRule ^(.*)$ - [F,L]
DISREGARD: After further investigation/research it has been found that the minority of Brute Force Login attacks using Server Protocol HTTP/1.1 are victim websites that have been hacked.
We are now seeing attacks using Server Protocol HTTP/1.1. I assume the Server Protocol is being faked since the Hostnames are also being faked. So the Brute Force Login protection code based on Server Protocol 1.0 is probably not that effective anymore. This is just how it goes – it is a chess game. There are over 90,000 IP Addresses being used so blocking by IP address is not an option.
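To see what the Server Protocol rule above actually catches, here is an added Python example (not from the thread or BPS) that applies the same two conditions to constructed combined-format access-log lines and tallies login POSTs by protocol version, the ratio the post reasons about. The log lines and addresses are constructed for the example; the only assumption about the rule is that REQUEST_URI excludes the query string and THE_REQUEST is the raw request line, which is how Apache defines them.

```python
import re
from collections import Counter

# Constructed combined-format log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.0" 200 1234 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2013:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Apr/2013:10:00:05 +0000] "GET /index.php HTTP/1.0" 200 5000 "-" "curl/7.29"
"""

REQUEST_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                          r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)"')


def parse(line):
    """Pull client IP, method, URI and protocol out of one log line."""
    m = REQUEST_LINE.match(line)
    return m.groupdict() if m else None


def would_block(line):
    """Apply the two RewriteCond checks from the post: the URI (without
    query string, as REQUEST_URI has none) is exactly /wp-login.php and
    the request line carries HTTP/1.0. Both must hold for [F] to fire."""
    r = parse(line)
    if r is None:
        return False
    return r["uri"].split("?")[0] == "/wp-login.php" and r["proto"] == "HTTP/1.0"


def login_posts_by_protocol(log_text):
    """Count POSTs to wp-login.php per protocol version. A client that
    simply sends HTTP/1.1 is never blocked, which is why the post treats
    this check as a weak signal once attackers change the version."""
    counts = Counter()
    for line in log_text.splitlines():
        r = parse(line)
        if r and r["method"] == "POST" and r["uri"].split("?")[0] == "/wp-login.php":
            counts[r["proto"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(login_posts_by_protocol(SAMPLE_LOG))                   # {'HTTP/1.0': 2, 'HTTP/1.1': 1}
    print(sum(would_block(l) for l in SAMPLE_LOG.splitlines()))  # 2
```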
bill (Participant):
Does this apply to both codes you provided in this thread or just this one…

# Protect wp-login.php from Brute Force Login Attacks based on Server Protocol
# All legitimate humans and bots should be using Server Protocol HTTP/1.1
RewriteCond %{REQUEST_URI} ^/wp-login\.php$
RewriteCond %{THE_REQUEST} HTTP/1\.0
RewriteRule ^(.*)$ - [F,L]
AITpro Admin (Keymaster):
The code you posted is the ONLY code that contains the HTTP/1.0 Server Protocol conditional check. The other code works by ONLY allowing by IP address and does NOT contain the conditional check.
bill (Participant):
Ok, so if I’m understanding you correctly, the code that I am implementing now is the one that’s not effective anymore (due to the newer developments you noted above)… This one:

# CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
# Protect wp-login.php from Brute Force Login Attacks
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your website domain name
Allow from mywebsite.com
# Add your website/Server IP Address
Allow from 226.132.811.1
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 217.11.91.489
</FilesMatch>
AITpro Admin (Keymaster):
Nope, you have that backwards. The code you are using now has nothing at all to do with checking the Server Protocol and it is 100% effective now and forever.
bill (Participant):
Got it. (smiling uncontrollably right now)