Protect Login Page from Brute Force Login Attacks (BulletProof Security Pro forum)
Tagged: Bonus Custom Code, Brute Force Login Attacks, Protect Login page, WordPress Brute Force Attacks
This topic has 163 replies, 30 voices, and was last updated 4 years, 6 months ago by eveli.
bill (Participant)
Sorry for delay… didn’t receive the email notification when you posted… I’m using this added code:
# CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
# Protect wp-login.php from Brute Force Login Attacks
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your website domain name
Allow from mywebsite.com
# Add your website/Server IP Address
Allow from 226.132.811.1
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 217.11.91.489
</FilesMatch>
AITpro Admin (Keymaster)
Is her IP Address whitelisted? Also, the only time you would use all 4 octets of an IP address is when you have a static IP address that you paid for from your ISP. IP addresses are dynamically assigned by your ISP using DHCP, and the last octet of your IP address will change frequently. If your IP address always starts out with 217.11.91. but the last octet changes frequently, which is typical/normal, then that is why you would use 3 octets of your IP address and not 4 octets.
Example:
today your IP address assigned by your ISP is 217.11.91.489 (obviously 489 is not a real ip address because the range only goes up to 256)
tomorrow your IP address is 217.11.91.100
the next day your IP address is 217.11.91.150
What remains constant/the same/does not change is the first 3 octets of your IP address: 217.11.91.
If your ISP changes the 3rd octet regularly then you would have to use 2 octets: 217.11. and not 3 octets.
If you are allowing other people to log into your websites then you either have to add their IP addresses (3 octets, not 4) or you should not use this Brute Force Login protection code and instead use the other Brute Force Login protection code that is not based on IP addresses.
bill (Participant)
That’s the thing, I’m not permitting access to the login page for anyone (ever, actually) besides myself. This is simply a regular password protected page on one of my websites [link removed]. Please delete link after testing. Once you enter the code, the forbidden error page displays.
AITpro Admin (Keymaster)
The password protected Form links to your wp-login.php login page to process the “key code”. Unless you have/create a separate login page, the standard WordPress login page will be used in Forms. When you log into a website you are submitting a POST Form that contains a username/password combination, or in this case a “key code”, to check if a match exists in your user database table.
This is the actual source code of the page for the link with the Key Code Form on it that you posted. I also changed your domain name in the Form processing code below to example.com.
<form action="http://example.com/wp-login.php?action=postpass" method="post">
bill (Participant)
Awesome analysis breakdown (as usual) so I can “play/follow along” too…. So, do I need to enter the code you’ve provided above some place?
AITpro Admin (Keymaster)
Since this Form is being processed by the standard WordPress Login page, wp-login.php, your options are either you add additional IP addresses to the IP Based Brute Force Login protection code or you switch to the other non-IP based Brute Force Login protection code. Another option, which would require additional coding work and template work, would be to create another login page, but this is not recommended unless you really know what you are doing. 😉
bill (Participant)
Oh, now I fully understand. I actually love the concept of the code currently in play, so I’ll just remove the code requirements per page. 🙂 Don’t want to mess nothing up LoL!
Albert (Participant)
I have a question regarding this code. When I click the lost password/forgot password link in the login form it directs me to the homepage. How can I override the forgot password (www.example.com/wp-login.php?action=lostpassword) url using this code?
// Simple Query String Login page protection
function example_simple_query_string_protection_for_login_page() {
    $QS = '?mySecretString=foobar';
    // Rebuild the URL that was actually requested, including its query string
    $theRequest = 'http://' . $_SERVER['SERVER_NAME'] . '/' . 'wp-login.php' . '?' . $_SERVER['QUERY_STRING'];
    // these are for testing
    // echo $theRequest . '<br>';
    // echo site_url('/wp-login.php').$QS.'<br>';
    if ( site_url('/wp-login.php').$QS == $theRequest ) {
        echo 'Query string matches';
    } else {
        header( 'Location: http://' . $_SERVER['SERVER_NAME'] . '/' );
        exit; // stop rendering the login page once the redirect has been sent
    }
}
add_action('login_head', 'example_simple_query_string_protection_for_login_page');
AITpro Admin (Keymaster)
If you have BPS installed you can remove the Password Reset Link and Disable Password Reset by choosing Disable Password Reset. For a full description of all BPS Login Security features and options click on the Blue Read Me help button on the Login Security page. If you do not have BPS installed then you will find the code to remove the Password Reset link and Disable Password Reset capability in this file: /bulletproof-security/includes/login-security.php at the bottom of the file.
Vinod Kumar (Participant)
Thank you! Very useful information and nice plugin.
Brian (Participant)
If I’m understanding this correctly, this code prevents attackers from finding your login page, even if you’ve renamed it?
AITpro Admin (Keymaster)
I assume you are talking about the Simple Query String Login page protection code? If you have renamed the wp-login.php filename then in order to use this code you would have to use/change the name of the filename to whatever you have changed the filename to. But if you have renamed the wp-login.php filename then you probably do not need to use this code any way.
Greg (Participant)
What’s the best way to protect my site? I have 2 membership sites and use optimizepress members and s2 member.
Thanks kindly in advance!
AITpro Admin (Keymaster)
S2 Member already handles Login processing, so you would turn Off BPS or BPS Pro Login Security. I am not sure if S2 Member already comes with a CAPTCHA option, so you may or may not be able to use JTC Anti-Spam / Anti-Hacker if you have BPS Pro, and would also turn it off.
The Brute Force Login page code that you can use that will not conflict with S2 Member or visitor logins/registration to your site would be the Server Protocol & blank user agent code. See the beginning of this Forum Topic for instructions on how to add this code to BPS Custom Code.
# BRUTE FORCE LOGIN PAGE PROTECTION
# Protects the Login page from SpamBots & Proxies
# that use Server Protocol HTTP/1.0 or a blank User Agent
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ - [F,L]
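To see what the two .htaccess snippets in this thread (the IP-whitelist FilesMatch block earlier and the blank-User-Agent/HTTP/1.0 rewrite block above) actually let through, here is an added Python emulation, not code from the thread or from BPS, that applies both rules to a few constructed requests. It assumes Apache's partial "Allow from" semantics (1 to 3 leading octets define a subnet, 4 octets one exact address, a trailing dot tolerated) and does not emulate hostname entries, which Apache resolves via DNS.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample requests (not real traffic); "uri" is the path only,
# which is what Apache exposes in REQUEST_URI (the query string is separate).
SAMPLE_REQUESTS = [
    {"ip": "217.11.91.100", "ua": "Mozilla/5.0", "proto": "HTTP/1.1", "uri": "/wp-login.php"},
    {"ip": "203.0.113.7",   "ua": "Mozilla/5.0", "proto": "HTTP/1.1", "uri": "/wp-login.php"},
    {"ip": "217.11.91.150", "ua": "",            "proto": "HTTP/1.1", "uri": "/wp-login.php"},
    {"ip": "217.11.91.150", "ua": "curl/7.0",    "proto": "HTTP/1.0", "uri": "/wp-login.php"},
    {"ip": "198.51.100.5",  "ua": "",            "proto": "HTTP/1.0", "uri": "/index.php"},
]

def allow_from_matches(ip, entry):
    """Emulate one Apache 'Allow from' entry (assumption: partial-IP semantics).
    1-3 octets = leading-octet subnet, 4 octets = exact address; a trailing dot
    as in '217.11.91.' is tolerated. Hostname entries are not emulated."""
    if re.search(r"[A-Za-z]", entry):
        return False  # e.g. 'mywebsite.com': Apache would do a DNS lookup
    octets = [o for o in entry.strip().split(".") if o != ""]
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        # e.g. '217.11.91.489': 489 is not a valid octet, as the thread notes
        raise ValueError(f"invalid Allow from entry: {entry!r}")
    network = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return ip_address(ip) in ip_network(network)

def files_match_verdict(req, allow_entries):
    """The <FilesMatch> block: wp-login.php is served only to listed sources."""
    filename = req["uri"].rsplit("/", 1)[-1]
    if not re.match(r"^(wp-login\.php)", filename):
        return "not covered"
    if any(allow_from_matches(req["ip"], e) for e in allow_entries):
        return "allowed"
    return "403 (IP not whitelisted)"

def rewrite_verdict(req):
    """The RewriteCond/RewriteRule block: forbid a blank User-Agent or HTTP/1.0
    on any request whose path contains wp-login.php."""
    if not re.search(r"^(/wp-login\.php|.*wp-login\.php.*)$", req["uri"]):
        return "not covered"
    if req["ua"] == "" or req["proto"] == "HTTP/1.0":
        return "403 (blank UA or HTTP/1.0)"
    return "allowed"

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["ip"], r["uri"], "| IP rule:", files_match_verdict(r, ["217.11.91."]),
              "| protocol rule:", rewrite_verdict(r))
```

Running it shows the trade-off the thread describes: the IP rule rejects every address outside the whitelisted octets, including legitimate members, while the protocol/UA rule only rejects clients that send no User-Agent or speak HTTP/1.0.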
Greg (Participant)
Thanks for your assistance, it’s appreciated.