Protect Login Page from Brute Force Login Attacks
Tagged: Bonus Custom Code, Brute Force Login Attacks, Protect Login page, WordPress Brute Force Attacks
This topic has 163 replies, 30 voices, and was last updated 5 years, 11 months ago by eveli.
AITpro Admin
Keymaster
Regarding the rest of your question: Did you add the custom code in the correct Custom Code text box? The only logical reason for why you would be seeing a wp-admin htaccess file error message would be that you entered your custom code in the wrong text box.
convertmedia
Participant
My IP address doesn’t change though. It’s: 100.38.132.242
So, for the octets, would mine start at 100, as opposed to 65 in your example?
100.36, 100.38.132, 100.38.132.242?
AITpro Admin
Keymaster
Yep you got it right and yep my coffee does not appear to have any caffeine or a caffeine malfunction is occurring. You can actually use the bottom BPS Custom Code text box for that code, but for logical reasons it is better to stick the code in the Brute Force Login page Protection text box – simply just makes more sense. 😉
1. Add whichever Brute Force Login Protection Code you want to use in this BPS Root Custom Code text box: CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION:
2. Click the Save Root Custom Code button
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
convertmedia
Participant
Thanks so much! I did all that. How can I check if it works? Also do you mind just viewing the below and seeing if it looks right. I bolded my edits.
    # Protect wp-login.php from Brute Force Login Attacks based on IP Address
    <FilesMatch "^(wp-login\.php)">
    Order Allow,Deny
    # Add your website domain name
    Allow from screenplae.com
    # Add your website/Server IP Address
    Allow from 100.38.132.242.
    # Add your Public IP Address using 2 or 3 octets so that if/when
    # your IP address changes it will still be in your subnet range. If you
    # have a static IP address then use all 4 octets.
    # Examples: 2 octets: 100.36. 3 octets: 100.38.132. 4 octets: 100.38.132.242
    Allow from 100.
    </FilesMatch>
AITpro Admin
Keymaster
Looks good, but just condense the code down to this example below:
If you want to check things remotely via a Proxy then this is a great Proxy site to do that: http://www.boomproxy.com Note: Uncheck these 2 checkboxes: Remove Scripts and Remove Objects.
    # Protect wp-login.php from Brute Force Login Attacks based on IP Address
    <FilesMatch "^(wp-login\.php)">
    Order Allow,Deny
    # Add your Public IP Address using 2 or 3 octets so that if/when
    # your IP address changes it will still be in your subnet range. If you
    # have a static IP address then use all 4 octets.
    # Examples: 2 octets: 100.36. 3 octets: 100.38.132. 4 octets: 100.38.132.242
    Allow from 100.
    </FilesMatch>
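One way to check the rule discussed above, as an added example that is not part of the thread or of BPS: the Python below maps each `Allow from` partial address to the network it covers, then scans access-log lines for wp-login.php requests from outside that range that did not receive a 403. The log lines are constructed, and the combined-log field layout and the function names are assumptions.

```python
import ipaddress

def allow_to_network(entry):
    """Turn an 'Allow from' partial address such as '100.38.' into the network it matches."""
    octets = [o for o in entry.strip().split(".") if o]
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a full or partial IPv4 address: {entry!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}")

def is_allowed(client_ip, allow_entries):
    """Order Allow,Deny with only Allow lines: denied unless some entry matches."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in allow_to_network(e) for e in allow_entries)

def unblocked_outsiders(log_lines, allow_entries):
    """Return wp-login.php requests from outside the allowlist that did not get a 403."""
    leaks = []
    for line in log_lines:
        fields = line.split()
        ip, path, status = fields[0], fields[6], fields[8]
        if path.split("?")[0].endswith("/wp-login.php") and not is_allowed(ip, allow_entries):
            if status != "403":
                leaks.append(line)
    return leaks

# Constructed sample lines in Apache combined-log layout (not from the thread).
SAMPLE_LOG = [
    '100.38.132.242 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2450',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 403 199',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2450',
    '100.200.1.1 - - [01/Jan/2024:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2450',
]

if __name__ == "__main__":
    # Show how much address space each octet count admits.
    for entry in ("100.", "100.38.", "100.38.132.", "100.38.132.242"):
        net = allow_to_network(entry)
        print(entry, "->", net, net.num_addresses, "addresses")
    # Requests that should have been refused by 'Allow from 100.' but were served.
    for line in unblocked_outsiders(SAMPLE_LOG, ["100."]):
        print("not blocked:", line)
```

A single-octet entry such as `100.` admits the whole /8, so the `100.200.1.1` request counts as allowed here; with `100.38.132.` it would be reported as unblocked.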
convertmedia
Participant
Thanks, but I received this error now at the very top of htaccess Core in the plugin:
BPS Alert! An htaccess file was NOT found in your WordPress wp-admin folder
If you have deleted the wp-admin htaccess file for troubleshooting purposes you can disregard this Alert.
After you are done troubleshooting Click Here to go to the BPS Setup Wizard page and click the Setup Wizard button to setup the BPS plugin again.
Important Note: If you deleted the wp-admin htaccess file due to bad/invalid Custom Code causing a problem then Click Here to go to the BPS Custom Code page, delete the bad/invalid wp-admin Custom Code and click the Save wp-admin Custom Code button before running the Setup Wizard again.
Have you seen this before? I didn’t delete the wp-admin htaccess file to the best of my knowledge. Maybe there wasn’t one to begin with?
Thanks,
Jordan
AITpro Admin
Keymaster
Run the Setup Wizard and let me know if everything is working on your server or not.
convertmedia
Participant
Everything appears to be working. Everything is green. Not sure what the issue is then!
AITpro Admin
Keymaster
Guess that means everything is working then? 😉
convertmedia
Participant
Hi,
Thanks so much for the help. I thought it was working but I still get attempted logins. On the dashboard it shows this image: http://puu.sh/iXBvp/94ff6a3c47.png. It appears the code isn’t even being recognized? Further assistance is highly appreciated.
Best,
Jordan
AITpro Admin
Keymaster
When you say attempted logins I assume you mean blocked/forbidden login attempts or do you mean something else? If something is being blocked/forbidden then it is already being handled/taken care of and you do not need to do anything else.
The Bonus Custom code links are heads up static dismiss notices. A check is not being done for anything. So you either choose to add the Bonus Custom code or not and then you click the dismiss notice link to make the static notice go away. Technically what is occurring is a meta user value is saved to your DB when you click the dismiss notice link.
AITpro Admin
Keymaster
When you say attempted logins I assume you mean blocked/forbidden login attempts or do you mean something else? If something is being blocked/forbidden then it is already being handled and you do not need to do anything else.
convertmedia
Participant
Hi,
I’m referring to blocked/forbidden login attempts. Does that help to clarify?
AITpro Admin
Keymaster
Ok great! So it sounds like BPS is blocking hacking attempts and the Security Log entries are just logging those blocked hacking attempts. So everything is working as it should be working – business as usual. Your Apache server log and the BPS Security Log are the same basic thing – a log of events.
convertmedia
Participant
Ok but I wanted to make it so these users would be unable to even attempt to log in. I’m back where I started now — there have never been successful forbidden login attempts, so nothing has changed. Isn’t this supposed to not allow the users to even get to the login page?
Thanks,
Jordan