Protect Login Page from Brute Force Login Attacks (BulletProof Security Pro forum)
Tagged: Bonus Custom Code, Brute Force Login Attacks, Protect Login page, WordPress Brute Force Attacks
This topic has 163 replies, 30 voices, and was last updated 4 years, 11 months ago by eveli.
AITpro Admin (Keymaster)
@ Saqueeb – Is your login page: /wp-login.php or something else like a custom login page like: /my-login? If your Login page is the standard/default WordPress login page: /wp-login.php then the only other logical explanation would be that you have not done all of the Custom Code steps. When you check the: htaccess File Editor tab page > click the Your Current Root htaccess File tab > scroll down and look to see if your Brute Force Login page protection code is actually in your Root htaccess file.
Saqueeb Rajan (Participant)
Hi there, yes, I checked the Root htaccess file and the code is there, and yes, my login page is wp-login.php.
AITpro Admin (Keymaster)
Hmm, ok then I am not sure what could be causing the issue and will need to log in to this site to see what could be happening. I checked your site’s login page: wxxx.ca and the Brute Force Login protection code did not block me, so something is not correct. Send a WordPress Administrator login for your site to: info at ait-pro dot com.
Saqueeb Rajan (Participant)
Hello, I have sent the email with credentials.
Thanks

AITpro Admin (Keymaster)
Ok, I found out why the Brute Force Login protection .htaccess code is not working on your particular server/website. Your server is a Windows IIS 8.0 server, which uses a Rewrite Module that translates Apache Linux htaccess code into rules that a Windows IIS server can interpret/apply/use. So your particular server is ignoring the Brute Force Login protection .htaccess code instead of translating it into usable rules for/on your particular server. So unfortunately, you cannot use the Brute Force Login protection .htaccess code on your particular server.
Server Type: Microsoft-IIS/8.0
Operating System: WINNT

AITpro Admin (Keymaster)
[Topic has been manually moved to this relevant Topic]
legalcafe (Participant)
WordPress 4.4.2 running Delicate theme.
legalcafe.com (our WP blog) is a subdomain pointing to a folder on our main site legalgrind.com. Our host is powweb.com. We have activated the BPS Brute Force Login plugin on WP and are getting many daily alerts. The most common solution appears to be to allow only a certain IP address to access wp-admin. My problem is that I am not a programmer (I only know HTML and CSS) and need things simplified more, please. (You address this procedure in several posts on this forum.) First, this is the code you recommend adding.
# Protect wp-login.php from Brute Force Login Attacks based on IP Address
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 65.100.50.
</FilesMatch>
My questions are:
What IP do I use, my own personal computer’s IP or the host’s IP?
What file (root htaccess or the subdomain’s wp-admin folder htaccess?) does this go on and where on the file (at the very top?), if it matters? I don’t need this protection on the root.
What should be stripped from the above code? For example, do I just remove the comments?
Thanks
AITpro Admin (Keymaster)
@ legalcafe – I checked your website and you are allowing anyone to Register, Login and Post Comments on your website. So you do not want to use the Protect wp-login.php from Brute Force Login Attacks based on IP Address code you posted above on your website. Please see the very beginning of this forum topic for more help information. Regarding being alerted about attacks on your site, you can expect your website to be attacked by hackers and spammers all day, every day. That is completely normal these days on the Internet. The BPS Security Log logs blocked hacking and spamming attempts, which means you do not need to do anything else since BPS is simply logging things the same exact way your server logs things.
legalcafe (Participant)
Is it also normal to be locked out of admin? This is happening all day long, for 1 hour at a time. I solved my logout problem by adding a new user name and password so I can still get in, but I don’t want to add new posts from that new user. Then it too would be public and subject to the same lockouts, I would assume.
Thanks for your help.
AITpro Admin (Keymaster)
See this forum topic for additional things you can do to prevent your publicly exposed user accounts on your website from being locked repeatedly: http://forum.ait-pro.com/forums/topic/user-account-locked/
legalcafe (Participant)
The BPS Pro version will take care of all of these problems, is that correct?
AITpro Admin (Keymaster)
Yes, correct. The BPS Pro JTC Anti-Spam|Anti-Hacker security feature blocks 100% of all automated Brute Force Login attacks/attempts. 99.99% of all Brute Force Login attacks/attempts are automated with Bots – spambots and hackerbots. In plain English, you do not need to do any additional things about publicly exposed user account names on your website, and user accounts will no longer be repeatedly locked if JTC is enabled.
legalcafe (Participant)
Do you offer an install service for the Pro version? If so, where can I find the install charges? If not, do you know where I might find someone skilled to do it for us? We have a WP blog which is a subdomain pointing to a folder on our main site and hosted by powweb.
Thank you for your help.
AITpro Admin (Keymaster)
BPS Pro setup is automated with the Setup Wizards: http://forum.ait-pro.com/video-tutorials/#setup-wizard and most folks do not run into any “extra” complications or setup steps, but if for some reason you do run into a problem after running the Wizards or you need additional help, then we can either help you in the forum or log into the site and fix/setup/do any additional things that need to be done.
Jason (Participant)
So what if I get a 403 error on the login page when trying to log in or log out with my server? Is there another way to protect the site from brute force attacks with BPS Pro, or will I need to use a different plugin?
Another thing… I was using two different users on two different computers, but both with the same IP and one user could login fine, but the second user would get the 403.
And I was using the “any user can login” code:

# BRUTE FORCE LOGIN PAGE PROTECTION
# Protects the Login page from SpamBots, HackerBots & Proxies
# that use Server Protocol HTTP/1.0 or a blank User Agent
# (RewriteEngine On must already be set earlier in the htaccess file)
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ - [F,L]
Thanks.
AITpro Admin (Keymaster)
@ Jason – BPS Pro has Login Security & Monitoring and JTC Anti-Spam|Anti-Hacker that protect the Login page against Brute Force Login attacks and other types of attacks. So this Bonus Custom Code is something BPS free plugin users can use, or just some extra code that someone may want to use. It is not essential or critical Bonus Custom Code. If the second user was blocked, then since this code blocks the older HTTP/1.0 server protocol, I would assume the second user was using something like Proxy or VPN software that uses that old, outdated server protocol.
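The following is an added example, not BPS code and not something posted by anyone in this thread. It models the decision logic of the two Bonus Custom Code snippets quoted above (the IP-based FilesMatch allow-list from legalcafe's post, and the blank User-Agent / HTTP/1.0 RewriteCond chain from Jason's post) in plain Python, run over a handful of constructed requests, so you can see which requests each rule would answer with 403 before putting it in .htaccess. The partial-IP matching follows Apache's documented "Allow from" behaviour (first 1 to 3 octets match a subnet, 4 octets match one host); the sample IPs, user agents and URIs are made up. It is a model only: the first post in this thread shows why you still have to test on the real server, since a Windows IIS rewrite module may ignore the rules entirely.

```python
"""Model of the two Bonus Custom Code rules quoted in this thread.

Added example, not BPS code. It reproduces the decision logic of the two
.htaccess snippets in plain Python so you can see which requests each one
would block, and why two users behind one IP can get different results.

  Rule A: <FilesMatch "^(wp-login\\.php)"> Order Allow,Deny / Allow from PREFIX
          (only the allowed octet prefix may reach wp-login.php)
  Rule B: RewriteCond chain that returns 403 for wp-login.php requests with
          a blank User-Agent or made over HTTP/1.0

The Request records at the bottom are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Request:
    client_ip: str
    method: str
    uri: str
    protocol: str    # what Apache exposes as SERVER_PROTOCOL, e.g. "HTTP/1.1"
    user_agent: str  # "" models a missing or blank User-Agent header


# The REQUEST_URI pattern from Rule B: matches any URI that contains wp-login.php
LOGIN_URI_RE = re.compile(r"^(/wp-login\.php|.*wp-login\.php.*)$")


def ip_allowed(client_ip: str, allow_prefix: str) -> bool:
    """Model Apache's partial-IP 'Allow from' match.

    'Allow from 65.100.50.' matches any address whose first three octets are
    65.100.50; a full four-octet value must match exactly. Junk prefixes raise
    so a typo does not silently allow or deny everyone.
    """
    octets = allow_prefix.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad allow prefix: {allow_prefix!r}")
    client_octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return client_octets[: len(octets)] == octets


def rule_a_blocks(req: Request, allow_prefix: str) -> bool:
    """Rule A: FilesMatch guards the file name only, so anything that is not
    wp-login.php passes; wp-login.php is denied unless the client IP is allowed."""
    filename = req.uri.split("?", 1)[0].rsplit("/", 1)[-1]
    if filename != "wp-login.php":
        return False
    return not ip_allowed(req.client_ip, allow_prefix)


def rule_b_blocks(req: Request) -> bool:
    """Rule B: URI matches wp-login.php AND (blank UA OR THE_REQUEST ends in
    HTTP/1.0 OR SERVER_PROTOCOL is HTTP/1.0). The source IP plays no part,
    which is why one user on a shared IP can be blocked while another is not."""
    if not LOGIN_URI_RE.match(req.uri):
        return False
    the_request = f"{req.method} {req.uri} {req.protocol}"
    return (
        req.user_agent == ""
        or the_request.endswith("HTTP/1.0")
        or req.protocol.endswith("HTTP/1.0")
    )


def evaluate(requests, allow_prefix: str):
    """Return one dict per request naming which rule(s) would return 403."""
    results = []
    for req in requests:
        blocked_by = []
        if rule_a_blocks(req, allow_prefix):
            blocked_by.append("rule_a")
        if rule_b_blocks(req):
            blocked_by.append("rule_b")
        results.append({"client_ip": req.client_ip, "uri": req.uri, "blocked_by": blocked_by})
    return results


# Constructed sample traffic (not real log data).
UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"
SAMPLE_REQUESTS = [
    Request("65.100.50.7", "GET", "/wp-login.php", "HTTP/1.1", UA),   # admin, inside subnet
    Request("65.100.51.7", "GET", "/wp-login.php", "HTTP/1.1", UA),   # outside subnet
    Request("65.100.50.7", "POST", "/wp-login.php", "HTTP/1.0", UA),  # same IP, proxy speaking HTTP/1.0
    Request("65.100.50.7", "POST", "/wp-login.php?action=logout", "HTTP/1.1", ""),  # blank UA
    Request("203.0.113.9", "GET", "/index.php", "HTTP/1.0", ""),      # not the login page
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REQUESTS, "65.100.50."):
        print(row)
```

Run as a script it prints one line per sample request. The third request is the case from Jason's post: same allowed IP as the first request, but because the client (or a proxy in front of it) speaks HTTP/1.0, Rule B returns 403 while Rule A lets it through, so an IP allow-list alone would not have explained the difference between the two users.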