Tweak for no direct access to login form custom code?


This topic contains 2 replies, has 2 voices, and was last updated by WayneM 8 months, 3 weeks ago.

#34393

WayneM
Participant

    # BRUTE FORCE LOGIN PAGE PROTECTION - AGAINST BOTS
    # NO DIRECT URL ACCESS TO LOGIN
    # REQUEST MUST COME FROM POST FORM ON WEBSITE
    
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_REFERER} !^http://(.*)?mywebsite\.com [NC]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteRule ^(.*)$ - [F]
    

I’ve been using the above custom code (in addition to the basic brute force custom code) to help limit bad login attempts. This code came from an example you provided on this forum some years ago. The code works fine. However, I’ve been switching over my websites to run on SSL with “https” URLs. I’ve found that the HTTP_REFERER part of the above code needs to be modified to reflect the change from http to https to avoid getting BPS 403 errors on any login attempt. It’s easy enough for me to simply add an “s” to the http, and it works fine.

    Here’s my questions:
    1. Can, or should, this custom code be tweaked so that it would work with either http or https referrers?

    2. Is this code overkill? Does the basic brute force custom code work well enough that this additional code is not needed?

    Thanks again for BPS. 🙂

    #34397

    AITpro Admin
    Keymaster

The choice to use that additional custom code is up to you. We only use standard BPS Login Security and JTC for Login page protection. Here is some updated code below. I don’t think you need to include the “?” in your code.

    # BRUTE FORCE LOGIN PAGE PROTECTION - AGAINST BOTS
    # NO DIRECT URL ACCESS TO LOGIN
    # REQUEST MUST COME FROM POST FORM ON WEBSITE
    
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_REFERER} !^(http|https)://(.*)mywebsite\.com [NC]
    RewriteCond %{REQUEST_URI} ^(.*)(wp-login\.php|wp-admin)(.*)$ [NC]
    RewriteRule ^(.*)$ - [F]

#34403

    WayneM
    Participant

    Okay, got it. Thanks 🙂

    No doubt you are right that as long as I’m using the JTC login feature, this code might just be superfluous.

    Not only that, I have found that if I use that code in conjunction with a plugin like “WPS Hide Login”, I still need to tweak that code to account for the new hidden login URL.

    So, it’s probably time for me to do away with that bit of custom code on my sites.

    Thanks once again for your awesome support and plugin!
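
Editor's added example (not code from the thread, BulletProof Security, or AITpro). It models how Apache evaluates the three RewriteCond lines from the reply above (POST method, negated Referer match with [NC], login URI match) and runs the three Referer patterns side by side on constructed sample requests: the original http-only pattern, the http|https pattern from the reply, and a tightened pattern of my own that anchors the hostname so a foreign Referer that merely contains "mywebsite.com" somewhere in its path no longer passes. It also shows why a renamed login slug (the "hide login" point in the last post) needs to be listed in the URI condition, using the hypothetical slug /my-secret-login. Two caveats the rule itself cannot fix, stated here because a practitioner will want them: the Referer header is set by the client, so any bot that bothers to send one passes, and a browser or privacy extension that suppresses Referer sends an empty value, which the negated condition treats as "not from the site" and blocks. Python's re is assumed to evaluate these simple patterns the same way Apache's PCRE does; "mywebsite.com" and "other.example" are placeholders.

```python
import re

# Added example: models the rule set
#   RewriteCond %{REQUEST_METHOD} POST
#   RewriteCond %{HTTP_REFERER} !<referer_pattern> [NC]
#   RewriteCond %{REQUEST_URI} <login_pattern> [NC]
#   RewriteRule ^(.*)$ - [F]
# Patterns are kept as the literal text that goes into the RewriteCond line.
# [NC] is modelled with re.IGNORECASE and "!" as "condition holds when NOT matched".

REFERER_HTTP_ONLY = r"^http://(.*)?mywebsite\.com"          # pattern from the first post
REFERER_EITHER = r"^(http|https)://(.*)mywebsite\.com"       # pattern from the reply
# Editor's tightened pattern (assumption, not from the thread): optional "s", the
# hostname must END in mywebsite.com (optionally with a port) and be followed by
# "/" or end of string, so "http://other.example/mywebsite.com" no longer passes.
REFERER_STRICT = r"^https?://([a-z0-9-]+\.)*mywebsite\.com(:[0-9]+)?(/|$)"

LOGIN_URI = r"^(.*)(wp-login\.php|wp-admin)(.*)$"            # URI pattern from the reply
# Hypothetical renamed login slug: it has to be listed explicitly in the URI
# condition, otherwise the rule never fires for POSTs to it.
LOGIN_URI_HIDDEN = r"^(.*)(wp-login\.php|wp-admin|my-secret-login)(.*)$"


def is_blocked(method, referer, uri, referer_pattern, login_pattern=LOGIN_URI):
    """True when every RewriteCond holds, i.e. the rule would answer 403."""
    if method != "POST":
        return False
    # "!pattern": holds only when the Referer does NOT match. An absent Referer
    # arrives as the empty string, which never matches, so it is blocked too.
    if re.search(referer_pattern, referer, re.IGNORECASE):
        return False
    return re.search(login_pattern, uri, re.IGNORECASE) is not None


# Constructed sample requests: (method, Referer header, request URI, note)
SAMPLES = [
    ("POST", "https://mywebsite.com/wp-login.php", "/wp-login.php", "own site over https"),
    ("POST", "http://mywebsite.com/wp-login.php", "/wp-login.php", "own site over http"),
    ("POST", "https://WWW.MyWebsite.com/wp-login.php", "/wp-login.php", "subdomain, mixed case"),
    ("POST", "", "/wp-login.php", "no Referer (privacy setting or bot)"),
    ("POST", "http://other.example/mywebsite.com", "/wp-login.php", "foreign host containing the name"),
    ("POST", "", "/my-secret-login", "no Referer, renamed login slug"),
    ("GET", "", "/wp-login.php", "GET of the login form itself"),
]


def evaluate(referer_pattern, login_pattern=LOGIN_URI):
    """Return {note: blocked?} for every sample under one pair of patterns."""
    return {note: is_blocked(m, r, u, referer_pattern, login_pattern)
            for m, r, u, note in SAMPLES}


if __name__ == "__main__":
    for name, pat in [("http only", REFERER_HTTP_ONLY),
                      ("http|https", REFERER_EITHER),
                      ("strict", REFERER_STRICT)]:
        print(f"--- Referer pattern: {name}")
        for note, blocked in evaluate(pat).items():
            print(f"  {'403 ' if blocked else 'pass'}  {note}")
    print("--- strict, with the renamed slug listed in the URI condition")
    for note, blocked in evaluate(REFERER_STRICT, LOGIN_URI_HIDDEN).items():
        print(f"  {'403 ' if blocked else 'pass'}  {note}")
```

Running it shows the http-only pattern blocking the site's own https form (the 403 described in the first post), both page patterns letting the foreign-host Referer through, the strict pattern stopping it while still accepting subdomains and mixed case, and the renamed slug being ignored until it is added to the URI condition. The equivalent RewriteCond line for the strict pattern is simply `RewriteCond %{HTTP_REFERER} !^https?://([a-z0-9-]+\.)*mywebsite\.com(:[0-9]+)?(/|$) [NC]`.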
