WordPress Author Enumeration Bot Probe Protection – Author ID, User ID
Tagged: author, Author ID, author name, Bonus Custom Code, Bot, enumeration, User ID
- This topic has 36 replies, 10 voices, and was last updated 8 years, 2 months ago by AITpro Admin.
AITpro Admin (Keymaster)
What type of Network|Multisite is your site? Subdomain standard, Subdirectory standard, Subdomain GWIOD or Subdirectory GWIOD?
Pako (Participant)
Hi
Mapped domains, i.e.: www.primary-site.com www.chield-side.com
AITpro Admin (Keymaster)
Ok let’s try this instead – what do you see when you add this Query String on the end of a URL|URI? Example:
http://forum.ait-pro.com/?author=1
Pako (Participant)
I see the author page archive like http://www.primary-site.com/blog/author/my-username/
AITpro Admin (Keymaster)
Oh ok, yeah, we are looking into the change that WP recently made with internal Rewriting. It appears that WP has made major changes to internal Rewriting that negate this particular htaccess Author Enumeration Bot Probe Protection on Network sites. We assume this was done intentionally by WP, but maybe this is just a new problem that needs a new solution. 😉 We will fiddle around with this in the next couple of days and post our findings here after fiddling.
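Added example, not part of the original thread and not BPS code: one way to see from the web server log whether `?author=N` requests like the one tested above are being probed and answered. It assumes Apache combined log format and treats status 200/301/302 as "answered" (the redirect to the author archive described above); the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2016:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 - "-" "probe/1.0"
203.0.113.7 - - [10/Oct/2016:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 - "-" "probe/1.0"
203.0.113.7 - - [10/Oct/2016:13:55:38 +0000] "GET /blog/?foo=bar&author=3 HTTP/1.1" 403 199 "-" "probe/1.0"
198.51.100.4 - - [10/Oct/2016:14:01:02 +0000] "GET /blog/author/my-username/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2016:14:01:09 +0000] "GET /?author=1 HTTP/1.1" 301 - "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2016:14:05:00 +0000] "GET /?s=author=5 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# client IP, request target and status code of one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')

def author_id(target):
    """Return the numeric ID if the request has an author=<digits> query parameter, else None."""
    values = parse_qs(urlsplit(target).query).get("author", [])
    return int(values[0]) if values and values[0].isdecimal() else None

def find_probes(log_text, min_ids=2):
    """Map client IP -> probed and answered author IDs, for clients that tried min_ids+ distinct IDs."""
    seen = defaultdict(lambda: {"ids": set(), "answered": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        aid = author_id(target)
        if aid is None:
            continue  # pretty-permalink visits and unrelated queries are ignored
        seen[ip]["ids"].add(aid)
        if status in (200, 301, 302):  # assumption: the site answered instead of blocking
            seen[ip]["answered"].add(aid)
    return {ip: {k: sorted(v) for k, v in d.items()}
            for ip, d in seen.items() if len(d["ids"]) >= min_ids}

if __name__ == "__main__":
    for ip, hit in find_probes(SAMPLE_LOG).items():
        print(ip, "probed IDs", hit["ids"], "answered for", hit["answered"])
```

A client that shows up with several distinct IDs and a non-empty "answered" list is the case where the htaccess protection discussed in this thread is not taking effect.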
Pako (Participant)
Thanks a lot 🙂
So I’ll wait before switching from Wordfence because, as the multisite username can be found, it’s also possible for anyone who has this username to lock out this account if BPS Login Security & Monitoring is activated 🙁
Question: Does BPS not have the same option as Wordfence, like blocking people who are trying to log in with a username that I defined as forbidden?
Thanks
AITpro Admin (Keymaster)
Well I don’t want to negate Wordfence, but Wordfence is for amateurs and BPS Pro is…to say it plainly, for folks who want real website security protection. 😉 We think Wordfence is ok, but we have created something that is “bulletproof”/far superior. 😉 Overall, whether or not a Bot got your author name would not matter if you have BPS Pro since JTC Anti-Spam|Anti-Hacker would stop the hacker or spammer.
A perfect example is this forum site. We don’t bother with trying to block or hide or do anything at all with author/usernames because we are using BPS Pro JTC Anti-Spam|Anti-Hacker so there is no need to use the Author Enumeration Bot Probe Protection on this site at all. The Author Enumeration Bot Probe Protection Bonus Custom Code was created for BPS free plugin users. 😉
Pako (Participant)
(lol) you have me almost convinced to buy the pro version 😉 but I need other answers before, like how to manage WP Rocket htaccess stuff nicely: http://forum.ait-pro.com/forums/topic/wp-rocket-plugin-htaccess-code-where-to-put-it/#post-30024
Thanks again
AITpro Admin (Keymaster)
Ok I’ll take a look at your other post and post an answer. We don’t do a hard sell with BPS Pro, but this is a pretty impressive fact – “BulletProof Security Pro has an amazing track record. BPS Pro has been publicly available for 5+ years and is installed on over 20,000 websites worldwide. Not a single one of those 20,000+ websites in 5+ years has been hacked.”
Pako (Participant)
(Is the Block Bad Queries (BBQ) plugin useful if I buy BPS Pro?)
AITpro Admin (Keymaster)
Honestly, nope, BBQ is not going to add any additional security protection that BPS and BPS Pro do not already do/have.
Pako (Participant)
Great 🙂
And last question (I promise): I’m trying to find where I must write the rules I had before the BPS install, like .htaccess authentication, you know, all that stuff:

    ErrorDocument 401 "Denied"
    ErrorDocument 403 "Denied"
    <FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/blabla/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
    </FilesMatch>

This was to protect login.php but I had the same in /wp-admin.
All those rules were written by my cPanel.
AITpro Admin (Keymaster)
Your BasicAuth htaccess code goes in this BPS wp-admin Custom Code text box: CUSTOM CODE WPADMIN TOP:
wp-admin password protection & miscellaneous custom code here
You don’t need to add the ErrorDocument htaccess code because BPS already has/uses that code.
Pako (Participant)
Oops, I can’t find the text box you mentioned… 🙁
But to be more precise, I was protecting 2 things:
root login.php with rules in my root .htaccess file and /wp-admin/ with rules in my /wp-admin/ .htaccess file
This one was a little bit different:

    # Allow plugin access to admin-ajax.php around password protection
    <Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
    </Files>
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/blabla/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
AITpro Admin (Keymaster)
BPS already protects the admin-ajax.php file by default so you don’t need that code either.
htaccess Core > Custom Code > CUSTOM CODE WPADMIN TOP > add your BasicAuth htaccess code > click the Save wp-admin Custom Code button > go to the security modes page > Activate wp-admin BulletProof Mode.