WordPress Author Enumeration Bot Probe Protection – Author ID, User ID

Viewing 7 posts - 31 through 37 (of 37 total)
    #30045
    Pako
    Participant

    The code for admin-ajax.php is not really a protection, but it prevents the Admin Ajax issue:

    Can you please read the section “I have a 404 Error or a Too many redirects error” on this page and tell me if I’m wrong?
    http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/

    #30046
    Pako
    Participant

    htaccess Core > Custom Code > CUSTOM CODE WPADMIN TOP > add your BasicAuth htaccess code > click the Save wp-admin Custom Code button > go to the security modes page > Activate wp-admin BulletProof Mode.

    Yes, it works for /wp-admin/ 🙂

    But now, what about /login.php?

    #30048
    Pako
    Participant

    I have written this below into Custom Code > Root htaccess File Custom Code > CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES:

    And yes, it works. I do not know if it’s the right way, but it works fine:

    # Require HTTP Basic auth for wp-login.php; the pattern is anchored and
    # the dot escaped so that only that exact filename matches.
    <FilesMatch "^wp-login\.php$">
        AuthType Basic
        AuthName "Secure Area"
        # Absolute path to the htpasswd file, which sits outside the web root.
        AuthUserFile "/home/blabla/.htpasswds/public_html/wp-admin/passwd"
        Require valid-user
    </FilesMatch>

    #30050
    Pako
    Participant

    You know what? I have just bought BPS Pro 🙂 and I just wonder whether I must keep the user I use here for the forum or the new one I got after buying it…

    #30054
    AITpro Admin
    Keymaster

    Your forum user account is a separate user account for this separate forum site so it can be anything and does not need to be the same as the user account name on the AIT-pro.com main site.

    #31006
    Didier Ludwig
    Participant

    NEW BRUTE FORCE THREAT?

    It looks like hackers can find out usernames even when I have filled out the “Custom Code bottom hotlinking/…” field in the root custom code section of BPS (free), following the instructions from the post here above. And of course, “Root Folder BulletProof Mode (RBM)” is activated (BPS v.54). That setup had been on my site for many months when I received a BPS alert two days ago warning me that both user accounts had been blocked temporarily (roles: one admin, one shopadmin). I disabled the plugin for a few moments, created two new users, reactivated the plugin, and deleted the old users. Now, within 48 hrs, hackers seem to have found out both new usernames, though the usual hack doesn’t work, see http://origine.wine/?author=1 . BPS has now logically blocked the new users’ logins again.

    I hope BPS will find out how this could happen, soon.

    #31007
    AITpro Admin
    Keymaster

    @Didier Ludwig: This is not a new type of hack recon to find author names/usernames. See this forum topic for additional things you can do to protect your login page: http://forum.ait-pro.com/forums/topic/user-account-locked/#post-12634
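
The recon that Didier reports and the admin calls routine, as an added example that is not part of this thread and not BPS code: a small Python checker that reads captured HTTP responses for the usual username-discovery probes and reports which login names a bot could collect. It covers the /?author=N redirect (WordPress answers with a 301 to /author/<user_nicename>/, and user_nicename defaults to the login name), the /wp-json/wp/v2/users REST endpoint (lists users with published posts, each with a "slug"), and author-archive links in ordinary page HTML. The responses below are constructed, the host example.invalid is a placeholder, and nothing is fetched from origine.wine or any other site.

```python
"""Detect WordPress username leaks in captured HTTP responses.

Added example, not code from BPS or from the forum posters.  Runs offline on
constructed responses; the probe paths are the well-known ones a bot tries.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# /author/<slug>/ as it appears in a Location header or an href.
AUTHOR_ARCHIVE = re.compile(r"/author/([^/?#]+)/?")


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed, not captured)."""
    status: int
    headers: dict
    body: str = ""


def slug_from_redirect(resp: Response) -> Optional[str]:
    """Return the author slug leaked by a /?author=N redirect, if any.

    WordPress redirects /?author=N to /author/<user_nicename>/, and
    user_nicename is derived from the login name unless it was changed.
    """
    if resp.status not in (301, 302):
        return None
    m = AUTHOR_ARCHIVE.search(resp.headers.get("Location", ""))
    return m.group(1) if m else None


def slugs_from_rest(resp: Response) -> list:
    """Return the slugs exposed by /wp-json/wp/v2/users when it answers 200."""
    if resp.status != 200:
        return []
    try:
        users = json.loads(resp.body)
    except ValueError:
        return []
    if not isinstance(users, list):
        return []
    return [u["slug"] for u in users if isinstance(u, dict) and "slug" in u]


def slugs_from_html(body: str) -> list:
    """Return author slugs linked from page HTML (bylines, author archives)."""
    return sorted(set(AUTHOR_ARCHIVE.findall(body)))


def leaked_usernames(probes: dict) -> dict:
    """Map each leaked slug to the probe paths that exposed it.

    probes is {request_path: Response}; the path decides which extractor runs.
    """
    found = {}
    for path, resp in probes.items():
        if path.startswith("/?author="):
            slug = slug_from_redirect(resp)
            if slug:
                found.setdefault(slug, []).append(path)
        elif path.startswith("/wp-json/wp/v2/users"):
            for slug in slugs_from_rest(resp):
                found.setdefault(slug, []).append(path)
        else:
            for slug in slugs_from_html(resp.body):
                found.setdefault(slug, []).append(path)
    return found


# Constructed probe captures; the 403 stands for a request a rule blocked.
SAMPLE_PROBES = {
    "/?author=1": Response(301, {"Location": "https://example.invalid/author/shopkeeper/"}),
    "/?author=2": Response(403, {}),
    "/wp-json/wp/v2/users": Response(
        200, {"Content-Type": "application/json"},
        json.dumps([{"id": 1, "slug": "shopkeeper", "name": "Shop Keeper"},
                    {"id": 2, "slug": "siteadmin", "name": "Site Admin"}])),
    "/2016/05/hello-world/": Response(
        200, {"Content-Type": "text/html"},
        '<p class="byline">By <a href="/author/siteadmin/" rel="author">Site Admin</a></p>'),
}

if __name__ == "__main__":
    for slug, paths in leaked_usernames(SAMPLE_PROBES).items():
        print(f"{slug}: leaked via {', '.join(paths)}")
```

Run against real captures by replacing SAMPLE_PROBES with the responses of the same requests made to your own site. In the constructed set, /?author=2 is blocked yet both slugs still come out through the REST endpoint and the byline link, which matches what Didier saw: the ?author= probe failing does not by itself keep the login names private.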
