Topic: WordPress Author Enumeration Bot Probe Protection – Author ID, User ID

WordPress Author Enumeration Bot Probe Protection – Author ID, User ID

Tagged: author, Author ID, author name, Bonus Custom Code, Bot, enumeration, User ID

This topic has 36 replies, 10 voices, and was last updated 6 years, 6 months ago by AITpro Admin.

Viewing 7 posts - 31 through 37 (of 37 total)

← 1 2 3

Author

Posts
June 26, 2016 at 3:36 am #30045
Pako
Participant

The code for admin-ajax.php is not really a protection but it prevents Admin Ajax Issue:

Can you please please below “I have a 404 Error or a Too many redirects error” at this page and tell me if I’m wrong ?
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
June 26, 2016 at 3:43 am #30046
Pako
Participant

“htaccess Core > Custom Code > CUSTOM CODE WPADMIN TOP > add your BasicAuth htaccess code > click the Save wp-admin Custom Code button > go to the security modes page > Activate wp-admin BulletProof Mode.”

Yes it works for /wp-admin/ 🙂

But now for /login.php?
June 26, 2016 at 4:13 am #30048
Pako
Participant
I have write this below into Custom Code > Root htaccess File Custom Code > CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES:

And yes it works, I do not know if it’s the right way, but it works fine
```
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/blabla/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>
```
June 26, 2016 at 4:42 am #30050
Pako
Participant

you know what? I have just bought BPS Pro 🙂 and I just wonder if I must keep the user I use here for the forum or the new one I get after buying it…
June 26, 2016 at 8:51 am #30054
AITpro Admin
Keymaster

Your forum user account is a separate user account for this separate forum site so it can be anything and does not need to be the same as the user account name on the AIT-pro.com main site.
September 25, 2016 at 3:29 am #31006
Didier Ludwig
Participant

NEW BRUTE FORCE THREAT?

It looks like hackers can find out usernames even when I have filled out the “Custom Code bottom hotlinking/…” field in the root custom code section of BPS (free), following the instructions from this post here above. And of course, “Root Folder BulletProof Mode (RBM)” is activated (BPS v .54). That setup was on my site since many months, when I received a BPS alert two days ago warning me that both useraccounts have been blocked temporarily (roles: one admin, one shopadmin). I disabled the plugin for a few instants, created two new users, reactivated the plugin, deleted the old users. Now, within 48hrs, hackers seem to have found out both new usernames, though the usual hack doesnt work, see http://origine.wine/?author=1 . BPS has now logically blocked the new user’s logins, again.

I hope BPS will find out how this could happen, soon.
September 25, 2016 at 8:07 am #31007
AITpro Admin
Keymaster

@ Didier Ludwig – This is not a new type of hack recon to find author names/usernames. See this forum topic for additional thinks you can do to protect your login page: http://forum.ait-pro.com/forums/topic/user-account-locked/#post-12634
Author

Posts

Viewing 7 posts - 31 through 37 (of 37 total)

← 1 2 3

You must be logged in to reply to this topic.

BulletProof Security Forum

WordPress Author Enumeration Bot Probe Protection – Author ID, User ID

Search Forums

Topic Tags