WordPress Author Enumeration Bot Probe Protection – Author ID, User ID
Tagged: author, Author ID, author name, Bonus Custom Code, Bot, enumeration, User ID
- This topic has 36 replies, 10 voices, and was last updated 8 years, 2 months ago by AITpro Admin.
Pako (Participant)
The code for admin-ajax.php is not really a protection but it prevents Admin Ajax Issue:
Can you please read below “I have a 404 Error or a Too many redirects error” at this page and tell me if I’m wrong?
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/

Pako (Participant)
“htaccess Core > Custom Code > CUSTOM CODE WPADMIN TOP > add your BasicAuth htaccess code > click the Save wp-admin Custom Code button > go to the security modes page > Activate wp-admin BulletProof Mode.”
Yes it works for /wp-admin/ 🙂
But now for /login.php?

Pako (Participant)
I have written this below into Custom Code > Root htaccess File Custom Code > CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES:
And yes it works, I do not know if it’s the right way, but it works fine

    # Require HTTP Basic Auth before wp-login.php is served
    <FilesMatch "wp-login.php">
        AuthType Basic
        AuthName "Secure Area"
        AuthUserFile "/home/blabla/.htpasswds/public_html/wp-admin/passwd"
        require valid-user
    </FilesMatch>

Pako (Participant)
You know what? I have just bought BPS Pro 🙂 and I just wonder if I must keep the user I use here for the forum or the new one I get after buying it…

AITpro Admin (Keymaster)
Your forum user account is a separate user account for this separate forum site so it can be anything and does not need to be the same as the user account name on the AIT-pro.com main site.

Didier Ludwig (Participant)
NEW BRUTE FORCE THREAT?
It looks like hackers can find out usernames even when I have filled out the “Custom Code bottom hotlinking/…” field in the root custom code section of BPS (free), following the instructions from this post here above. And of course, “Root Folder BulletProof Mode (RBM)” is activated (BPS v .54). That setup had been on my site for many months when I received a BPS alert two days ago warning me that both user accounts have been blocked temporarily (roles: one admin, one shopadmin). I disabled the plugin for a few instants, created two new users, reactivated the plugin, deleted the old users. Now, within 48hrs, hackers seem to have found out both new usernames, though the usual hack doesn’t work, see http://origine.wine/?author=1. BPS has now logically blocked the new user’s logins, again. I hope BPS will find out how this could happen, soon.

AITpro Admin (Keymaster)
@ Didier Ludwig – This is not a new type of hack recon to find author names/usernames. See this forum topic for additional things you can do to protect your login page: http://forum.ait-pro.com/forums/topic/user-account-locked/#post-12634
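
A log check for the `?author=N` probe discussed in this thread, as an added example that is not part of any forum post or of BPS: it scans an access log for clients walking numeric author IDs and reports whether the server answered them (a 200 or a redirect, which is how WordPress reveals the author slug) or refused them. The Apache combined log format, the function name `find_author_probes`, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:06:11:01 +0000] "GET /?author=1 HTTP/1.1" 301 - "-" "bot/1.0"
203.0.113.7 - - [10/Mar/2015:06:11:02 +0000] "GET /?author=2 HTTP/1.1" 301 - "-" "bot/1.0"
203.0.113.7 - - [10/Mar/2015:06:11:03 +0000] "GET /?author=3 HTTP/1.1" 404 512 "-" "bot/1.0"
198.51.100.4 - - [10/Mar/2015:06:12:40 +0000] "GET /?author=1 HTTP/1.1" 403 199 "-" "bot/2.0"
198.51.100.4 - - [10/Mar/2015:06:12:41 +0000] "GET /?author=2 HTTP/1.1" 403 199 "-" "bot/2.0"
192.0.2.10 - - [10/Mar/2015:06:13:00 +0000] "GET /?p=12 HTTP/1.1" 200 8431 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2015:06:13:09 +0000] "GET /?author=1 HTTP/1.1" 301 - "-" "Mozilla/5.0"
"""

# client IP, request target and status code of one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')

def find_author_probes(log_text, min_ids=2):
    """Return {ip: {"ids": [...], "exposed": [...]}} for every client that
    requested at least min_ids distinct numeric author IDs."""
    seen = defaultdict(lambda: {"ids": set(), "exposed": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        for value in parse_qs(urlsplit(target).query).get("author", []):
            if not re.fullmatch(r"[0-9]+", value):
                continue  # only numeric IDs are enumeration probes
            seen[ip]["ids"].add(int(value))
            # 200 or a redirect: WordPress answered the author query, so the
            # author slug was disclosed. 403/404 means the probe was refused.
            if status in (200, 301, 302):
                seen[ip]["exposed"].add(int(value))
    return {ip: {"ids": sorted(d["ids"]), "exposed": sorted(d["exposed"])}
            for ip, d in seen.items() if len(d["ids"]) >= min_ids}

if __name__ == "__main__":
    for ip, d in find_author_probes(SAMPLE_LOG).items():
        state = "EXPOSED" if d["exposed"] else "blocked"
        print(f"{ip}: probed author IDs {d['ids']}, {state} {d['exposed']}")
```

An IP listed with a non-empty `exposed` list means the enumeration rule in the root .htaccess did not stop that request, which is the situation to check for when lockout alerts appear for freshly created usernames.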