BulletProof Security Pro forum: WordPress Author Enumeration Bot Probe Protection – Author ID, User ID
Tagged: author, Author ID, author name, Bonus Custom Code, Bot, enumeration, User ID
This topic has 36 replies, 10 voices, and was last updated 7 years ago by AITpro Admin.
Pako (Participant):
The code for admin-ajax.php is not really a protection, but it prevents the Admin Ajax issue:
Can you please read below "I have a 404 Error or a Too many redirects error" on this page and tell me if I'm wrong?
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/

Pako (Participant):
"htaccess Core > Custom Code > CUSTOM CODE WPADMIN TOP > add your BasicAuth htaccess code > click the Save wp-admin Custom Code button > go to the security modes page > Activate wp-admin BulletProof Mode."
Yes it works for /wp-admin/ 🙂
But now for /login.php?
Pako (Participant):
I have written this below into Custom Code > Root htaccess File Custom Code > CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES:
And yes, it works. I do not know if it's the right way, but it works fine.

```apache
# HTTP Basic Auth in front of the WordPress login page (root .htaccess).
# The pattern is an unanchored regex; "^wp-login\.php$" would match only that exact file.
<FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Secure Area"
    # Absolute path to the htpasswd file; keep it outside the web root if you can.
    AuthUserFile "/home/blabla/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
</FilesMatch>
```
Pako (Participant):
You know what? I have just bought BPS Pro 🙂 and I just wonder if I must keep the user I use here for the forum or the new one I got after buying it…
AITpro Admin (Keymaster):
Your forum user account is a separate user account for this separate forum site, so it can be anything and does not need to be the same as the user account name on the AIT-pro.com main site.
Didier Ludwig (Participant):
NEW BRUTE FORCE THREAT?
It looks like hackers can find out usernames even when I have filled out the "Custom Code bottom hotlinking/…" field in the root custom code section of BPS (free), following the instructions from the post above. And of course, "Root Folder BulletProof Mode (RBM)" is activated (BPS v .54). That setup had been on my site for many months when I received a BPS alert two days ago warning me that both user accounts had been blocked temporarily (roles: one admin, one shopadmin). I disabled the plugin for a few moments, created two new users, reactivated the plugin, and deleted the old users. Now, within 48 hrs, hackers seem to have found out both new usernames, though the usual hack doesn't work, see http://origine.wine/?author=1. BPS has now logically blocked the new users' logins again. I hope BPS will find out how this could happen, soon.
AITpro Admin (Keymaster):
@ Didier Ludwig – This is not a new type of hack recon to find author names/usernames. See this forum topic for additional things you can do to protect your login page: http://forum.ait-pro.com/forums/topic/user-account-locked/#post-12634
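The recon the thread is about is visible in the web server log well before the login lockouts fire. The following Python script is an added example (not code from the thread, from BPS, or from AITpro) that walks an Apache combined-format access log and reports the `/?author=N` probe pattern: which client IPs enumerated author IDs, which IDs WordPress confirmed with a 301 redirect, and which `/author/<slug>/` page the bot fetched next (that slug is the user_nicename, which by default equals the login name). The log lines, IP addresses, site paths and the slug `sitemaster` are constructed for the example; the only assumption about WordPress is its default behaviour of redirecting `/?author=N` to the author archive when the ID exists.

```python
"""Spot WordPress author-enumeration probes (/?author=N) in an Apache access log.

WordPress answers /?author=N with a 301 redirect to /author/<user_nicename>/
when the ID exists (the slug defaults to the login name), so a bot that walks
N = 1, 2, 3, ... and follows the redirects harvests usernames. The functions
below find that pattern: which IPs walked IDs, which IDs redirected, and which
slug the bot was sent to.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Apache combined format); IPs are from the
# documentation ranges, the site paths and slug are invented for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2017:08:01:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2017:08:01:03 +0000] "GET /author/sitemaster/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2017:08:01:04 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2017:08:01:05 +0000] "GET /?author=3 HTTP/1.1" 404 1200 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2017:08:02:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.50.1"
192.0.2.5 - - [10/Mar/2017:08:03:00 +0000] "GET /about/ HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return ip/ts/method/target/status for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def author_id(target):
    """Integer N if the request target is an ?author=N probe, else None."""
    vals = parse_qs(urlsplit(target).query).get("author")
    if not vals or not vals[0].isdigit():
        return None
    return int(vals[0])


def find_probes(log_text, threshold=2):
    """Per client IP, the author IDs probed and the ones that redirected.

    An IP is reported once it has asked for `threshold` distinct IDs; a 301/302
    answer means WordPress confirmed the ID maps to a real user.
    """
    probed = defaultdict(set)
    redirected = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        aid = author_id(rec["target"])
        if aid is None:
            continue
        probed[rec["ip"]].add(aid)
        if rec["status"] in (301, 302):
            redirected[rec["ip"]].add(aid)
    return {
        ip: {"probed": sorted(ids), "redirected": sorted(redirected[ip])}
        for ip, ids in probed.items()
        if len(ids) >= threshold
    }


def leaked_nicenames(log_text):
    """Map (ip, author_id) -> slug the bot fetched right after a redirected probe.

    Only the follow-up request shows in the log (the Location header does
    not), so a /author/<slug>/ request from the same IP immediately after a
    301 probe tells you which name the site handed out.
    """
    pending = {}
    leaked = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], urlsplit(rec["target"]).path
        aid = author_id(rec["target"])
        if aid is not None:
            if rec["status"] in (301, 302):
                pending[ip] = aid
            else:
                pending.pop(ip, None)
            continue
        m = re.match(r"^/author/([^/?]+)", path)
        if m and ip in pending:
            leaked[(ip, pending.pop(ip))] = m.group(1)
        else:
            pending.pop(ip, None)
    return leaked


if __name__ == "__main__":
    for ip, info in find_probes(SAMPLE_LOG).items():
        print(ip, "walked IDs", info["probed"], "confirmed", info["redirected"])
    for (ip, aid), slug in leaked_nicenames(SAMPLE_LOG).items():
        print(f"{ip} learned author {aid} -> /author/{slug}/")
```

On the sample, only 203.0.113.7 crosses the threshold (IDs 1, 2, 3 probed; 1 and 2 redirected) and the follow-up request shows it was handed the slug `sitemaster` for author 1. Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; a single 301 on `/?author=N` is enough to confirm that an ID exists, so blocking the `author=` query string at the web server (before WordPress can redirect) is the control that removes the leak, and the login-page hardening in the thread limits what the attacker can do with the names already harvested.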