WordPress Author Enumeration Bot Probe Protection – Author ID, User ID

Home Forums BulletProof Security Pro WordPress Author Enumeration Bot Probe Protection – Author ID, User ID

Tagged: , , , , , ,

Viewing 7 posts - 31 through 37 (of 37 total)
1 2 3
  • Author
    Posts
  • June 26, 2016 at 3:36 am #30045
    Pako
    Participant

    The code for admin-ajax.php is not really a protection but it prevents Admin Ajax Issue:

    Can you please please below “I have a 404 Error or a Too many redirects error” at this page and tell me if I’m wrong ?
    http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/

    June 26, 2016 at 3:43 am #30046
    Pako
    Participant

    htaccess Core > Custom Code > CUSTOM CODE WPADMIN TOP > add your BasicAuth htaccess code > click the Save wp-admin Custom Code button > go to the security modes page > Activate wp-admin BulletProof Mode.

    Yes it works for /wp-admin/ 🙂

    But now for /login.php?

    June 26, 2016 at 4:13 am #30048
    Pako
    Participant

    I have write this below into Custom Code > Root htaccess File Custom Code > CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES:

    And yes it works, I do not know if it’s the right way, but it works fine

    <FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/blabla/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>
    June 26, 2016 at 4:42 am #30050
    Pako
    Participant

    you know what? I have just bought BPS Pro 🙂 and I just wonder if I must keep the user I use here for the forum or the new one I get after buying it…

    June 26, 2016 at 8:51 am #30054
    AITpro Admin
    Keymaster

    Your forum user account is a separate user account for this separate forum site so it can be anything and does not need to be the same as the user account name on the AIT-pro.com main site.

    September 25, 2016 at 3:29 am #31006
    Didier Ludwig
    Participant

    NEW BRUTE FORCE THREAT?

    It looks like hackers can find out usernames even when I have filled out the “Custom Code bottom hotlinking/…” field in the root custom code section of BPS (free), following the instructions from this post here above. And of course, “Root Folder BulletProof Mode (RBM)” is activated (BPS v .54). That setup was on my site since many months, when I received a BPS alert two days ago warning me that both useraccounts have been blocked temporarily (roles: one admin, one shopadmin). I disabled the plugin for a few instants, created two new users,  reactivated the plugin, deleted the old users. Now, within 48hrs, hackers seem to have found out both new usernames, though the usual hack doesnt work, see http://origine.wine/?author=1 . BPS has now logically blocked the new user’s logins, again.

    I hope BPS will find out how this could happen, soon.

    September 25, 2016 at 8:07 am #31007
    AITpro Admin
    Keymaster

    @ Didier Ludwig – This is not a new type of hack recon to find author names/usernames.  See this forum topic for additional thinks you can do to protect your login page:  http://forum.ait-pro.com/forums/topic/user-account-locked/#post-12634

  • Author
    Posts
Viewing 7 posts - 31 through 37 (of 37 total)
1 2 3
  • You must be logged in to reply to this topic.