Support » Plugin: WP Login Alerts by DigiP » Could you add the method (GET, POST etc..)?

  • Plugin Author DigiP

    (@digip)

    Not sure what GET or POST method you want added to the plug-in, or how that will resolve your issue.

    The WordPress login page itself uses a POST form of its own to log in, not a GET request, or usernames and passwords would show in the address bar of the site when you log in, which is a security risk for other people using your PC. If they looked at your URL history, they would see, in plain text, the GET data of the username and password you use, which is why WordPress uses a POST form in its own login page.

    All I do is hook into the $_POST data for the user name field and email users the name tried logging in with, or if the page is reached. If you are locking down the wp-login.php and /wp-admin/ directories, you really don’t need the plug-in, since you’re already restricting access to just your IP. I do both, just in case, but that’s me, paranoid admin (never hurts to be too cautious), but if you are getting a ton of brute-force attempts, start using firewall rules or htaccess to block those users’ IPs or subnets. Especially if it’s always a specific network.

    Thing about the plug-in, it will catch attempted or posted login data against any page of the site 😉 which is a nifty little feature I use on my own sites to act as a honeypot and capture logins, since my WordPress isn’t installed in the base of my site(s) usually. Example of one of my honeypots for WordPress: http://www.attack-scanner.com/brutes/brutes.log (I may one day do a write-up on how to set this up, but for now, it’s just mine…muahahahha..sorry, mad scientist taking over)

    Only other thing I can say is mod the plug-in to only check for your username. If your username is not the one being attempted, just exit, but if it is, then send an email. That requires changing the plug-in name in the header comment area as well, so your changes don’t get overwritten by me when I make updates, but there is no way to really tell it, “Oh, this person uses htaccess, so don’t send an email if it’s the admin” without heavily customizing it on a per-site basis, which I would leave up to the end user. I do customize them for people on a per-site basis, but I charge for this service, whereas here, this is just a free plug-in to alert you.

    I had one client who, the other day, got over 3000 emails because someone used a bot to automate an attack against her site, and it freaked her out, but one person had launched an attack on her site, so it’s a catch-22. Whether you leave it on or off is up to you.

    All I can say is turn it off if you have your login page and /wp-admin directory locked down, though, since no one but your IP should be able to access those areas if you’ve handled it correctly, so who cares who tries to brute force the page; they won’t be able to gain access if it’s blocked and only you are whitelisted.
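The two modifications the author suggests (alert only when one watched username is attempted, and avoid the flood of thousands of emails from a single bot run) as an added example plugin, not the WP Login Alerts code itself. It uses WordPress's `wp_login_failed` action rather than reading `$_POST` on every page, so it only fires on real authentication failures; the `LAFOU_*` names, the watched username and the throttle window are assumptions to adjust per site.

```php
<?php
/*
Plugin Name: Login Alert For One User (example)
Description: Emails the admin when a failed login targets a configured username, at most once per IP per throttle window.
*/
if (!defined('ABSPATH')) { exit; } // refuse direct web access to this file

// Hypothetical configuration: the only account we care about and how often to mail.
define('LAFOU_WATCHED_USER', 'admin');   // placeholder: set to your real account name
define('LAFOU_THROTTLE_SECONDS', 600);   // one email per source IP per 10 minutes

function lafou_client_ip() {
    // REMOTE_ADDR is the TCP peer; only trust X-Forwarded-For if a reverse proxy you control sets it.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

function lafou_should_alert($username, $ip) {
    if ($username !== LAFOU_WATCHED_USER) {
        return false; // not the watched account: exit quietly, as the author suggests
    }
    $key = 'lafou_' . md5($ip);       // transient key per source IP
    if (get_transient($key)) {
        return false; // already mailed about this IP inside the throttle window
    }
    set_transient($key, 1, LAFOU_THROTTLE_SECONDS);
    return true;
}

function lafou_on_failed_login($username) {
    $ip = lafou_client_ip();
    if (!lafou_should_alert($username, $ip)) {
        return;
    }
    // Deliberately never include the submitted password in the email.
    $subject = sprintf('[%s] Failed login for "%s"', get_bloginfo('name'), $username);
    $body = sprintf(
        "Time: %s\nIP: %s\nUser-Agent: %s\nURI: %s\n",
        current_time('mysql'),
        $ip,
        isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '',
        isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : ''
    );
    wp_mail(get_option('admin_email'), $subject, $body);
}
add_action('wp_login_failed', 'lafou_on_failed_login');
```

The throttle lives in WordPress transients, so it survives across requests without a custom table; if the site sits behind a CDN, replace `lafou_client_ip()` with the proxy-aware header you actually trust or every attacker will share one throttle key.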

  • The topic ‘Could you add the method (GET, POST etc..)?’ is closed to new replies.