• Resolved aniksz

    (@aniksz)


    http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks

    I have a site with 4 admins who log in… our ISP changes our IP address constantly… so for us which is the best option to secure login.php ??

    Protect wp-login.php from Brute Force Login Attacks based on Server Protocol

    does the server protocol option fit for us ???

    can I also include this code to secure login in theme’s functions.php file ???

    // Simple Query String Login page protection
    function example_simple_query_string_protection_for_login_page() {
        $QS = '?mySecretString=foobar';
        $theRequest = 'http://' . $_SERVER['SERVER_NAME'] . '/' . 'wp-login.php' . '?' . $_SERVER['QUERY_STRING'];

        // these are for testing
        // echo $theRequest . '';
        // echo site_url('/wp-login.php') . $QS . '';

        if ( site_url('/wp-login.php') . $QS == $theRequest ) {
            echo 'Query string matches';
        } else {
            header( 'Location: http://' . $_SERVER['SERVER_NAME'] . '/' );
        }
    }
    add_action('login_head', 'example_simple_query_string_protection_for_login_page');

    thanks anik

    http://wordpress.org/plugins/bulletproof-security/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author AITpro

    (@aitpro)

    If this site only allows 4 admins to log in and does not allow any other visitors to register and post comments on the site, then using the Simple Query String Login page protection code is the best solution for this site.

    @mods – the post above needs to be delinked. The entire post is wrapped in an “a” tag. Thanks.

    Thread Starter aniksz

    (@aniksz)

    ya… our site only allows 4 admins to log in and does not allow any other visitors to register, but we do allow comments from readers using the Disqus comment system on our site… is the Simple Query String Login page protection code still our best solution ???

    Plugin Author AITpro

    (@aitpro)

    I think so since Disqus only uses the WP Comment template & system and does not do anything related to WP login.

    Thread Starter aniksz

    (@aniksz)

    ok… let me try it. thank you again 🙂

    Thread Starter aniksz

    (@aniksz)

    sorry to bother you again… having an issue related to this

    I’ve added

    // Simple Query String Login page protection
    function example_simple_query_string_protection_for_login_page() {
        $QS = '?mySecretString=foobar';
        $theRequest = 'http://' . $_SERVER['SERVER_NAME'] . '/' . 'wp-login.php' . '?' . $_SERVER['QUERY_STRING'];

        // these are for testing
        // echo $theRequest . '';
        // echo site_url('/wp-login.php') . $QS . '';

        if ( site_url('/wp-login.php') . $QS == $theRequest ) {
            echo 'Query string matches';
        } else {
            header( 'Location: http://' . $_SERVER['SERVER_NAME'] . '/' );
        }
    }
    add_action('login_head', 'example_simple_query_string_protection_for_login_page');

    to my theme’s functions.php file and replaced mySecretString=foobar with my own secret key. I’m also able to log in through it… but it seems that login is still possible through wp-login.php

    do I need to change or add anything else ???

    Plugin Author AITpro

    (@aitpro)

    This code will only allow you to access the wp-login.php page and log in if you enter your Query String. If you have another plugin that is doing something with the login page and specifically with login_head, then it could override this function and negate it.

  • The topic ‘Protecting Login Page from Brute Force Login Attacks’ is closed to new replies.
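
A variant of the query-string check discussed in this thread, as an added example that is not the plugin author's or the thread starter's code: `login_head` fires while the login page's `<head>` is being printed and is not reached when a credential POST succeeds, so this version hooks `login_init`, which runs at the top of wp-login.php for every request, and exits after redirecting. The constant names, function names and secret value are hypothetical placeholders.

```php
<?php
// Added example for a theme's functions.php; not the plugin author's code.
// Assumption: the parameter name and secret below are constructed placeholders.
const EXAMPLE_LOGIN_KEY    = 'mySecretString';
const EXAMPLE_LOGIN_SECRET = 'replace-with-a-long-random-value';

// Pure decision: is this request to wp-login.php allowed through?
function example_login_gate_allows( array $request, bool $logged_in ): bool {
    if ( $logged_in ) {
        return true; // lets an authenticated admin use the logout link
    }
    $supplied = $request[ EXAMPLE_LOGIN_KEY ] ?? '';
    // hash_equals() compares in constant time; non-string input is rejected first.
    return is_string( $supplied ) && hash_equals( EXAMPLE_LOGIN_SECRET, $supplied );
}

// login_init runs at the top of wp-login.php for GET and POST alike,
// before any HTML is sent, so the redirect header can still be emitted.
function example_login_gate() {
    if ( example_login_gate_allows( wp_unslash( $_REQUEST ), is_user_logged_in() ) ) {
        return;
    }
    wp_safe_redirect( home_url( '/' ) );
    exit; // without this, wp-login.php keeps running after the redirect
}

// The login form posts back to wp-login.php without the query string,
// so carry the secret along as a hidden field.
function example_login_gate_field() {
    printf( '<input type="hidden" name="%s" value="%s" />',
        esc_attr( EXAMPLE_LOGIN_KEY ), esc_attr( EXAMPLE_LOGIN_SECRET ) );
}

if ( function_exists( 'add_action' ) ) {
    add_action( 'login_init', 'example_login_gate' );
    add_action( 'login_form', 'example_login_gate_field' );
} else {
    // Stand-alone check outside WordPress with constructed requests.
    var_dump( example_login_gate_allows( array(), false ) );
    var_dump( example_login_gate_allows( array( EXAMPLE_LOGIN_KEY => 'x' ), false ) );
    var_dump( example_login_gate_allows(
        array( EXAMPLE_LOGIN_KEY => EXAMPLE_LOGIN_SECRET ), false ) );
}
```

Other wp-login.php actions reached without the secret, such as the lost-password link, are redirected to the home page as well.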