BulletProof Security
[resolved] BPS refreshes login with no known reason. (5 posts)

  1. houseofstrauss
    Member
    Posted 9 months ago #

    This one stumped me for a day. On a site that has been using BPS for some time without problems, suddenly one day the WP login screen does nothing except refresh the form on each login attempt.

    No messages, no prompts, no errors, nothing, just constant refresh with no action. It was impossible to log in and reach admin. At first I thought the site had been hammered by bot logins and my server admin had disabled the login function. Eventually, by a long process of elimination, I added my own IP to line-181 of wp-admin/.htaccess and finally the login form functioned properly.

    This was a very time costly and annoying issue. Made worse by not knowing where to start looking for the problem, and not being able to access admin.

    Is this intentional, and without any notification of what had happened?

    http://wordpress.org/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 9 months ago #

    The problem you are describing is not something anyone else has ever reported with BPS, so logically this is either due to having conflicting login plugins or using personal custom .htaccess code. It looks like this issue/problem may be both things...

    I checked your comment posting history and it looks like you are using several different plugins that do something with Logins. Use caution when using several plugins that do the same, similar or exact things. If plugin features are calling the same WordPress hooks - actions and filters there is a very good chance that they will conflict with each other, 1 overrides the other or worse they cancel each other out. Being able to use several login plugins/features together is going to depend on whether the plugins are calling the same hooks. You can do trial and error or look at the code of the plugins to check this.

    "I added my own IP to line-181 of wp-admin/.htaccess and finally the login form functioned properly."

    I assume from your statement above that you have created your own personal custom .htaccess code in the wp-admin .htaccess file since by default BPS does not have IP based code in the wp-admin .htaccess file.

  3. houseofstrauss
    Member
    Posted 9 months ago #

    Thanks for the reply. I simply scanned all the htaccess code and found this section (I've added nothing except the last line with my IP):

    # manually adding an IP address may be an option you want to use temporarily.
    # EXAMPLE:
    #AuthUserFile /dev/null
    #AuthGroupFile /dev/null
    #AuthName "Password Protected Area"
    #AuthType Basic
    #order deny,allow
    #deny from all
    # whitelist home IP address
    #allow from 64.233.169.99
    # whitelist work IP address
    #allow from 69.147.114.210
    #allow from 199.239.136.200
    # IP while in Kentucky; delete when back
    allow from (added my ip here)
    # END OPTIONAL WP-ADMIN ADDITIONAL SECURITY MEASURES
    # REQUEST METHODS FILTERED
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F,L]

    In fact the problem returned later, so more digging around revealed that CloudFlare was conflicting also. I've now paused the service and have again got admin access. What's odd is that this problem has just happened out of the blue. I run my sites very much with an 'if it isn't broke, don't fix' approach. I don't fiddle and tweak for fun. Yes, I run several sites, not all forum posts are for one site...

    Anyway, thanks for your reply. I hope you realised I was NOT pointing the finger at BPS, just reaching out to find a solution.

  4. AITpro
    Member
    Plugin Author

    Posted 9 months ago #

    Yep, sure I did not take it that way at all. When posting in the WordPress Forum we post knowing that the post will probably be viewed by 100's or 1,000's of other people so we explain as much as possible to avoid possible confusion in the future.

    CloudFlare uses a custom Header field that is equal to X-Forwarded-For. To do IP based filtering/blocking take a look at this code to get the general idea of how to whitelist CloudFlare as well as other IP addresses. We added some new checking fields for CloudFlare on the System Info page to get the CloudFlare X-Forwarded-For IP address/addresses.

    Scroll down to the CloudFlare help section

    http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

  5. houseofstrauss
    Member
    Posted 9 months ago #

    Ahhh ... that maybe explains it. I'll dig deeper. Thanks for the helpful feedback.
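
An added example, not from the thread and not BPS's own code, of the point in post 4 about IP-based filtering behind CloudFlare: an `Allow from` rule is evaluated against the connecting address, which behind a proxy is the proxy's, so the rule has to test the forwarded header instead. It assumes Apache 2.2-style access directives as used in the quoted .htaccess; `203.0.113.10` is a constructed documentation address and `admin_ip` is a hypothetical variable name.

```apache
# wp-admin/.htaccess (constructed example)

# BEFORE: evaluated against the TCP peer address. When requests arrive
# through a reverse proxy, the peer is the proxy, so the administrator's
# own address never matches and every request falls through to "Deny".
#Order deny,allow
#Deny from all
#Allow from 203.0.113.10

# AFTER: test the address the proxy reports in X-Forwarded-For.
# The pattern is anchored at both ends, so a header carrying a list of
# addresses (a value supplied by the client with the proxy's entry
# appended) does not match and the request stays denied.
SetEnvIf X-Forwarded-For "^203\.0\.113\.10$" admin_ip

Order deny,allow
Deny from all
Allow from env=admin_ip

# Apache 2.4 without mod_access_compat: replace the three lines above with
#   Require env admin_ip

# Caveat: the header is only trustworthy when the origin server accepts
# connections solely from the proxy's address ranges (enforced at the
# firewall or equivalent). If the origin is reachable directly, the
# header value is whatever the client chose to send.
```

Because the rule fails closed, a changed home or travel IP locks the administrator out until the pattern is updated, which matches the kind of silent lockout described in the first post.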
