• Resolved icing

    (@icing)


    I see a Bonus Custom Code: Brute Force Login Protection on installing the plugin. Before I add this to my custom code, I checked the htaccess file and it already contains this code.

    # BRUTE FORCE LOGIN PAGE PROTECTION
    # Protects the Login page from SpamBots & Proxies
    # that use Server Protocol HTTP/1.0 or a blank User Agent
    RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
    RewriteCond %{HTTP_USER_AGENT} ^(|-?)$ [NC,OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ - [F,L]

    So, does it mean I no longer need to paste code for this into custom code? Then, you may remove this notice from the next versions.

    Thanks

    http://wordpress.org/plugins/bulletproof-security/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author AITpro

    (@aitpro)

    http://wordpress.org/plugins/bulletproof-security/changelog/

    What happened was in .49.3/.49.4 we tried to add this Brute Force Login page protection code as standard BPS code. About 5% of folks cannot use this code and it was causing problems for them so we reverted back to this code being Bonus Code in .49.5. What you want to do just to keep everything simple and organized is to copy this Brute Force Login Page protection code to the Brute Force Login Protection Custom Code text box, click the Save Root Custom Code button, go to the Security Modes page, click the Create secure.htaccess File button and activate Root folder BulletProof Mode again.

    .49.5
    Reverting: Brute Force Login Protection code is now optional/Bonus Code again
    BPS will not automatically add this code as standard code in the root .htaccess file
    The Brute Force Login Protection Custom Code text box will remain for folks who can use this code on their websites.

    Plugin Author AITpro

    (@aitpro)

    Resolving thread.

    Thread Starter icing

    (@icing)

    This was found in the .htaccess file (presumably added by an earlier version of BPS)

    RewriteCond %{HTTP_USER_AGENT} ^(|-?)$ [NC,OR]

    This is offered on the custom code page on the right side.

    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]

    What is the difference between the two? Which one should be used? Can you give me a link to a webpage that explains these things and I will read it myself.

    Thanks

    Plugin Author AITpro

    (@aitpro)

    Use this code: RewriteCond %{HTTP_USER_AGENT} ^$ [OR] – If the user agent is blank, that indicates either a spambot or a hackerbot. The other/older rule checks for an additional dash/hyphen condition in a user agent, but it is problematic so do not use it.
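
To see which requests each User-Agent condition rejects, the following added example (not part of the thread and not BPS code) models the RewriteCond chain in Python against constructed requests. It assumes the rest of the block is identical in both variants and that a missing User-Agent header is seen as an empty string; `request`, `blocked` and `compare` are hypothetical helper names.

```python
import re

# (server variable, pattern, RewriteCond flags) in .htaccess order.
URI = ("REQUEST_URI", r"^(/wp-login\.php|.*wp-login\.php.*)$", set())
PROTO = [("THE_REQUEST", r"HTTP/1\.0$", {"OR"}),
         ("SERVER_PROTOCOL", r"HTTP/1\.0$", set())]
OLDER = [URI, ("HTTP_USER_AGENT", r"^(|-?)$", {"NC", "OR"})] + PROTO
# Assumption: only the User-Agent line differs in the recommended variant.
RECOMMENDED = [URI, ("HTTP_USER_AGENT", r"^$", {"OR"})] + PROTO


def request(user_agent, proto="HTTP/1.1", uri="/wp-login.php", method="POST"):
    """Constructed request; a missing User-Agent header is the empty string."""
    return {"REQUEST_URI": uri, "HTTP_USER_AGENT": user_agent,
            "THE_REQUEST": f"{method} {uri} {proto}", "SERVER_PROTOCOL": proto}


def blocked(conds, req):
    """True if 'RewriteRule ^(.*)$ - [F,L]' would fire (403 Forbidden)."""
    group_hit = False
    for var, pattern, flags in conds:
        nocase = re.I if "NC" in flags else 0
        group_hit = group_hit or re.search(pattern, req[var], nocase) is not None
        if "OR" not in flags:       # end of an [OR] group; groups are ANDed
            if not group_hit:
                return False
            group_hit = False
    return True


def compare():
    """Return (label, blocked by older rule, blocked by recommended rule)."""
    browser = "Mozilla/5.0 (constructed sample)"
    samples = [
        ("browser UA, HTTP/1.1", request(browser)),
        ("blank UA, HTTP/1.1", request("")),
        ("UA is a single dash", request("-")),
        ("browser UA, HTTP/1.0", request(browser, proto="HTTP/1.0")),
        ("blank UA, not login page", request("", uri="/index.php", method="GET")),
    ]
    return [(label, blocked(OLDER, r), blocked(RECOMMENDED, r))
            for label, r in samples]


if __name__ == "__main__":
    for label, older, rec in compare():
        print(f"{label:26} older={'403' if older else 'pass'} "
              f"recommended={'403' if rec else 'pass'}")
```

The only request the two variants treat differently is the one whose User-Agent is a literal `-`; both still reject any HTTP/1.0 request to the login page regardless of User-Agent.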

  • The topic ‘Has Brute Force Login Protection been incorporated?’ is closed to new replies.