Viewing 15 replies - 1 through 15 (of 22 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi mbnocx, have a read through this tutorial, which also provides more information.

    Kind regards

    Hi mbnocx,

    Just found your post as I have upgraded to latest AIO WP Security (Version v3.4) and noticed this new feature “rename Log in page”.

    First thing I wondered is this complementary to the original “Brute Force cookie, secret login” that I was using from the earlier versions? So if I already have Cookie based, do I also set this?

    When logged into ‘Brute Force – rename login page’ a small text section at the page top says:
    “You may also be interested in the following alternative brute force prevention features:

    Cookie Based Brute Force Prevention

    Login Page White List”
    Hence I’d think they are mutually exclusive, so have you activated both?

    NOTE: I previously had activated the “Cookie based Brute Force” and provided my secret URL – BUT today just found it fails a simple access test:
    http://www.mysite.com/wp-admin/ Bingo straight to the Log-In.
    (SEE post here 1 year ago by ‘swordpres’)

    Today I tried an alternate Plug-in ‘Re-name wp-login.php‘ and it does not fail the http://www.mysite.com/wp-admin test – result is NO ACCESS.

    Hope this info is helpful to all. Cheers

    Plugin Contributor wpsolutions

    (@wpsolutions)

    NOTE: I previously had activated the “Cookie based Brute Force” and provided my secret URL – BUT today just found it fails a simple access test:
    http://www.mysite.com/wp-admin/ Bingo straight to the Log-In.

    This is not true.
    The “Cookie based Brute Force” feature is letting you in because your browser already has the special cookie needed to access the login page. I bet if you tried deleting your cookies or from a totally different browser where you have never logged into the site the feature will not allow you to gain access to the login page via the “wp-admin” url.

    So in summary, the brute force feature will always block access to your login page if you do not have the special cookie irrespective of whether you try to go directly to wp-login.php OR wp-admin.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    @mbnocx,
    If you also have the “cookie based brute force” active, can you please deactivate it and try the same tests again?

    Thanks WP-Solutions for the quick answer re the All in One WP Security “Cookie Based Brute Force”.

    Sure enough I deleted all cookies and BINGO security works fine, I could not gain access via http://www.mysite.com/wp-admin

    My apology.

    SO to confirm with your new update, only 1 of the features should be activated?

    For interest sake, is the Cookie based URL change better than the simple rename URL? I tried both and they are so similar I’m just not sure of the major difference?

    Regards

    Plugin Contributor wpsolutions

    (@wpsolutions)

    @appleisle,

    SO to confirm with your new update, only 1 of the features should be activated?

    Yes I think at this stage having only one of either the “Cookie Based Brute Force” OR “Rename Login Page” features active might be the best thing to do. (even though theoretically both features can run side by side, on certain sites people appear to be getting unexpected behaviour when both of these are active simultaneously)

    is the Cookie based URL change better than the simple rename URL? I tried both and they are so similar I’m just not sure of the major difference?

    Both of these features are very good at protecting against brute force attacks. They do however differ fundamentally in the way they work:

    – the Cookie Based Brute Force feature stops unauthorized people at the .htaccess level and also does some cookie checks before allowing someone to access the login page

    – the Rename Login Page feature works purely at the PHP level.

    We added the second feature as an alternative brute force prevention technique for those people whose sites might not be compatible with the first one.

    Thread Starter mbnocx

    (@mbnocx)

    Thanks for all the responses everyone. I checked the settings I have enabled and under Brute Force the only option selected is the Rename Login Page. I did at one time try the cookie based brute force option but I have since unselected that (prior to selecting the rename login page option).

    @mbrsolution, I did check that tutorial which was helpful for understanding a few things I did not know. Thanks! But, even deleting all cookies, cache, and temp files on each computer I am at the same spot.

    If I turn off the rename login page option I can then get to the wp-login page from any computer I am using and login. With it enabled I still can get to that page but then I get the “403 Forbidden” message on anything other than my home PC.

    Thread Starter mbnocx

    (@mbnocx)

    Today I tried an alternate Plug-in ‘Re-name wp-login.php’ and it does not fail the http://www.mysite.com/wp-admin test – result is NO ACCESS.

    This is the other plugin I tried a couple of months ago that also did not work for me. I stopped using it when I could not get it to work.

    @wpsolutions

    Have just suffered identical issue as ‘mbnocx’ last night: (my friend’s website where he now cannot gain access even though I provide the rename Login page URL.)

    I did at one time try the cookie based brute force option but I have since unselected that (prior to selecting the rename login page option). This was working OK for me, I turned it off and went to the newer “Rename Login Page” then exactly same issue;

    If I turn off the rename login page option I can then get to the wp-login page from any computer I am using and login. With it enabled I still can get to that page but then I get the “403 Forbidden” message on anything other than my home PC.

    My Page ERROR when trying to log in to my special rename Login Page Setting on a different computer: “Please log in to access the WordPress admin area”
    As per mbnocx – turn it off again and I can login perfectly on another computer.

    Could it be the ‘cookie’ issue is somehow activating?

    @wpsolutions
    I’d suggest the issue is definitely associated with having turned on the Cookie based option originally – then turning it off. Maybe .htaccess related???? I’m no programmer but this seems most likely.

    MY FINDINGS: I just tried an alternate site I have and only activated the “rename Login Page” & set up my secret URL as a Google Chrome bookmark. Worked fine I was allowed to access this site from any of 3 different computers.

    Hope this helps pinpoint the issue. Cheers Dennis

    Thread Starter mbnocx

    (@mbnocx)

    Is there a way (of course there is but I wonder the best way) to start over with a fresh .htaccess file and then activate each of the options we want in this plugin? I only have a couple of backups of my .htaccess and they were all when having All In One WP Security installed. I can easily write down all the checkboxes I have selected, uninstall the plugin, and reinstall again. But, my guess would be that the .htaccess won’t go back to the standard. Any ideas of the best way for this? Then I can only select the rename and not touch cookie based options. Just an idea. 🙂

    Plugin Contributor wpsolutions

    (@wpsolutions)

    @mbnocx,
    If you don’t want to use your .htaccess backups then you can simply edit the existing .htaccess file and remove all of the code between and including the following tags:
    # BEGIN All In One WP Security
    # END All In One WP Security

    @appleisle,
    Thanks for the info. So far we haven’t been able to reproduce this issue but we will keep trying and hopefully we can pin down the reason you are seeing it.
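
The manual clean-up described in the reply above (removing everything between and including the two plugin markers), as an added shell example that is not part of the original thread or the plugin's own code. The function name `strip_aiowps_block` and its exit codes are assumptions chosen here; it keeps a `.bak` copy and refuses to modify a file whose markers are missing or unbalanced.

```shell
#!/bin/sh
# Added example (not from the thread or the plugin).
# Usage: strip_aiowps_block /path/to/.htaccess
# Exit codes (chosen for this example):
#   0 = block removed, original saved as FILE.bak
#   1 = file missing or temp file could not be created
#   2 = markers missing, nested, reversed or unclosed; FILE left untouched

BEGIN_MARK='# BEGIN All In One WP Security'
END_MARK='# END All In One WP Security'

strip_aiowps_block() {
    file=$1
    [ -f "$file" ] || return 1
    tmp=$(mktemp "${file}.XXXXXX") || return 1

    # Copy every line outside the marked block; the markers themselves are
    # dropped too. Trailing whitespace and CR are ignored when matching, so
    # a file edited on Windows is still recognised.
    if awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        { line = $0; sub(/\r$/, "", line); sub(/[ \t]+$/, "", line) }
        line == b { if (inside) bad = 1; inside = 1; seen = 1; next }
        line == e { if (!inside) bad = 1; inside = 0; next }
        !inside   { print }
        END       { if (bad || inside || !seen) exit 2 }
    ' "$file" > "$tmp"; then
        # Back up first, then overwrite in place so the file keeps its
        # existing owner and permissions.
        cp -p "$file" "${file}.bak" && cat "$tmp" > "$file"
        rc=$?
    else
        rc=2
    fi

    rm -f "$tmp"
    return $rc
}
```

Other marked sections in the same file, such as the `# BEGIN WordPress` block, are left as they are.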

    Thread Starter mbnocx

    (@mbnocx)

    OK, that was simple. I don’t know why I just didn’t look at the file. 🙂 Thanks! I will re-post back once I have tried going back.

    Thread Starter mbnocx

    (@mbnocx)

    Good news! The problem is fixed. 🙂

    Here is what I did:

    * I wrote down all of the settings that I had enabled in this plugin and then disabled the security and firewall features.
    * I had already backed up the .htaccess file and removed all the references to this plugin as discussed above.
    * Once I disabled the security and firewall features, I uninstalled the plugin completely.
    * I then replaced the .htaccess file with the more basic one (no All In One WP Security references).

    I reinstalled the plugin and started re-selecting all of the features I had previously chosen. After every few screens I would test the access from both my home PC and work PC. After about half way through, the problem returned. I narrowed down the problem to one specific checkbox.

    With the Rename Login Page option enabled (no other brute force options were chosen) I had the problem when I also selected Firewall > Additional Firewall Rules > Proxy Comment Posting (Forbid Proxy Comment Posting). With this feature selected and the rename option enabled I cannot login from other PCs. As soon as I disabled this Forbid Proxy Comment Posting option the problem went away.

    If anyone else is having this problem try removing the one option above and see what happens. I am curious if this solves Dennis’ (appleisle) issue as well.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    @mbnocx
    Thanks for the info!
    We will do some tests with the settings you mentioned.

  • The topic ‘Rename login page and now unable to login’ is closed to new replies.