All In One WP Security & Firewall
[resolved] Rename Login Page VS Cookie Based Brute Force Prevention? (18 posts)

  1. Ipex Media
    Member
    Posted 3 months ago #

    What's the difference between these 2 as the heading says?

    They sound like the same thing, with the user assigning a secret login word for where the wp-login.php file is located.

    Can I have both of these enabled, or will both conflict? Then why have 2 of these seemingly same things if one is a better option than the other?

    https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

  2. mra13
    Member
    Plugin Author

    Posted 3 months ago #

    Underneath they are very different. One uses a cookie, the other one doesn't. They can't both be enabled at the same time because they will conflict. I would recommend that you try the "rename login page" option first.

  3. Ipex Media
    Member
    Posted 3 months ago #

    Ok, what's the benefit of using cookie or not using cookie?

    Why would I prefer and when to use one over the other?

  4. mra13
    Member
    Plugin Author

    Posted 3 months ago #

  5. Ipex Media
    Member
    Posted 3 months ago #

    Yes, I read through that, and it didn't explain my question; it doesn't explain the difference between these two.

    They both do the same thing of accessing the login page through rerouting a different link.

  6. mbrsolution
    Member
    Posted 3 months ago #

    Hi @Ipex Media, I had a read through the URL that @mra13 provided above.

    Answering your question

    Ok, what's the benefit of using cookie or not using cookie?

    Why would I prefer and when to use one over the other?

    If you read the following part from the URL above, it answers your questions.

    The way it works essentially is: you specify a “secret word” to the plugin, which creates a special URL. The special (secret) URL, when visited, deposits a cookie on the computer which, when present, allows that individual to visit the WordPress login page as usual. Without knowledge of the special URL (i.e. having the cookie), the user will be redirected to a different IP Address or URL that you configure. This could be to any site on the web but the default is http://127.0.0.1 which represents the local machine of the web site visitor.

    Let me know if that helps you.

    Kind regards

  7. Ipex Media
    Member
    Posted 3 months ago #

    I know, and it sounds exactly like what the Rename Login does by having a different slug at the end of the domain to access the login page.

    A demonstrative video would help, instead of explaining something on text that sounds exactly the same thing as each option would do.

    That just explained the features, but doesn't answer the question, which was a comparison.

  8. mbrsolution
    Member
    Posted 3 months ago #

    Yes, it probably does sound the same, but in this security setting you are adding another level of security by utilizing a cookie.

    In other words, the cookie has some secret content, and if the user tries to log in without the cookie present in the browser then they are redirected to another page depending on your settings.

    Let me know if that helps you further?

    Kind regards

  9. Ipex Media
    Member
    Posted 3 months ago #

    So the Cookie Based Brute Force is a better superior option than Rename Login?

    Then why have both options then, when CBBF is better than RL, and we can only select either one at the same time?

  10. mbrsolution
    Member
    Posted 3 months ago #

    From what I know about this great plugin, having different options of security caters to all users' needs.

    Remember you probably won't be able to enable all the security features in the plugins for various reasons and if you try to without thorough testing you might lock yourself out of your site. It has happened to many. That is why the developers have gone to extra lengths to add lots of instructions for everyone to read before they enable and implement an option.

    I don't enable this security feature in the plugin for my websites; instead I use Google Authenticator and this plugin, which gives me the level of security I am happy with.

    However my setup might not work for everyone hence the reason why there are many security options available for you to choose from.

    I hope this helps you further. If you need more help let me know.

    Kind regards

  11. wpsolutions
    Member
    Plugin Author

    Posted 3 months ago #

    @Ipex Media,
    The main difference is that the cookie based feature does its defending at the .htaccess level (e.g., Apache) and the rename login feature stops people at the PHP level.

  12. mbrsolution
    Member
    Posted 3 months ago #

    Thank you @wpsolutions :) I will remember this from now on....

    Kind regards

  13. Ipex Media
    Member
    Posted 3 months ago #

    @wpsolutions
    Honestly, I'm still not sure what that's supposed to mean practically.

    For example, how is defending at .htaccess level better/preferred than at the php level, and vice-versa?

    It would help if you had a demo video or comparison VS chart to allow us to choose the better option.

  14. wpsolutions
    Member
    Plugin Author

    Posted 3 months ago #

    Hi @mbrsolution,
    Anytime mate! :)

  15. wpsolutions
    Member
    Plugin Author

    Posted 3 months ago #

    @Ipex Media,
    Basically the 2 features aim to do the same thing - i.e., to protect the login access to your WordPress site.

    The cookie based feature will not work on some servers (eg, nginx) because they have a different setup and don't use .htaccess files.
    That's why we introduced the rename login feature because this will generally work on most servers.

    That's the essential difference and the reason we have both features available is to cater for those people who can't use one of them.

    We do have a video for the cookie based feature because that is slightly more complex:
    http://www.tipsandtricks-hq.com/all-in-one-wp-security-plugin-cookie-based-brute-force-login-attack-prevention-feature-5994

  16. mra13
    Member
    Plugin Author

    Posted 3 months ago #

    When a hacker is trying to guess the URL, blocking them on an htaccess level is much more efficient because your WordPress is not loading every time the hacker is making a guess, so your server resource is not getting drained by some spammer.

    When you do things on a PHP level, your site is loading which is costing you resource. So if a bot is doing thousands of guesses per X minutes and your server is loading the whole PHP environment, it can make your site super slow (because the server resource is being hogged).
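
A sketch of the .htaccess-level cookie gate described in this thread, added here as an example; it is not part of the original posts and is not the rule set the plugin itself writes. The query parameter `letmein`, the cookie name `login_gate`, the token value and the `.example.com` domain are constructed placeholders, and the rules assume WordPress at the site root, served over HTTPS.

```apache
# Added example (not the plugin's generated rules). Place above the
# "# BEGIN WordPress" block so these rules run before WordPress's own.
RewriteEngine On

# 1. The secret URL: https://example.com/?letmein=1
#    mod_rewrite sets the gate cookie (24 h, Secure, HttpOnly) and
#    redirects to the login page. No PHP is executed for this step.
RewriteCond %{QUERY_STRING} (^|&)letmein=1(&|$)
RewriteRule ^$ /wp-login.php? [R=302,L,CO=login_gate:CONSTRUCTED-TOKEN:.example.com:1440:/:secure:httponly]

# 2. The gate: any request for wp-login.php or wp-admin that does not
#    carry the cookie is redirected to http://127.0.0.1 (the default
#    target quoted earlier in the thread) before WordPress loads.
#    admin-ajax.php is exempted because front-end features call it
#    for visitors who are not logged in.
RewriteCond %{REQUEST_URI} ^/(wp-login\.php|wp-admin)
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php
RewriteCond %{HTTP_COOKIE} !(^|;\s*)login_gate=CONSTRUCTED-TOKEN(;|$)
RewriteRule .* http://127.0.0.1 [R=302,L]
```

Because Apache answers the gated requests itself, a wrong guess costs one redirect rather than a full WordPress load, which is the efficiency point made above. On servers that do not read .htaccess files (e.g., nginx) these rules have no effect.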

  17. Ipex Media
    Member
    Posted 3 months ago #

    Thanks mra13, that's exactly the answer I was looking for.

    If that's the case CBBF should be the default and the RL should be alternative if the former doesn't work.

  18. Ipex Media
    Member
    Posted 2 weeks ago #

    I have tested this using the Cookie Based, and apparently it doesn't work when I go to the URL http://www.socialskills101.com/?secretword=1.

    Plus, if the hacker knows about wp-login.php, that will go to the wp-admin instead.

    So I have used Redirect instead of the Cookie.
