• Resolved Lakjin

    (@lakjin)


    I use Limit Login Requests to automatically ban an IP address that makes too many login failures. I would like to use NinjaFirewall alongside it, but there seems to be some sort of incompatibility.

    Would it be possible to figure out what is incompatible and fix it, or add in the features of Limit Login Requests to NinjaFirewall? Yes, I know NinjaFirewall has measures for anti-brute-force but they are not the same — I’d like to be able to ban IP addresses for X amount of hours if there are more than Y failed login attempts in addition to how NinjaFirewall HTTP authenticates WP-Login.

    Also, question. How does NinjaFirewall deal with WooCommerce and its AJAX-based login?

    Thanks!

    https://wordpress.org/plugins/ninjafirewall/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

There is no conflict or incompatibility between them, but the fact that NinjaFirewall works before WordPress means that it will block the attack without even loading WordPress. Limit Login Requests will never know about the attack and will not be loaded either, because it relies on WordPress.

    Regarding blocking IPs, we released yesterday v1.2.6 which offers the possibility to write the incident, including the IP, to the server AUTH log. Did you check it?

    If the AJAX-based WooCommerce login is calling the wp-login.php script, then it is protected as well.

    Thread Starter Lakjin

    (@lakjin)

    Hi,

    How would NinjaFirewall block the attack? I don’t see any throttling of traffic feature, at least not in the free version. (BTW, I’m open to trying the WP+ version, but I want to test free version first to see if it fits my needs.)

    I’m afraid I’m not technically sophisticated enough to know what it means to write to AUTH log. What does that do?

My issue is, I cannot afford to block access to AJAX-based WooCommerce login on checkout page because I constantly have legitimate users logging in and out. Is there any way to NOT protect that with HTTP auth feature and thus only have Limit Login Requests protect it?

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

It does not rely on IPs but on the number of attempts to log in within N seconds. It will password-protect it for N minutes:

    Password-protect it: For N minutes, if more than N POST requests within N seconds.

    “POST requests” is when you submit the login form.
    “GET requests” is when you access the login page.

You can disable NinjaFirewall brute-force protection and let Limit Login Requests handle it. If the attack is not distributed, it should handle it without problem.

    Regarding the AUTH log, you can have an overview here.
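
The two throttling rules discussed in this thread, as an added worked example (Python, not the code of NinjaFirewall or Limit Login Requests, whose internals are not shown here). It models the reply's "more than N POST requests within N seconds, password-protect for N minutes" rule as a global counter that ignores the source IP and does not count GETs, and the original question's "ban an IP for X hours after Y failures" rule as a per-IP counter, then replays constructed sample traffic through both in the order the earlier reply describes: the firewall layer runs first, and only requests it lets through ever reach WordPress and the per-IP plugin. Class names, parameters, the `simulate` helper and the two sample IPs are all this example's own assumptions.

```python
from collections import defaultdict, deque


class GlobalPostThrottle:
    """Firewall-style rule: count POST requests to the login page regardless
    of source IP; once more than max_posts arrive within window_s seconds,
    password-protect the page for lock_s seconds. (Hypothetical model.)"""

    def __init__(self, max_posts: int, window_s: float, lock_s: float) -> None:
        self.max_posts = max_posts
        self.window_s = window_s
        self.lock_s = lock_s
        self.posts: deque = deque()      # timestamps of recent POSTs
        self.locked_until = 0.0

    def check(self, method: str, now: float) -> str:
        """Return 'allow' or 'password_protected' for one request."""
        if now < self.locked_until:
            return "password_protected"
        if method != "POST":             # GET (loading the form) is not counted
            return "allow"
        self.posts.append(now)
        while self.posts and now - self.posts[0] > self.window_s:
            self.posts.popleft()         # drop POSTs outside the window
        if len(self.posts) > self.max_posts:
            self.locked_until = now + self.lock_s
            self.posts.clear()
            return "password_protected"
        return "allow"


class PerIpFailureBan:
    """Plugin-style rule: after max_failures failed logins from one IP within
    window_s seconds, ban that IP for ban_s seconds. (Hypothetical model.)"""

    def __init__(self, max_failures: int, window_s: float, ban_s: float) -> None:
        self.max_failures = max_failures
        self.window_s = window_s
        self.ban_s = ban_s
        self.failures = defaultdict(deque)   # ip -> timestamps of failures
        self.banned_until: dict = {}

    def is_banned(self, ip: str, now: float) -> bool:
        return now < self.banned_until.get(ip, 0.0)

    def record_failure(self, ip: str, now: float) -> bool:
        """Record one failed login; return True if it triggers a ban."""
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_failures:
            self.banned_until[ip] = now + self.ban_s
            q.clear()
            return True
        return False


def simulate(requests, firewall, limiter):
    """Replay (time, ip, method, login_ok) requests: the firewall runs first;
    only requests it allows reach WordPress and thus the per-IP limiter."""
    decisions = []
    for now, ip, method, login_ok in requests:
        if firewall.check(method, now) == "password_protected":
            decisions.append("firewall")     # WordPress never loads
            continue
        if limiter.is_banned(ip, now):
            decisions.append("ip_banned")
        elif method == "POST" and not login_ok:
            limiter.record_failure(ip, now)
            decisions.append("login_failed")
        else:
            decisions.append("ok")
    return decisions


# Constructed sample traffic: one attacker IP submitting a wrong password once
# per second, and one legitimate shopper loading the form and then logging in.
ATTACKER, SHOPPER = "203.0.113.5", "198.51.100.9"
SAMPLE_REQUESTS = sorted(
    [(t, ATTACKER, "POST", False) for t in range(8)]
    + [(3, SHOPPER, "GET", True), (9, SHOPPER, "POST", True)],
    key=lambda r: (r[0], r[1] != SHOPPER),   # shopper first on equal times
)


def run_scenario(max_posts: int):
    """Return (per-request decisions, set of IPs banned by the per-IP layer)."""
    firewall = GlobalPostThrottle(max_posts=max_posts, window_s=10, lock_s=60)
    limiter = PerIpFailureBan(max_failures=3, window_s=600, ban_s=3600)
    decisions = simulate(SAMPLE_REQUESTS, firewall, limiter)
    return decisions, set(limiter.banned_until)


if __name__ == "__main__":
    for n in (5, 2):
        d, banned = run_scenario(n)
        print(f"firewall threshold {n}: {d} banned_by_ip={banned}")
```

With the firewall threshold at 5 the per-IP layer sees three failures and bans the attacker before the global lock engages; with the threshold at 2 the firewall locks the page on the third POST and the per-IP layer never accumulates enough failures to ban anyone, which is the situation the reply above describes. In both runs the shopper's later POST also lands on the password-protected page, since the global rule does not distinguish source IPs.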

    Thread Starter Lakjin

    (@lakjin)

    Hi,

    Yeah, I understand how it works. My issue is, I WANT HTTP auth on wp-admin or wp-login.php (when accessed directly and not via AJAX) if a brute force attack is happening (it stops excess load on my server, I’m not really worried about them breaking in cause Limit Login Requests will stop that). But I don’t want it on WooCommerce AJAX logins. Is that possible?

    Plugin Author nintechnet

    (@nintechnet)

    Hi

I will check how WooCommerce AJAX works, as I need to know whether it sends a POST request to the wp-login page or if it uses WP authentication functions.
Is its AJAX login form a WooCommerce built-in feature or a WooCommerce plugin?

    Thread Starter Lakjin

    (@lakjin)

    Both.

    The built-in AJAX login form is during checkout (the /checkout page for any WooCommerce website) and WooCommerce also has a non-AJAX login form at /my-account. Then there are plenty of plugins that use AJAX logins.

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    I just tested on a dev server where we have it installed.
It is using WordPress authentication functions, but does not rely on the wp-login.php. I could log in from the checkout page without any problem.
    You can try it:
    1. log in to WP admin console.
    2. set NF login protection to “Always ON”.
    3. Log out.
4. Delete all your cookies.
    5. access /wp-login.php (do not log in yet): you will get NF password protected page.
    6. access your shop, select a product, go to the checkout page and log in: you should not be blocked.
    7. access /wp-login.php: you will still get NF password protected page.

Regarding the checkout process, if you use HTTPS, you can set up NF to filter only HTTP traffic so that you will never block your customers during the checkout (“Firewall Policies > Enable NinjaFirewall for: HTTP traffic only”). This applies to the firewall rules only, not to the brute-force protection.

  • The topic ‘Incompatibility with Limit Login Requests’ is closed to new replies.