Multi-site best practices for cookie brute force

  • crazywhistlepig

    (@crazywhistlepig)


    8 years, 7 months ago

    I am trying to determine if the cookie based brute force protection works with multisite. I’ve activated the plugin on the main site and can only login to the main site using the mydomain.com/?term=1. Trying to log into sub sites yields no login page (e.g. subsite.com/?term=1 (if using WordPress MU domains plugin) or even sub.mydomain.com/?term=1.

    Furthermore, if I login to the main site and then navigate to a sub site (as a super admin) I cannot access “edit post” links from the front end of the sub site and am redirected to 127.0.0.1.

    Is the cookie brute force protection not compatible, or is there a different method I need to employ? Perhaps activating the plugin for each sub site?

    https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    8 years, 7 months ago

    Hi, can you activate the plugin on each sub site. Carry out a test and report back.

    Thank you

    Thread Starter crazywhistlepig

    (@crazywhistlepig)

    8 years, 7 months ago

    So to do that, I have to create a different term on the subsite. E.g.:

    mainsite.com/?termA=1
    sub.mainsite.com/?termB=1

    However, the plugin only writes the latest change to .htaccess, negating the prior site’s cookie. If I backup the .htaccess file and combine the rewrite directives I can get it to work, however this is not ideal or convenient, especially with over 30 sub sites.

    I also have to set the WordPress MU Domain Mapping plugin to disable primary domain check if I want to be able to use the edit links from the front end of the current theme.

    I’m eager to try this method of brute force protection, seems like it will work very well. Redirecting to 127.0.0.1 is brilliant!

    Thanks!

    Plugin Contributor mbrsolution

    (@mbrsolution)

    8 years, 7 months ago

    Hi, thank you for the extra information. This will help the developers investigate your findings further.

    Unfortunately I don’t have a multisite set up in my testing environment, so I can’t test your situation further.

    Regards

    Thread Starter crazywhistlepig

    (@crazywhistlepig)

    8 years, 7 months ago

    Thanks! I do have a multisite test environment and would be happy to help further if needed.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    8 years, 7 months ago

    Hi,
    The cookie based brute force feature is not supported for multisite. If I remember correctly that menu item should not be visible in the admin area of child sites.
    Having said that, you can use the rename login feature for multisite setups.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Multi-site best practices for cookie brute force’ is closed to new replies.