Viewing 15 replies - 1 through 15 (of 15 total)
  • There is a setting/tweak related to removing write permissions from .htaccess and wp-config.php, turn that off and you should be good to go.

    http://http://buymanthings.com/

    Plugin Author AITpro

    (@aitpro)

    The Brute Force Login Protection code would not interfere with logging into your website. Most likely there is some sort of conflict with having more than 1 login security plugin in use – just taking a guess here.

    FTP to your website and rename the /plugins/bulletproof-security plugin folder to /plugins/bulletproof-security-hold and then try and login. After you are logged into your site you can rename the /bulletproof-security-hold folder back to /bulletproof-security and then you should check your BPS Login Security settings and if you have another login security plugin installed then you would need to choose which login security feature you want to use, otherwise there will be a conflict since 2 plugins doing the same or similar things will compete and conflict with each other.

    Plugin Author AITpro

    (@aitpro)

    Also we have been contacted by several people that have had very strange issues with logging into their sites ever since the Brute Force Login attacks started. The issues range from their IP addresses being blocked to their own websites/server to the login page just not being available at all and some even stranger DNS issues. All of these issues are due to hosts taking drastic measures to try and prevent the massive amounts of login attacks.

    Thread Starter alasitis

    (@alasitis)

    Thanks for the response. I tried your suggestion: “… rename the /plugins/bulletproof-security plugin folder to /plugins/bulletproof-security-hold and then try and login.” but could not login.

    I have a dynamic IP Address so I used 2 octets but the next day I checked my IP Address and it began with numbers that did not relate at all to the numbers in the 2 octets from the day before. So could this be the problem or do I not understand how this works?

    In any case, now I simply want to remove whatever needs to be removed (all or part of BPS?) so I can login. Then I can reinstall BPS without the Brute Force Login code and take it from there. I am a big fan of BPS so I just want to get it back to where it was. Also, I am developing more sites and want to buy the Pro version to put on all of them.

    But for now, I need to get logged in and get a clean install of BPS on this site. So how do I do that?

    Plugin Author AITpro

    (@aitpro)

    If your ISP is changing your entire IP address subnet then you would not want to use the Brute Force Login Protection code based on IP address protection and would instead want to use the Brute Force Login protection code based on Server Protocol HTTP/1.0.

    Download your root .htaccess file and edit it with either Notepad or Notepad++ ONLY (not Word, WordPad or any other text editor). Replace the IP based Brute Force Login protection code with the Server Protocol based Brute Force Login protection code and upload your root .htaccess file back to your website.

    Plugin Author AITpro

    (@aitpro)

    The Brute Force Login Protection Forum Topic has been updated to include this help info above.

    http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

    Thread Starter alasitis

    (@alasitis)

    Thanks for the update but where can I get the Server Protocol based Brute Force Login Protection code? I looked but can’t find it. Thanks.

    Thread Starter alasitis

    (@alasitis)

    Okay, I got it. Thanks and disregard my last post.

    # Protect wp-login.php from Brute Force Login Attacks based on Server Protocol
    # All legitimate humans and bots should be using Server Protocol HTTP/1.1
    RewriteCond %{REQUEST_URI} ^/wp-login\.php$
    RewriteCond %{THE_REQUEST} HTTP/1\.0
    RewriteRule ^(.*)$ - [F,L]

    Plugin Author AITpro

    (@aitpro)

    On most of our sites we have to use Server Protocol based blocking code because we allow folks to register and login. This code is still very effective. 😉 The other IP based code is finite – meaning no one but you can login to your site and we use this on certain sites where we don’t want anyone else logging in, but our ISP always uses the same 3 octet subnet xxx.xxx.xxx. so we can use the first 3 octets of that IP address. 😉

    In some ways the Server Protocol based code is actually better anyway. 😉

    And of course you can combine the code. 😉
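The two kinds of rule discussed above, evaluated against the same requests, as an added example that is not from the thread or from BPS. The conditions of the Server Protocol rule are taken from the code posted earlier; the IP based rule is modelled only from its description (an allowlist on the leading octets), and the addresses and request lines are constructed.

```python
import re

# Conditions from the Server Protocol rule posted in this thread.
LOGIN_URI = re.compile(r"^/wp-login\.php$")  # REQUEST_URI: path only, no query string
HTTP_1_0 = re.compile(r"HTTP/1\.0")          # THE_REQUEST: the whole request line


def protocol_rule_blocks(request_line):
    """True if the Server Protocol rule would return 403 for this request line."""
    _method, target, _version = request_line.split(" ", 2)
    path = target.split("?", 1)[0]
    return bool(LOGIN_URI.search(path) and HTTP_1_0.search(request_line))


def ip_rule_blocks(path, client_ip, allowed_prefix):
    """Assumed model of an IP based rule: wp-login.php is reachable only from
    addresses whose leading octets equal allowed_prefix (e.g. "203.0.")."""
    if not LOGIN_URI.search(path):
        return False
    wanted = allowed_prefix.rstrip(".").split(".")
    return client_ip.split(".")[:len(wanted)] != wanted


# Constructed sample: the site owner on two different days, plus an HTTP/1.0 client.
SAMPLES = [
    ("owner, day 1", "203.0.113.25", "POST /wp-login.php HTTP/1.1"),
    ("owner, day 2", "198.51.100.7", "POST /wp-login.php HTTP/1.1"),
    ("HTTP/1.0 client", "192.0.2.44", "POST /wp-login.php HTTP/1.0"),
]


def evaluate(allowed_prefix="203.0."):
    """Return (label, blocked_by_ip_rule, blocked_by_protocol_rule) per sample."""
    rows = []
    for label, ip, line in SAMPLES:
        path = line.split(" ")[1].split("?", 1)[0]
        rows.append((label, ip_rule_blocks(path, ip, allowed_prefix),
                     protocol_rule_blocks(line)))
    return rows


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The second row is the lockout case raised in this thread: once the ISP hands out an address from a different block, the octet allowlist blocks the owner, while the protocol rule still lets an HTTP/1.1 browser through.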

    Thread Starter alasitis

    (@alasitis)

    Now things are kind of desperate. I followed your directions:

    “Download your root .htaccess file and edit it with either Notepad or Notepad++ ONLY (not Word, WordPad or any other text editor). Replace the IP based Brute Force Login protection code with the Server Protocol based Brute Force Login protection code and upload your root .htaccess file back to your website.”

    …. but I get the same notice as before.

    example.com 403 Forbidden Error Page

    If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.

    I did not have this problem before I added the Brute Force Login protection code. But now I REALLY NEED to get into the backend.

    So please, how do I remove whatever needs to be removed (all or part of BPS?) so I can login? Then I can reinstall BPS without the Brute Force Login code and take it from there. As I said before, I am a big fan of BPS and I am developing more sites and want to buy the Pro version to put on all of them.

    But first, I need to get logged in and get a clean install of BPS on this site. So how do I do that?

    Plugin Author AITpro

    (@aitpro)

    Just delete your root .htaccess file and you should be able to login.

    Plugin Author AITpro

    (@aitpro)

    After you login you can create new .htaccess files with the AutoMagic buttons and activate them again. Then test whether or not your host allows you to lock your root .htaccess file. It is possible that they do not allow this and that is what is causing the 403 error. If you lock your root .htaccess file and you see the 403 error again then FTP to your website and change the file permission of the root .htaccess file to 644 permissions.

    Plugin Author AITpro

    (@aitpro)

    Thread Starter alasitis

    (@alasitis)

    1. I deleted the root .htaccess file and was able to login

    2. I created new .htaccess files with the AutoMagic buttons and activated them again.

    3. To be certain, I checked the Root .htaccess File Custom Code and saw that the IP based Brute Force Login Protection code was there in the new .htaccess file. So something else is happening here.

    4. I deleted the IP based Brute Force Login Protection code, then saved the file.

    5. Then I went into my cPanel File Manager and deleted the root .htaccess file again.

    6. I then went back to BPS in my WP Admin and I created new .htaccess files with the AutoMagic buttons and activated them again.

    7. Then I checked the Root .htaccess File Custom Code again and saw that this time the IP based Brute Force Login Protection code was not there.

    8. I logged out but could not log back in.

    9. I changed the root .htaccess permissions from 404 to 644 and was then able to login.

    But the 404 permission always worked before, so is there a change in this latest version of BPS?

    Plugin Author AITpro

    (@aitpro)

    We did make changes to all permissions checking and locking coding to improve it and to make sure it worked consistently on all Hosts. There was a permission caching problem that was occurring in previous versions of BPS where the file permissions checks were not accurate due to a known issue with certain php functions caching file permissions and where using clearstatcache does not actually clear file permissions cache successfully.

    What is more likely is that your Host has made some changes on their end to their Servers/Server restrictions, etc. In any case, since your Host no longer allows you to lock your root .htaccess file with 404 permissions on their Server then be sure to click the Turn Off AutoLock button (permanently saves the AutoLock Off database option to your database) on the BPS Edit/Upload/Download page, otherwise when you upgrade BPS your root .htaccess file may be auto-locked after the BPS upgrade installation has completed.
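Why mode 404 can lock a site out on one host and not on another, as an added example (not BPS code and not from the thread): POSIX applies exactly one permission class to a process, and Apache answers 403 when it cannot read an existing .htaccess file. The uid/gid numbers and the three hosting layouts are constructed; the thread does not say which layout this host uses.

```python
import stat


def web_server_can_read(mode, file_uid, file_gid, proc_uid, proc_gids):
    """POSIX read check: exactly one class applies (owner, else group, else other)."""
    if proc_uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in proc_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


# Constructed hosting layouts; all uid/gid numbers are made up for illustration.
ACCOUNT_UID, ACCOUNT_GID = 1001, 1001      # owner of the root .htaccess file
LAYOUTS = {
    "server runs as the account user": (1001, {1001}),
    "server is an unrelated user": (48, {48}),
    "server user is in the account's group": (48, {48, 1001}),
}


def compare(modes=(0o404, 0o644)):
    """Return {layout: {mode_string: readable}} for each mode and layout."""
    result = {}
    for name, (uid, gids) in LAYOUTS.items():
        result[name] = {
            format(m, "03o"): web_server_can_read(m, ACCOUNT_UID, ACCOUNT_GID, uid, gids)
            for m in modes
        }
    return result


if __name__ == "__main__":
    for layout, readable in compare().items():
        print(layout, readable)
```

Only the third layout differs: the group class is selected, 404 grants it no read bit, and the "other" read bit is never consulted, whereas 644 is readable in all three.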

  • The topic ‘Added BPS Brute Force Login Security code and now can't login to admin’ is closed to new replies.