iThemes Security (formerly Better WP Security)
After enabling Hide Backend still I am getting bad login attempt how? (7 posts)

  1. tejprakash2580
    Posted 3 years ago #

    Sir ,
    Thanks for your plugin and nice interface, I have a query I have enabled hide backend with custom login slug and security key. Also I have limit login attempt to 3 per host , 5 per user. Also I am using Google authenticator plugin to log on my site.
    But I surprise in Logs I have seen daily 200-300 bad login attempt with user admin ( There is no user with admin). How these guys able to access login screen without knowing login slug and secret key. From where they get to know about secret key.
    Where is the vulnerability so that I can correct them, I am not having too much of coding knowledge but I can correct them if I found the cause.

    Thanks in advance.


  2. Handoko
    Posted 3 years ago #

    I have same problem and I found it has been discussed here:


    Currently, I manually ban the IP who has 3x attempt to login. Hope the author of Better WP Security can fix it soon.

  3. Handoko
    Posted 3 years ago #

    Hello, I have a quick fix if you want to try.

    WARNING before you try it:
    - I have try it on my website and it works, but I guarantee nothing.
    - Don't blame me if it breaks your website.
    - Backup your website before you try, especially the .htaccess file.

    Step 1
    Save your .htaccess file to your local computer (using cPanel > File Manager or FTP)

    Step 2
    Open the .htaccess file using a text editor.

    Step 3
    Find these text:

    RewriteCond %{QUERY_STRING} ^loggedout=true
    RewriteRule ^.*$ /wp-login.php?blablablablabla [R,L]
    # END Better WP Security

    Step 4
    Change it to:

    RewriteCond %{QUERY_STRING} ^loggedout=true
    RewriteRule ^.*$ / [R,L]
    # END Better WP Security

    Step 5
    Save it back to your website.

    - The text:blablablablabla is your secret key.
    - Remember do backup before you try.

    The disadvantage of using this trick is if you save your setting on Better WP Security, the text will be revert to the default.

    Good luck.

  4. SoftBlue
    Posted 3 years ago #

    Thanks for the fix.

    On my site (using Chrome), the above fix seems to result in a recursion within .htaccess that ultimately resolves with a browser reported error. This doesn't work well for me because it is where I get dumped off to after doing site updates & maintenance.

    Using the following I was able to change the location to the default page for my site:

    RewriteRule .* http://mydomainname.com%{REQUEST_URL}? [R=301,L]

    I'm not proficient with .htaccess & regular expressions, so there must be a more elegant solution. Please exercise caution and use the previously mentioned precautions.

    Hopefully this will be fixed in an upcoming release of the plugin.

  5. Handoko
    Posted 3 years ago #

    Great alternative of the rewrite rule on Step 4.

  6. mindspins
    Posted 3 years ago #

    Serious flaw, but this explains the ongoing attacks. Curious to see what the author has to say. For now I have to agree with Handoko and SoftBlue.

  7. Jerremy
    Posted 2 years ago #

    You can also just edit your .htaccess properties to 777, save a page of WP Better Protect, and put the properties back to normal. Check your .htaccess again, and it'll be modified.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic