• Resolved nouha88

    (@nouha88)


    Hello,

    I’d like to thank you for this awesome plugin.

    However, there is something wrong with Brute Force settings.

    It works well the first time it is configured, but then after some time (I don’t know precisely how much), the configuration is still there but doesn’t seem to be taken into consideration.

    We can connect with both the secret key and wp-admin.

    I’ve noticed that while seeing how many failed connection attempts we’ve had on websites.

    We have to resave the settings, so it can be functional one more time.

    Could you please look into this issue?

    Thank you.

    Nouha Balti

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @nouha88

    If you have accessed the site with {siteurl}?{secretword}=1, it will be available for the next 24 hrs and you can access it with wp-admin.

    Failed connections can come via XML-RPC, and the admin username gets exposed to user enumeration. Please cross-check the two settings below.

    1. The XML-RPC call of wp_getUsersBlogs is trying to authenticate the user. – WP Security > Firewall > Basic firewall rules tab > Completely block access to XMLRPC, Disable pingback functionality from XMLRPC. Please check both and save.
    2. Stop user enumeration is not on; it might be the reason your admin username is exposed. – WP Security > Miscellaneous > User enumeration tab; check there.

    Regards
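
A way to check the reply's point from the server side, as an added example that is not part of the thread or the plugin: it tallies XML-RPC posts, failed wp-login.php posts and user-enumeration probes per client IP from an access log. The combined log format, the sample lines, and treating a 200 response to a wp-login.php POST as a failed login are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in "combined" access-log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2023:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/7.88"
203.0.113.7 - - [10/May/2023:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/7.88"
198.51.100.9 - - [10/May/2023:10:01:10 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2023:10:01:11 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2023:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2023:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2023:10:03:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# client IP, request method, request target, HTTP status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(line):
    """Return (ip, category) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
    url = urlsplit(target)
    path = url.path.rstrip("/") or "/"
    # The XML-RPC method name (e.g. wp_getUsersBlogs) is in the POST body,
    # so an access log only shows that xmlrpc.php was posted to.
    if method == "POST" and path.endswith("/xmlrpc.php"):
        return ip, "xmlrpc_post"
    # Assumption: a failed login re-renders the form (200), a success redirects.
    if method == "POST" and path.endswith("/wp-login.php"):
        return ip, "login_failed" if status == 200 else "login_other"
    if re.search(r"(^|&)author=\d+", url.query) or path.endswith("/wp-json/wp/v2/users"):
        return ip, "user_enum_probe"
    return ip, "other"

def summarize(log_text):
    """Map each category of interest to a Counter of client IPs."""
    report = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and hit[1] != "other":
            report.setdefault(hit[1], Counter())[hit[0]] += 1
    return report

if __name__ == "__main__":
    for category, ips in summarize(SAMPLE_LOG).items():
        print(category, dict(ips))
```

If `xmlrpc_post` or `user_enum_probe` counts stay high after the two settings are saved, the requests are still reaching WordPress and the settings are worth rechecking.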

    Thread Starter nouha88

    (@nouha88)

    Hello,

    Thank you for your reply.

    I’ll do as mentioned. Thank you.

    Regards

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @nouha88

    OK, keep me posted.

    Regards

    Thread Starter nouha88

    (@nouha88)

    Hello,

    The account names can no longer be traced, but we still encounter a problem.

    In Cookie Based Brute Force, there is a prefix that should be considered, but it seems to be ignored.

    Users can access the back-office login page using both the prefix and wp-admin.

    However, they are unable to log in, and instead of reaching 127.0.0.1, they can access the wp-admin page.

    I have tried saving the prefix again, but I suspect that after approximately a week, the back-office will be accessible through wp-admin.

    I hope I have provided a clear explanation of the issue. Thank you for your assistance.


The topic ‘Brute Force configuration are not taken into consideration’ is closed to new replies.