Hi,
We cannot check whether it is valid or not as that would defeat the main purpose of the protection, which is to protect at the lowest level. Otherwise, WordPress would load (as well as its plugins), would send dozens of queries to the database and would make a few other operations/calculations.
However, the protection is quite flexible. The default values, 8 POST requests / 15s, are fine for most users. You may want to lower to 10s or increase to 10 POST requests. If you disabled it, check your HTTP log and you’ll see how many consecutive POST requests are sent from your desktop. You could adjust the protection accordingly.
If you have a static IP, you can whitelist it with the help of the “.htninja” configuration file (that file is processed before the brute-force attack protection).
Thread Starter ecdltf (@ecdltf)
Thanks for the fast and thorough reply!
> Otherwise, WordPress would load (as well as its plugins), would send dozens of queries to the database
OK, I understand. (And that’s exactly why I like this plugin: it doesn’t seem to slow down my site. So, you’re right, we absolutely don’t want to trade in this advantage! (Go figure, before this, I’ve tried another firewall plugin which increased my page load time by 1.1s!))
> You may want to lower to 10s or increase to 10 POST requests.
Yes, thanks, with 10 requests per 15 seconds it goes through. According to the log it makes 1 request per 1.68 seconds.
8req/12s or 6req/9s also work. I guess the shortest one is the most sensible and thus preferable(?)
A strange thing I noticed:
When my desktop editor gets blocked it shows me an HTTP authentication dialog, saying that there is a second level protection. But it doesn’t accept the ID/PW (the one from Ninja).
Yes, the PW is correct; I made a test with the web browser (with the Login Protection forced to “Always”) and there the HTTP authentication (from Ninja) is accepted.
Hi,
Either one is fine.
Regarding the failed password, maybe your application is using/expecting HTTP Basic authentication? But NinjaFirewall relies on cookies instead.
Thread Starter ecdltf (@ecdltf)
> maybe your application is using/expecting HTTP Basic authentication?
Yes, probably. (Besides that, it seems that this feature never really worked.)
Thanks again for the good support.
Best wishes
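Added example, not part of the thread and not NinjaFirewall's own code: the HTTP log check suggested in the first reply, as a script that reports the largest number of POSTs each client sent within a given window, so the limit can be set just above what the legitimate client needs. The log lines are constructed from the 1.68 s rate reported above; the IP addresses and the `/xmlrpc.php` path are placeholders, and the "combined" log format is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Leading fields of an Apache/nginx "combined" log line: client, time, method.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) ')

def max_posts_in_window(lines, window_s):
    """Per client IP, the most POSTs logged within any span shorter than window_s seconds.

    Assumes the lines are in chronological order, as an access log is.
    """
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    peak = defaultdict(int)       # ip -> largest window population seen
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "POST":
            continue
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window_s:   # drop POSTs that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)

def constructed_log():
    """Constructed sample: one client POSTing every 1.68 s (the rate reported in
    this thread), logged at one-second resolution, plus unrelated GET traffic."""
    start = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(20):
        t = start + timedelta(seconds=int(i * 1.68))
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        # 203.0.113.10 and /xmlrpc.php are placeholders chosen for the example.
        lines.append(f'203.0.113.10 - - [{stamp}] "POST /xmlrpc.php HTTP/1.1" 200 512')
        lines.append(f'198.51.100.7 - - [{stamp}] "GET / HTTP/1.1" 200 4096')
    return lines

if __name__ == "__main__":
    log = constructed_log()
    for window in (15, 12, 9):
        print(window, max_posts_in_window(log, window))
```

On the constructed log the peaks are 9 POSTs in 15 s, 8 in 12 s and 6 in 9 s, which matches the settings reported in the thread: 8 per 15 s is exceeded, while 10 per 15 s, 8 per 12 s and 6 per 9 s are not.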