Plugin: Limit Login Attempts Reloaded » Kick it out – Mega Huge Log Files to get your teeth into, Hackers live here.

  • Horrid ain’t it, .. for all those poor souls who managed to get to the end: here’s the conclusion as to what’s going wrong, (or right), depending on your take on it.

    FIRSTLY: – This plugin is doing what it’s supposed to do, namely kick out people who enter their web credentials incorrectly, who would be mainly Hackers.

    Despite having this plugin installed, and one that hides my login files — I’m being constantly hacked because of one reason, FIREFOX.

    The comments below are the conclusion of my research into the matter, and I’ll state again that it has absolutely nothing to do with this most excellent plugin. The comments were only there originally because I didn’t know which plugin was causing the problem, and it ain’t this one.

    From a hiding your wp-login.php plugin page:-
    And it could apply to (all) of them.

    OK Chaps, this is a mitigated disaster ..

    I have been digging deep into the underbelly of the web, and found an article on WordPress . (org) about this issue of hackers getting at your login.php file in respect of brute force attacks.

    https://wordpress.org/support/topic/the-hidden-url-can-be-bypassed-in-firefox/

    I’ve hidden the link so it shouldn’t be flagged up, which also means that you can copy it for yourselves if you so wish.

    Conversationally in the article, and using a special string: Firefox alone, out of all the other browsers out there,.. is able to reveal your special hidden WordPress link.

    You have to use this string /%77%70%2D%6C%6F%67%69%6E.%70%68%70 in front of your web site when using the Firefox browser.

    As in:-
    http://www.mysite.com/%77%70%2D%6C%6F%67%69%6E.%70%68%70

    And this will display the hidden URL login page.

    I simply don’t know why the hackers are hammering my site, it’s nothing special and is only there for my entertainment only, but the one thing I’ve taken away from this episode of trying to stop them, is the fact that this plugin: like all the others that supposedly hide your wp-login.php file, do not work.

    BTW, that article appeared on the WordPress . (org) site 4 years ago, and the Firefox issue has still not been sorted.

    Hope it helps, .. Jessica.

  • %77%70%2D%6C%6F%67%69%6E.%70%68%70 is nothing but the URL-encoded value for wp-login.php, and in my tests all browsers resolve it to its original value, not just Firefox, at least on Linux.
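
Added example (not part of the thread and not the plugin's code): since the string is just the percent-encoded form of wp-login.php, access logs have to be searched on the decoded path, or these requests are missed by a plain text search. The sketch assumes combined-format log lines; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request part of a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_path(target):
    """Drop the query string, percent-decode the path once, lowercase it."""
    return unquote(urlsplit(target).path).lower()


def is_encoded_login_hit(target):
    """True when the decoded path is wp-login.php but the raw path hides it."""
    raw_path = urlsplit(target).path.lower()
    return (normalize_path(target).endswith("/wp-login.php")
            and "wp-login.php" not in raw_path)


def scan(lines):
    """Return (client_ip, raw_target) for every encoded login request."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and is_encoded_login_hit(match.group("target")):
            hits.append((line.split()[0], match.group("target")))
    return hits


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2020:10:00:00 +0000] '
    '"GET /%77%70%2D%6C%6F%67%69%6E.%70%68%70 HTTP/1.1" 200 2741',
    '198.51.100.4 - - [01/Jan/2020:10:00:05 +0000] '
    '"GET /wp-login.php HTTP/1.1" 404 512',
    '203.0.113.9 - - [01/Jan/2020:10:00:09 +0000] '
    '"POST /wp-login%2Ephp?action=login HTTP/1.1" 200 2741',
    '192.0.2.15 - - [01/Jan/2020:10:00:12 +0000] '
    '"GET /blog/hello-world/ HTTP/1.1" 200 9120',
]

if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG):
        print(ip, target, "->", normalize_path(target))
```

The same normalization applies to any rule that blocks or hides the login path: compare against the decoded path, not the raw request string.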
