WordPress.org

Forums

Login LockDown
[resolved] Page Hits (10 posts)

  1. Stu
    Member
    Posted 9 months ago #

    I had a persistent bot(s) hitting me up yesterday and happened to be tailing the log in real time over about a 10 minute period. It was brute force from 2 simultaneous IP's in the same country. Anyway, Login Lockdown banned them, but they did not stop hitting the wp-login.php page at a rate of about 2 times per second for quite a while until I physically closed the connection.

    The question is if the bots are banned, the plugin is not actually stopping them from continuing to hit the login page? (or, I'm totally off on my assessment). If true though, how is the plugin denying them trying to fill out the form if they can continue to hit the page?

    thx for any insight on this,
    stu

    https://wordpress.org/plugins/login-lockdown/

  2. gurumoz
    Member
    Posted 9 months ago #

    Don't rely on a plugin to handle that. Try putting it captcha auto_prepend_file = /home/WP-LC/wp-lc.php from the /etc/php.ini file.

    Also use .htaccess in your /wp-admin/ area and lock it to your IP address. Here's a sample:

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "NO Access"
    AuthType Basic
    <LIMIT GET>
    order deny,allow
    deny from all
    allow from your.ip.address.here
    </LIMIT>

    GuruMoz
    [sig moderated as per the Forum Rules]

  3. mvandemar
    Member
    Plugin Author

    Posted 9 months ago #

    @Stu - I have no idea what @gurumoz is talking about as far as the auto_prepend code goes, as doing anything of that nature will not stop bots from trying to access the form. The bit about the .htaccess file is correct though. This version of the plugin does not prevent the actual attempts to log in, only from logging in successfully after x number of failed attempts.

    If you are on a static IP and only need to access the site from 1 location then restricting to a single IP via .htaccess would work to stop the bots (and all bots, actually). If you need something more permissive, then you can add an additional layer of protection by adding an http auth to wp-login.php directly. I will incorporate that option into the next version of the bot.

  4. Stu
    Member
    Posted 9 months ago #

    Thanks very much for the info.

    I'm using Nginx directives rather than .htaccess based on my setup.

    The problem here is anything in the .conf files are going to affect all sites on this machine and I have admins & editors in different countries using IP addresses that will end up changing etc etc.

    I think the best route for me is to limit connections like this that flood the login page.

    cheers
    stu

  5. mvandemar
    Member
    Plugin Author

    Posted 9 months ago #

    @Stu - one solution I use to limit the bots where there are a lot of users is an http login that needs to be passed to get to the WordPress login, but I put the username and password into the title of the http auth, eg:

    "WordPress spam protection: Enter USERNAME: human PASSWORD: password"

    It doesn't stop people from getting in, since they can make sense of the title, but bots won't be configured to read that so will be stopped from hitting the login form, and thus not eat up any resources. I used that on one client's server who had over 150 client sites on there, and while he did get some calls asking about it, in the end it greatly reduced the load the bots were causing.

    -Michael

  6. Stu
    Member
    Posted 9 months ago #

    @Michael - I see fundamentally how to do this using the ngx_http_auth_basic_module... but I don't quite understand how to pass a title as you mentioned. Is this what you have done on a set up like mine (Nginx)?

    Thanks
    Stu

  7. mvandemar
    Member
    Plugin Author

    Posted 9 months ago #

    @Stu, based on this page:

    http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html

    It looks like with the example config:

    location / {
        auth_basic           "closed site";
        auth_basic_user_file conf/htpasswd;
    }

    "closed site" would be the title of the auth login box.

    -Michael

  8. Stu
    Member
    Posted 9 months ago #

    Ahh... doh !

    Have a great weekend Michael.

  9. Stu
    Member
    Posted 9 months ago #

    Got auth_basic working... but now it wants to download the page.

  10. mvandemar
    Member
    Plugin Author

    Posted 9 months ago #

    @Stu, while I have seen similar behavoir on Apache I am not really familiar with ngix. I would suggest asking on the either stackoverflow or the Unix Stack Exchange forum here for that one:

    http://unix.stackexchange.com/

    -Michael

Reply

You must log in to post.

About this Plugin

About this Topic

Tags

No tags yet.