Support » Plugin: Login LockDown » Page Hits

  • Resolved Stu


    I had a persistent bot(s) hitting me up yesterday and happened to be tailing the log in real time over about a 10 minute period. It was brute force from 2 simultaneous IPs in the same country. Anyway, Login Lockdown banned them, but they did not stop hitting the wp-login.php page at a rate of about 2 times per second for quite a while until I physically closed the connection.

    The question is if the bots are banned, the plugin is not actually stopping them from continuing to hit the login page? (or, I’m totally off on my assessment). If true though, how is the plugin denying them trying to fill out the form if they can continue to hit the page?

    thx for any insight on this,

Viewing 9 replies - 1 through 9 (of 9 total)
  • Don’t rely on a plugin to handle that. Try putting it captcha auto_prepend_file = /home/WP-LC/wp-lc.php from the /etc/php.ini file.

    Also use .htaccess in your /wp-admin/ area and lock it to your IP address. Here’s a sample:

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "NO Access"
    AuthType Basic
    order deny,allow
    deny from all
    allow from

    [sig moderated as per the Forum Rules]

    Plugin Author mvandemar


    @stu – I have no idea what @gurumoz is talking about as far as the auto_prepend code goes, as doing anything of that nature will not stop bots from trying to access the form. The bit about the .htaccess file is correct though. This version of the plugin does not prevent the actual attempts to log in, only from logging in successfully after x number of failed attempts.

    If you are on a static IP and only need to access the site from 1 location then restricting to a single IP via .htaccess would work to stop the bots (and all bots, actually). If you need something more permissive, then you can add an additional layer of protection by adding an http auth to wp-login.php directly. I will incorporate that option into the next version of the bot.

    Thanks very much for the info.

    I’m using Nginx directives rather than .htaccess based on my setup.

    The problem here is that anything in the .conf files is going to affect all sites on this machine, and I have admins & editors in different countries using IP addresses that will end up changing, etc.

    I think the best route for me is to limit connections like this that flood the login page.


    Plugin Author mvandemar


    @stu – one solution I use to limit the bots where there are a lot of users is an http login that needs to be passed to get to the WordPress login, but I put the username and password into the title of the http auth, eg:

    “WordPress spam protection: Enter USERNAME: human PASSWORD: password”

    It doesn’t stop people from getting in, since they can make sense of the title, but bots won’t be configured to read that so will be stopped from hitting the login form, and thus not eat up any resources. I used that on one client’s server who had over 150 client sites on there, and while he did get some calls asking about it, in the end it greatly reduced the load the bots were causing.


    @michael – I see fundamentally how to do this using the ngx_http_auth_basic_module… but I don’t quite understand how to pass a title as you mentioned. Is this what you have done on a set up like mine (Nginx)?


    Plugin Author mvandemar


    @stu, based on this page:

    It looks like with the example config:

    location / {
        auth_basic           "closed site";
        auth_basic_user_file conf/htpasswd;
    }

    “closed site” would be the title of the auth login box.


    Ahh… doh !

    Have a great weekend Michael.

    Got auth_basic working… but now it wants to download the page.

    Plugin Author mvandemar


    @stu, while I have seen similar behavior on Apache I am not really familiar with nginx. I would suggest asking on either Stack Overflow or the Unix Stack Exchange forum here for that one:


  • The topic ‘Page Hits’ is closed to new replies.
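
The nginx setup discussed in this thread, as an added example that is not from any of the posters or the plugin: HTTP auth in front of wp-login.php with the credentials in the realm title, plus per-IP request limiting that applies to one site only. The exact-match location hands the request to PHP itself, because a location with no PHP handler makes nginx serve wp-login.php as a static file, a common cause of the browser offering to download the page. The server name, paths, PHP-FPM socket, zone name and rate are assumptions.

```nginx
# Added example; values marked "assumed" are placeholders, not from the thread.

# http{} context. Defining a zone has no effect until a location references
# it, so the other sites on the same machine are untouched.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=30r/m;  # assumed name/rate

server {
    listen      80;
    server_name example.com;              # assumed
    root        /var/www/example.com;     # assumed
    index       index.php;

    # An exact match takes priority over the regex PHP location below, so
    # this block must pass the request to PHP-FPM on its own. Without
    # fastcgi_pass here, wp-login.php is returned as a plain file.
    location = /wp-login.php {
        # Per client IP: 30 requests/minute with a small burst; the excess is
        # answered with 429 before it reaches PHP. limit_req runs ahead of
        # the auth check, so failed auth attempts are throttled as well.
        limit_req        zone=wplogin burst=5 nodelay;
        limit_req_status 429;

        # Sent as the realm in WWW-Authenticate, i.e. the auth box title.
        auth_basic           "WordPress spam protection: Enter USERNAME: human PASSWORD: password";
        auth_basic_user_file /etc/nginx/htpasswd-wplogin;        # assumed path

        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;                # assumed socket
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;                # assumed socket
    }
}
```

Run `nginx -t` before reloading; the htpasswd file needs one entry matching the username and password shown in the realm text.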