Support » Plugin: Easy Bruteforce Protect » Still tripping limit login attempts notices

  • I need to study the .htaccess code that BFP inserts, but I am getting some really weird results.

    Even with this plugin, I’m getting notices from limit login attempts that my threshold was being exceeded, which is something I don’t understand. Isn’t this entry in my .htaccess supposed to block brute force attempts *before* WordPress even loads?

    I have also tried whitelisting my IP in .htaccess — with the same result. The 50 times a day notices are down to three or four per week, but still, how is this even possible? Is there a login back-door somewhere in WordPress?

    This BTW is on all of my sites. Here is a link to one:
    http://causesofeatingdisorders.org/

    https://wordpress.org/plugins/easy-bruteforce-protect/

Viewing 1 replies (of 1 total)
  • Thread Starter Howard Harkness

    (@chltx)

    Here is the contents of the .htaccess file in the directory that contains wp-login.php (my IP address has been replaced with xxx.xxx.xxx. (top 3 octets, since I’m on DHCP).

    # BEGIN EASYBFP
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_REFERER} !^http://causesofeatingdisorders\.org [NC]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteRule ^(.*)$ - [F]
    </IfModule>
    # END EASYBFP
    
    <Files wp-login.php>
    Order Deny,Allow
    Deny from All
    Allow from xxx.xxx.xxx.
    </Files>

    The wp-admin directory has a similar whitelisting, in the form:

    Order Deny,Allow
    Deny from All
    Allow from xxx.xxx.xxx.

    BTW, the examples I saw had those two last lines reversed. That did not work for me, but the code above does. I tried it using a proxy server and got the expected access denied error.

Viewing 1 replies (of 1 total)
  • The topic ‘Still tripping limit login attempts notices’ is closed to new replies.