Secure Image for Login and Registration

There have been no spam registrations reported here, so I don’t think that would be necessary. In fact, it would be an inconvenience to your users. Have you received any spam registrations?

As for the login page, just edit the wp-login.php file.

No, I haven’t, I was just trying to ensure it didn’t happen. Also, is there a way to integrate the template’s layout around the login box?

It won’t happen. I’m not sure why, but it hasn’t happened yet. If it ever does happen, you’ll hear about it here first, unless it happens to you first.

As for integrating the template’s layout with the login box, I’m not sure about that. You’ll probably have to wait for someone else to come along with an answer to that. Alternatively, you could integrate your login box with your template layout:

https://www.ioerror.us/2005/04/14/wordpress-sidebar-login-form-hack/

Thanks! I actually implemented that on my site:)

There have been no spam registrations reported here, so I don’t think that would be necessary.

well.. it just happened to me tonight. Over the period of about 2 hours someone (from the same IP address) ran through the registration process an average of 4 times per second.

All the “registrants” were sequential:
abcdefghijklmnfoo7.0007324218750
abcdefghijklmnfoo7.0007324218751
abcdefghijklmnfoo7.0007324218752
abcdefghijklmnfoo7.0007324218753
abcdefghijklmnfoo7.0007324218754 … etc …

everytime someone registers WP sends them an email and me an email. in this case i was also recieveing “delivery failed” messages as well, since all the address were bogus.

becuase of all that email traffic i quickly blasted past my ISP’s per-hour email limit and was shut down.

I would love to have a secure image registration process.

Cant tell what version youre running, keaven, since youve deleted it from your source, however there is a nifty little plugin available from here:

https://redalt.com/

The plugin name is armor and perhaps owen, or someone else, can provide the full link, I couldnt find it.

This will help combat that sort of stuff.

The other thing you can do if youre not running 2.* (OR even if you are running 2.*) is just restrict access to wp-register.php IF theyre not coming from your domain.

There is a publically available script thats responsible for what you experienced. the path, wp-register.php is hardcoded into it. so a simple

RewriteCond %{HTTP_REFERER} !^https://([^.]+.)?yoursite.com/.*$ [NC]
RewriteCond %{REQUEST_URI} ".*wp-register.php$"
RewriteRule .* - [F]

in your .htaccess will also thwart that crap.

hope that helps ??

PS: It is also a good idea to keep bots off wp-register.php as well via robots.txt

Thanks whooami. I added that bit to my .htaccess, and i’ll hunt on that site to see if i can find what you’re talking about.

I’m using 2.0.2 (2.0.1 last night when i was attacked). This is the second time this month that i’ve been taken down. I can’t say why. Its a personal blog, and its not like i’m ever mean to anyone.

[shrug] oh well.

youre very welcome, and good luck. that .mod_rewrite rule alone will take care of any repeat attempts, as long as its the same person/people and theyre not smart enough to make a few changes to the current script thats out there.

Moreso, theres no reason I can think of for anyone to be hitting that particular page UNLESS theyre coming from your site, so its always made sense to me to restrict hits to it.

It’s happening now. Here‘s a fix.