• Hello,

    I’m using the plugin Loginizer to add Brute Force Protection to my site but there is nothing protecting the UM login. What do you offer that does this? I have been hit by over 200 attempts in less than 24 hours. They were getting the username of the admins using https://{DOMAIN}/wp-json/wp/v2/user_request because WordPress sets the nicknames the same as the user login name and that API request shows the nicknames. I have added a plugin to block access to the user_request and I have changed the nicknames and usernames to be new and different in the DB. I now need a way to secure UM.

Viewing 1 replies (of 1 total)
  • Not sure if there is already a plugin for that, but if not it should not be hard to make one.

    In fact I just checked and you have two hooks that can help you achieve that:

    wp_authenticate
    wp_login

    I recently noticed as well the wp-json endpoint (only been programming in WordPress for the last 4 months). Not sure why the users endpoint is open but it does imply unknown users can gather the login name… not very safe I’d say, although they can also figure that out by clicking on the author of a post.
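
One way the two hooks named in the reply above could be combined into a login throttle, as an added example that is not part of the original thread or any plugin's own code. Assumptions: the login form ends up in WordPress core's wp_signon() (not verified here for UM), the threshold, window and `lt_` names are hypothetical, and the core hook wp_login_failed, which the reply does not mention, is used to count failures.

```php
<?php
/**
 * Plugin Name: Login throttle (added example)
 * Constructed illustration: thresholds and lt_* names are assumptions.
 */

const LT_MAX_FAILURES = 5;   // assumed: failures allowed per client address
const LT_WINDOW       = 900; // assumed: seconds a counter lives after the last failure

// Transient key per client address. REMOTE_ADDR is the direct peer; behind a
// trusted reverse proxy, take the client address from that proxy's header instead.
function lt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lt_fail_' . md5( $ip );
}

// wp_authenticate fires in wp_signon() before the credentials are checked,
// so a locked-out address is refused without a password comparison.
add_action( 'wp_authenticate', function () {
    if ( (int) get_transient( lt_key() ) >= LT_MAX_FAILURES ) {
        wp_die(
            'Too many failed login attempts. Try again later.',
            'Locked out',
            array( 'response' => 429 )
        );
    }
}, 1 );

// wp_login_failed fires for each rejected username/password pair.
// Rewriting the transient restarts its expiry, so the window slides
// with every new failure.
add_action( 'wp_login_failed', function () {
    $key = lt_key();
    set_transient( $key, (int) get_transient( $key ) + 1, LT_WINDOW );
} );

// wp_login fires after a successful sign-in: clear the counter.
add_action( 'wp_login', function () {
    delete_transient( lt_key() );
} );
```

The transient read and write are not atomic, so parallel requests can undercount; a persistent object cache with an atomic increment closes that gap.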
