• Resolved conrad8

    (@conrad8)


    Hello, I have brute force prevention activated through cookies on several websites. Yesterday there were attempts to access with user ID 0. Today the word in the URL has been changed, but it does not prevent them from continuing with the tests immediately. I have verified that trying to access with the classic wp-admin URL redirects to 127.0.0.1. So, I am afraid that those people can bypass the brute force security somehow. There is no new user, I have checked it in the database.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support aporter

    (@aporter)

    Hi,

    Are you on the latest version of AIOS 5.1.1?

    Yesterday's update changed how the brute force cookie protection works; it now runs via our PHP-based firewall.

    I’m unable to reproduce the above, once I change the secret word the previous cookies are invalid.

    Have you got any other features turned on in the plugin to block these attempts?

    Best Wishes,

    Ashley

    Thread Starter conrad8

    (@conrad8)

    Hi, thank you for your answer.
    I do NOT have PHP-based protection enabled. I only have the cookies option activated. This morning I saw those access attempts on a website. I changed the keyword of the URL, and instantly access attempts followed, as if that change did not prevent anything. I can’t tell you if this has happened with the previous version of the plugin. It turns out that I manage a lot of websites, and this morning I just finished updating a few. This I cannot confirm. Now if the plugin is updated on all websites.

    Excuse me, obviously I use a translator plugin.

    Thread Starter conrad8

    (@conrad8)

    Confirmed. New version of the plugin. PHP protection enabled. I have changed the cookie protection keyword. Access attempts continue.

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    @conrad8

    If someone attempts to access wp-admin by guessing the secret word, you can use the Bruteforce > Login whitelist to add your IPs, and only those will be allowed to access the login page.

    Also, if you know the IPs making the access attempts, you may blacklist those IPs from the Blacklist manager.

    Regards

    Thread Starter conrad8

    (@conrad8)

    But there is something wrong with the plugin. I have the new version. I have activated the protection with PHP. I’ve changed the password, and the login attempts keep coming. How is it possible that I get login attempts from different IPs that shouldn’t know the new password? It should be IMPOSSIBLE for them to know the new keyword. There is something not doing the job right in the plugin.

    Plugin Support aporter

    (@aporter)

    Hi,

    Where in the plugin do you see these login requests?

    Best Wishes,

    Ashley

    Thread Starter conrad8

    (@conrad8)

    Hi

    User access > Failed access log.

    I have deactivated the plugin, reactivated it, and now it seems to be working. I have activated the protection with PHP. It seems that now it is working correctly. One question: the keyword that is inserted in the URL with the cookies option does not appear in the .htaccess file. Does that word appear in the database, or in some file? I ask in case I ever lose, or forget, that word. What should I do? Where do I look for it?

    What surprises me is that this problem started yesterday on several websites, when previously they had no login attempts. Maybe for some reason the old version of the plugin was affected, or maybe the new version has made this possible. I honestly don't get it. I don't know for what reason since yesterday I have received login attempts on websites where I have cookie protection activated.
    I'm going to deactivate the plugin. I'll turn it back on. I will accept the protection with php, and I will change the keyword.

    Plugin Support aporter

    (@aporter)

    Hi,

    I’m glad it’s working for you now.

    I’ll try and reproduce this upgrade problem.

    If you forget your word it can now be found in:

    wp-content/uploads/aios/firewall-rules/settings.php

    Best Wishes,

    Ashley

  • The topic ‘Brute force cookie prevention not working’ is closed to new replies.