Hey,
    I noticed that the cookie based brute force feature only works for the person that enabled it. Is there any way to make it work for other people? We set up WP sites for clients and we are the ones that enable the plugins, but the client is the one who accesses the dashboard to manage the website. Any way we can do that? Maybe turning off the cookie, and leaving the custom URL enabled, would be a good option to have. Thanks.

    https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/

Viewing 9 replies - 1 through 9 (of 9 total)
Thread Starter Viktor Nagornyy

    (@viktorix)

I think I noticed that whitelisting an IP address bypasses the cookie and allows access to wp-login.php using the custom URL from the brute force prevention feature. Is this correct? Can you confirm?

    Plugin Contributor wpsolutions

    (@wpsolutions)

    I noticed that the cookie based brute force feature only works for the person that enabled it. Is there any way to make it work for other people?

As long as the person’s browser allows the saving of cookies, it will work for anybody who happens to know the secret word which was configured in the brute force settings.

I think I noticed that whitelisting an IP address bypasses the cookie and allows access to wp-login.php using the custom URL from the brute force prevention feature. Is this correct?

No. If the brute force feature is enabled, anybody who doesn’t have the special cookie deposited in their browser will never be able to access the login/admin pages, irrespective of whether you have the whitelist enabled or disabled.

    To learn more about the brute force feature take a look at this page:
    https://www.tipsandtricks-hq.com/all-in-one-wp-security-plugin-cookie-based-brute-force-login-attack-prevention-feature-5994

    Thread Starter Viktor Nagornyy

    (@viktorix)

    That’s what I was thinking when I set it up originally. But for some reason what happens is this:

    1. If I give someone our secret url to login domain.com/?secret=1 they do not see login page, but instead receive 404 error.
    2. If I add their IP address to whitelist, now visiting domain.com/?secret=1 works and they see login page.

    We verified this on several different client computers, and I was also able to use browserstack.com to verify this on my end.

    What could be causing this?

    Plugin Contributor wpsolutions

    (@wpsolutions)

    What you are seeing is normal behaviour and makes perfect sense.

The first line of defence in this case is the brute force feature.
    So your clients were successfully passing this test because you gave them the special URL.

    The second line of defence is the whitelist and they were failing this test because their IP addresses were not initially in the white list.
    After you included their IP addresses in the white list they were then able to access the login page.

    Thread Starter Viktor Nagornyy

    (@viktorix)

I think I understand now; I misunderstood how the whitelist was working. I assumed it was bypassing the brute force feature if the IP was on the list. But it restricts access to those IPs alone instead. Thanks for clarifying it for me.

(@jamminjames)

    wpsolutions, you contradicted yourself in your two answers. First, you said they don’t need to be whitelisted, then you said they did.

    Apparently they do have to be whitelisted ahead of time. It would be better if the plugin would add them to the whitelist if they had the password. It complicates things too much to have to add them first.

    Actually, the “cookie based” thing didn’t work for me at all, even with whitelisting. It would bring up the home page, where the login link is, but as soon as you hit the login link, it went to the https://127.0.0.1 page.

    Trying the secret word on the wp-login.php page doesn’t work either.

    Had to settle for renaming the login page, which I’d rather not do, as I’d like to let regular users log in. For now, I have to do this, as we were getting brute force login attempts that were overloading the server.

    How can I get the cookie based method to work?

    Plugin Contributor wpsolutions

    (@wpsolutions)

    @jamminjames,

    you contradicted yourself in your two answers. First, you said they don’t need to be whitelisted, then you said they did

You have probably misunderstood my answer – whitelisting is NOT a prerequisite in order for the cookie-based brute force feature to work. IF you decide to use the whitelist feature IN ADDITION to the cookie-based brute force feature, then you will need to also add the appropriate IP addresses to the whitelist.

    So getting back to your situation – you mention something about hitting a “login link”. Clicking a custom login link won’t work if you are using the cookie-based feature. You will need to initially directly type the special URL in your browser in order for the plugin to be able to process it correctly and deposit the cookie into your browser which will then give you access to the login page:
    Eg: https://www.yoursite.com/?yoursecretword=1

In your case, if you are clicking a link, the chances are that your link will not contain the secret word which makes up your special URL.

PS: Next time, can you please open a new thread instead of using a “resolved” one.
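A small model of the two-layer behaviour wpsolutions describes in this thread (the cookie gate is checked first; the whitelist, when enabled, is an extra restriction rather than a bypass, and a login link without the secret word never gets past the first layer). This is an added illustration, not the plugin's own code; the Config/Request structures, the cookie name and the sample requests are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Config:
    secret_word: str                      # the word set in the brute force settings
    cookie_name: str = "secret_cookie"    # assumed name, not the plugin's real cookie
    whitelist_enabled: bool = False
    whitelist: set = field(default_factory=set)

@dataclass
class Request:
    ip: str
    query: dict      # parsed query string, e.g. {"yoursecretword": "1"}
    cookies: dict    # cookies the browser sent

@dataclass
class Result:
    status: int      # 200 = login page shown, 404 = blocked
    reason: str
    set_cookies: dict = field(default_factory=dict)

def check_login_access(req: Request, cfg: Config) -> Result:
    """Decide whether wp-login.php is served, applying the layers in order."""
    set_cookies = {}
    # Layer 1: cookie-based brute force prevention.
    # Typing https://site/?<secret_word>=1 deposits the cookie; afterwards the
    # plain login URL works because the browser sends that cookie back.
    if req.query.get(cfg.secret_word) == "1":
        set_cookies[cfg.cookie_name] = "1"
    elif req.cookies.get(cfg.cookie_name) != "1":
        return Result(404, "no secret word in URL and no cookie", set_cookies)
    # Layer 2: the optional whitelist restricts access further; it does not
    # replace layer 1, so an unlisted IP fails here even with the secret URL.
    if cfg.whitelist_enabled and req.ip not in cfg.whitelist:
        return Result(404, "IP not in whitelist", set_cookies)
    return Result(200, "login page served", set_cookies)

# Constructed sample requests reproducing the cases discussed in the thread.
SECRET_URL = Request("203.0.113.10", {"secret": "1"}, {})
LOGIN_LINK = Request("203.0.113.10", {}, {})            # link without the secret word
WITH_COOKIE = Request("203.0.113.10", {}, {"secret_cookie": "1"})
NO_WHITELIST = Config("secret")
WHITELIST_ON = Config("secret", whitelist_enabled=True, whitelist={"203.0.113.10"})
WHITELIST_OTHER = Config("secret", whitelist_enabled=True, whitelist={"198.51.100.7"})
```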

    Ok, sorry, didn’t notice this was resolved. I’ll start another, as I still have questions.

The topic ‘Making brute force prevention feature work for clients’ is closed to new replies.