Multi-site best practices for cookie brute force

  • I am trying to determine if the cookie based brute force protection works with multisite. I’ve activated the plugin on the main site and can only login to the main site using the mydomain.com/?term=1. Trying to log into sub sites yields no login page (e.g. subsite.com/?term=1 (if using WordPress MU domains plugin) or even sub.mydomain.com/?term=1.

    Furthermore, if I login to the main site and then navigate to a sub site (as a super admin) I cannot access “edit post” links from the front end of the sub site and am redirected to 127.0.0.1.

    Is the cookie brute force protection not compatible, or is there a different method I need to employ? Perhaps activating the plugin for each sub site?

    https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, can you activate the plugin on each sub site. Carry out a test and report back.

    Thank you

    Thread Starter crazywhistlepig

    (@crazywhistlepig)

    So to do that, I have to create a different term on the subsite. E.g.:

    mainsite.com/?termA=1
    sub.mainsite.com/?termB=1

    However, the plugin only writes the latest change to .htaccess, negating the prior site’s cookie. If I backup the .htaccess file and combine the rewrite directives I can get it to work, however this is not ideal or convenient, especially with over 30 sub sites.

    I also have to set the WordPress MU Domain Mapping plugin to disable primary domain check if I want to be able to use the edit links from the front end of the current theme.

    I’m eager to try this method of brute force protection, seems like it will work very well. Redirecting to 127.0.0.1 is brilliant!

    Thanks!

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, thank you for the extra information. This will help the developers investigate your findings further.

    Unfortunately I don’t have a multisite set up in my testing environment, so I can’t test your situation further.

    Regards

    Thread Starter crazywhistlepig

    (@crazywhistlepig)

    Thanks! I do have a multisite test environment and would be happy to help further if needed.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi,
    The cookie based brute force feature is not supported for multisite. If I remember correctly that menu item should not be visible in the admin area of child sites.
    Having said that, you can use the rename login feature for multisite setups.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Multi-site best practices for cookie brute force’ is closed to new replies.