Viewing 15 replies - 16 through 30 (of 32 total)
  • Keeping an eye on this thread. Thanks to OP.

    Author answered.

    He said he’s doing a complete rewrite of that system and it will be ready in the next few months.

    Unfortunately I need a workaround in less time. Attacks are increasing too much.

    I removed all the ^loggedout=true lines and I didn’t see attacks today.

    Is it a good solution?

    Handoko

    (@handoko-zhang)

    Glad to know the author is fixing it. This issue has been troubling many WP users including me.

    Glad to hear he is working on it. Not sure about your workaround solution. Can you provide specifics?

    https://www.ads-software.com/support/topic/after-enabling-hide-backend-still-i-am-getting-bad-login-attempt-how?replies=6

    The solution proposed there by Handoko causes an infinite redirect on Chrome.

    At step 4, I just removed the lines shown in step 3.

    Logout works, login works, wp-login.php?loggedout=true is no longer accessible.

    I don’t know if there are side effects; I hope a .htaccess guru can help.

    2 giti
    I think that, in case BWPS automatically updates the ban users list due to a lockout, these lines could be repaired.

    I am baffled. When I read the header response for:
    https://www.mysite.com/wp-login.php
    I get a 302
    (which makes sense since I am HIDING the BACKEND using WP-Better-Security.)

    However, in my access logs for the last 24 hours, I see about 4000 attempts to access wp-login.php that get a 200 response. For example:

    1XX.1X.1XX.XX6 – – [12/Jul/2013:09:17:06 -0400] “POST /wp-login.php HTTP/1.0” 200 3880 “mysite.com/wp-login.php” “Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0”

    How is this possible?

    Of course, they are being locked out per the LIMIT LOGIN parameters, but they are still eating up my resources.

    @barbfeldman

    Did you read the above comments? The cause of this issue is explained there, and there are also workarounds.

    @giti

    I did read the comments, but the access_log is NOT showing hits to “wp-login.php?loggedout=true” … the only hits to “wp-login.php?anything-at-all” are the ones that include my WP-Better-Security secret key (and these are all legit!)

    @barbfeldman

    same here now, 250 attacks in the last few minutes

    Let me restate this a little clearer.

    The wp-login hits I am seeing in my access_log ARE NOT taking advantage of the “wp-login.php?loggedout=true” loophole.

    The access is straight to “wp-login.php” … and the server is responding with a “200 all okay” status code, NOT the “302 redirect to /notfound” that I see when I try to read the status code from “wp-login.php”.

    Attackers are doing POSTs, and after a little investigation it seems that this plugin doesn’t protect from POSTs at all.
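An added example (not code from this thread or from the plugin) of the triage the last two posts are doing by hand: parse Apache combined-format access log lines and break the wp-login.php hits down by method, protocol and status, then count the source IPs behind the POSTs that got a 200 instead of the hide-backend 302. The log lines below are constructed for the example, using documentation-range IPs, and the `/wp-login.php?secretkey` line stands in for the legitimate hidden-login URL mentioned above (the real secret key is not on the page). The parser is general, so it also works on any other combined-format log and any other script path passed to `summarize_login_hits`.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format (not from the thread; IPs are
# documentation-range addresses). They model what the posts describe: a browser GET to
# wp-login.php answered with the plugin's 302, plus HTTP/1.0 POSTs that get a 200 and
# are never redirected. "?secretkey" is a placeholder for the plugin's hidden-login URL.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2013:09:17:06 -0400] "POST /wp-login.php HTTP/1.0" 200 3880 "mysite.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
203.0.113.7 - - [12/Jul/2013:09:17:08 -0400] "POST /wp-login.php HTTP/1.0" 200 3880 "mysite.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
198.51.100.23 - - [12/Jul/2013:09:18:01 -0400] "POST /wp-login.php HTTP/1.0" 200 3880 "-" "Mozilla/4.0"
192.0.2.10 - - [12/Jul/2013:09:20:45 -0400] "GET /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36"
192.0.2.10 - - [12/Jul/2013:09:20:46 -0400] "GET /wp-login.php?secretkey HTTP/1.1" 200 4120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36"
192.0.2.10 - - [12/Jul/2013:09:21:02 -0400] "GET /2013/07/hello-world/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36"
"""

# One regex for the combined log format. The bytes field is "-" when nothing was sent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Split the path from its query string so wp-login.php with any query still matches.
    rec["script"], _, rec["query"] = rec["path"].partition("?")
    return rec


def summarize_login_hits(log_text, script="/wp-login.php"):
    """Break requests for `script` down by (method, protocol, status), and count the
    source IPs behind POSTs that were answered 200 rather than redirected."""
    by_shape = Counter()
    post_ips = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["script"] != script:
            continue
        by_shape[(rec["method"], rec["proto"], rec["status"])] += 1
        # The shape the posts describe: a POST that got a 200 instead of the hide-backend 302.
        if rec["method"] == "POST" and rec["status"] == 200:
            post_ips[rec["ip"]] += 1
    return {
        "by_shape": dict(by_shape),
        "post_200_by_ip": dict(post_ips),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    summary = summarize_login_hits(SAMPLE_LOG)
    for (method, proto, status), n in sorted(summary["by_shape"].items()):
        print(f"{method:5} {proto} -> {status}: {n}")
    for ip, n in Counter(summary["post_200_by_ip"]).most_common():
        print(f"POST 200 from {ip}: {n}")
```

Run against a real access_log (`summarize_login_hits(open("access_log").read())`), the `by_shape` table makes the split the posts are puzzling over visible at a glance: GETs show the 302, POSTs show the 200, and the protocol column shows whether they are all HTTP/1.0 as the next post claims. Hits with the secret key appear as a separate GET/200 row because the query string is stripped before matching.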

    These Brute Force Login POST attacks are all using Server Protocol HTTP/1.0. We have researched, tested, documented and are using the successful solution in the link below.

    https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

    We are successfully blocking 280,000+ Brute Force Login attacks per month on our websites with this .htaccess code, which you can add to your root .htaccess file.

    If you have a BuddyPress/bbPress Forum site then here is a similar solution that blocks spam registrations and Brute Force Login attacks.
    https://forum.ait-pro.com/forums/topic/buddypress-spam-registration-buddypress-anti-spam-registration/

    AITpro thank you but I’m fairly certain that implementing your strategy ended up breaking my entire permalink structure. Everything but my home page and admin page yielded 404 errors until I scrapped the .htaccess with your code.

    Not sure why that would be. This code does not have anything to do with your permalink structure. Are you adding the code to the bottom of your root .htaccess file? This code is stand-alone code that should come last in your root .htaccess file. You would add this additional code to your existing root .htaccess file code and NOT replace or remove any of your existing root .htaccess file code.

  • The topic ‘[Plugin: Better WP Security] Bypass to Login hide (or "hide backend")’ is closed to new replies.