Add some basic brute force protection please

discobot · September 8, 2021, 3:23am

I would like to see some basic protection against brute force attacks on the wp-login.php and xmlrpc.php. At the moment, you will need to add plugins and/or disable access to xmlrpc.php using plugins. I hope to see ClassicPress with a basic protection like a captcha on the login page.

Read-only archive: https://petitions.classicpress.net/posts/37/add-some-basic-brute-force-protection-please

Author: Rudy Brinkman

Vote count: 48

Status: Declined

Tags:

request-add-feature

Comments

system · February 26, 2021, 10:21pm

Code_Potent · February 27, 2021, 12:13am

For Apache servers, it only takes a few lines in .htaccess to do what you’re asking. I’m sure nginx has counterpart directives if you’re on that server. These directives kick in before ClassicPress is loaded.

# A message for those denied access.
ErrorDocument 401 "Denied"

# To password-protect the login/admin.
<Files wp-login.php>
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/path/to/your/.htpasswd"
require valid-user
</Files>

# To prevent access to xmlrpc.php.
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

One and done. If you don’t get past the server’s user/pass prompt, ClassicPress isn’t even loaded. If you do pass the prompt, then you get the normal login page where you can then login as usual. This isn’t a guess; I use this very technique on my own site. And here’s how it looks…

https://codepotent.com/wp-admin/
https://codepotent.com/wp-login.php
https://codepoent.com/xmlrpc.php

1stepforward · February 27, 2021, 4:08pm

I agree with @Code_Potent’s approach. I’m a great believer in implementing as many server-side security measures as is reasonably practicable, thus preventing access to CP completely when necessary. The only caveat is that access to the file system is required, although this is not usually a problem for files such as .htaccess and .htpasswd.

And while plugins such as Wordfence and Shield offer useful extra protection and peace of mind, they should be considered a last line of defence imho.

system · September 7, 2021, 4:51pm

viktor · September 8, 2021, 3:22am

It is very unlikely that this would be implemented in the core for a few reasons:

XML-RPC will eventually move to a core plugin
Rate limiting is best handled by the servers
There is a brute force plugin available in the directory
No one likes captchas

This petition will auto-close in a few days. If anyone feels differently, please share your thoughts to keep the petition open.

wadestriebel · September 10, 2021, 11:34am