Add some basic brute force protection please

I would like to see some basic protection against brute force attacks on the wp-login.php and xmlrpc.php. At the moment, you will need to add plugins and/or disable access to xmlrpc.php using plugins. I hope to see ClassicPress with a basic protection like a captcha on the login page.


Read-only archive: Issues · ClassicPress/ClassicPress · GitHub

Author: Rudy Brinkman

Vote count: 48

Status: Declined

Tags:

  • request-add-feature

Comments

For Apache servers, it only takes a few lines in .htaccess to do what you’re asking. I’m sure nginx has counterpart directives if you’re on that server. These directives kick in before ClassicPress is loaded.

# A message for those denied access.
ErrorDocument 401 "Denied"

# To password-protect the login/admin.
# Keep the .htpasswd file outside the web root so it is never served.
<Files wp-login.php>
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/path/to/your/.htpasswd"
require valid-user
</Files>

# To prevent access to xmlrpc.php.
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead.)
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

One and done. If you don’t get past the server’s user/pass prompt, ClassicPress isn’t even loaded. If you do pass the prompt, then you get the normal login page where you can then log in as usual.

3 Likes
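The nginx counterpart the comment alludes to, as an added example that is not from the post or the ClassicPress project: basic auth on wp-login.php, xmlrpc.php denied before PHP runs, and a per-IP request limit on the login endpoint. The server name, web root, htpasswd path and PHP-FPM socket are placeholders; `limit_req_zone` must sit in the `http` context (a file under conf.d is included there).

```nginx
# Added example (not from the original post). All paths/names are placeholders.

# Per-IP zone for login throttling: 5 requests per minute; 10 MB of state
# holds roughly 160k client addresses.
limit_req_zone $binary_remote_addr zone=cp_login:10m rate=5r/m;

server {
    listen 80;
    server_name example.com;
    root /var/www/classicpress;
    index index.php;

    # xmlrpc.php: deny outright; the 403 is returned before PHP is invoked.
    location = /xmlrpc.php {
        deny all;
    }

    # wp-login.php: web-server password prompt first, then throttle whatever
    # gets past it. burst=3 tolerates a short run of requests; nodelay rejects
    # the excess immediately (HTTP 429) instead of queuing it.
    location = /wp-login.php {
        auth_basic           "Secure Area";
        auth_basic_user_file /etc/nginx/.htpasswd;   # placeholder path
        limit_req            zone=cp_login burst=3 nodelay;
        limit_req_status     429;

        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   unix:/run/php/php-fpm.sock;   # placeholder socket
    }

    # Everything else is served as a normal ClassicPress install.
    location ~ \.php$ {
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   unix:/run/php/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Rejected attempts show up in the error log as "limiting requests" entries, which gives the server-side rate limiting the thread recommends without any plugin.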

I agree with @anon71687268’s approach. I’m a great believer in implementing as many server-side security measures as is reasonably practicable, thus preventing access to CP completely when necessary. The only caveat is that access to the file system is required, although this is not usually a problem for files such as .htaccess and .htpasswd.

And while plugins such as Wordfence and Shield offer useful extra protection and peace of mind, they should be considered a last line of defence imho.

2 Likes

It is very unlikely that this would be implemented in the core for a few reasons:

  1. XML-RPC will eventually move to a core plugin
  2. Rate limiting is best handled by the servers
  3. There is a brute force plugin available in the directory
  4. No one likes captchas

This petition will auto-close in a few days. If anyone feels differently, please share your thoughts to keep the petition open.

3 Likes