block username/author scans?

Resolved leejosepho
(@leejosepho)

12 years, 9 months ago
BulletProof Security and its suggested file permissions do a fine job for me, and I would like to hear what you have to say before I might add this bit of code, AITpro:
```
# BEGIN block author scans
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteCond %{QUERY_STRING} (author=\d+) [NC]
	RewriteRule .* - [F]
</IfModule>
# END block author scans
```
http://imperativeideas.com/wordpress-brute-force-protection-that-works/

The brute-force attacks of a few weeks ago have slowed considerably, but I still might add the above unless you know of any possible problem or complication.

Great plugin. Many thanks!

http://ww.wp.xz.cn/plugins/bulletproof-security/

Viewing 6 replies - 1 through 6 (of 6 total)

Plugin Author AITpro
(@aitpro)

12 years, 9 months ago

That code looks good to me. I wonder if author= is always going to be a digit \d+ or if it can also be a word \w+. Will look into this.

RewriteCond %{QUERY_STRING} (author=\d+|author=\w+) [NC]
Plugin Author AITpro
(@aitpro)

12 years, 9 months ago
Ok yep this would always be a digit since what is being checked/returned is the author ID.

http://codex.ww.wp.xz.cn/Function_Reference/the_author_ID

Uses the author ID as a query link to all of that author’s posts.
```
<a href="/blog/index.php?author=<?php the_author_ID(); ?>">View all
posts by <?php the_author_nickname(); ?></a>
```
Thread Starter leejosepho
(@leejosepho)

12 years, 9 months ago

Thanks again. I knew you would either already have an answer or know how to sort things out and find one!

Plugin Author AITpro
(@aitpro)

12 years, 9 months ago

I want to point something important out though. I scanned the site you posted above and found the Author Username and confirmed that it is a valid login user account. This site is using some sort of Login Security that does not expose whether or not a correct or incorrect username has been entered by displaying a standard “incorrect user or password” message, BUT what does give this away is that WP ShakeIt shakes when entering a valid username and does nothing when an invalid username is used. In this case I got WP ShakeIt to shake after entering the author’s username. In other words, I know the Admin username for this site. 😉

Plugin Author AITpro
(@aitpro)

12 years, 9 months ago

Ideally you do not want to expose your username on the frontside of your site since this gives hackers 1 piece of the puzzle and then they can start working on cracking the password for the known user account. Most of the Brute Force cracking going on is using common Admin usernames (admin, administrator, etc) so this is not really a huge deal, but obviously something that should not be displayed/exposed on the frontside of a site just for good measure. 😉

Thread Starter leejosepho
(@leejosepho)

12 years, 9 months ago

I scanned the site you posted above…

Ideally you do not want to expose your username on the frontside…

Understood, and unless I have missed one somewhere, I definitely have all admin accounts displaying something other than their login names.

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘block username/author scans?’ is closed to new replies.