• Resolved reeveskd

    (@reeveskd)


    I’ve recently begun improving my security headers, and it seems by raising the security bar, my cookie-based admin rename brute force protection “breaks” a bit. I can still see the login page in Incognito, but the “Login” button doesn’t do anything.

    If I try to log in outside of incognito, I’m redirected to my “get the heck outta here, ya daft hacker” page, even if the cookie is ?correct=1.

    I’m wondering if y’all have noticed if CSP in particular might be breaking something on this front? That seems to be the one that did it, when I enabled script and object ‘self’ protections.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi,

    I can still see the login page in Incognito, but the “Login” button doesn’t do anything.

    Can you clarify the above further? I just want to make sure I understand your question and issue.

    Thank you

    Thread Starter reeveskd

    (@reeveskd)

    Howdy! Sorry for the delay, but in the course of working on something else I think I fixed it. I was simultaneously using the LoginPress plugin, and the combination of All-in-One, LoginPress, and CSP suppressing script-src to ‘self’ seems to have caused the trouble. Disabling LoginPress fixed the issue, so I think those two plugins weren’t playing nicely together.

    I’ve disabled and deleted LoginPress as the security is more important to me than the appearance, though as a future feature request, further customization of the login page would be awesome, including:

    – Checkbox to remove forgot password at first login
    – Checkbox to remove forgot password at failed login
    – Customize layout

    Great plugin! 😀
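The failure described in the opening post and diagnosed two posts up (a login button that does nothing once `script-src 'self'` is enforced) is exactly what a CSP does to an inline `<script>` injected by a plugin: `'self'` only matches scripts loaded from the site's own origin, never inline code. The following evaluator is an added example, not code from All-in-One WP Security, LoginPress or the poster; it assumes a hypothetical site origin `https://example.test` and a constructed login page with one core script and one plugin inline script, and it simplifies external matching to origins only (no path matching, no `'strict-dynamic'` or `'unsafe-hashes'`). It also shows the two defender-side fixes that keep the policy strict: a per-response nonce, or a `sha256-` hash of the inline script.

```python
"""Evaluate whether a <script> on a page is permitted by a Content-Security-Policy header.

Constructed example; assumes a hypothetical origin https://example.test and a plugin
that injects an inline <script>. External sources are matched on origin only.
"""
import base64
import hashlib
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict:
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_sources(header: str) -> list:
    """script-src applies if present; otherwise default-src; otherwise unrestricted."""
    d = parse_csp(header)
    return d.get("script-src", d.get("default-src", []))


def sha256_source(script_text: str) -> str:
    """Hash source expression for an inline script, computed the way browsers do."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def script_allowed(header: str, page_origin: str, script: dict) -> bool:
    """script = {"kind": "inline", "content": str, "nonce": str | None}
              | {"kind": "external", "url": str}"""
    sources = script_sources(header)
    if not sources:
        return True  # neither script-src nor default-src: scripts are unrestricted

    if script["kind"] == "inline":
        # Any nonce or hash in the list makes the browser ignore 'unsafe-inline'.
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
        )
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            return True
        nonce = script.get("nonce")
        if nonce and f"'nonce-{nonce}'" in sources:
            return True
        return sha256_source(script.get("content", "")) in sources

    parts = urlsplit(script["url"])
    origin = f"{parts.scheme}://{parts.netloc}"
    for s in sources:
        if s == "*":
            return True
        if s == "'self'":
            if origin == page_origin:
                return True
        elif s.startswith("'"):
            continue  # other keyword sources never match a URL
        elif s.endswith(":"):  # scheme source such as https:
            if parts.scheme == s[:-1]:
                return True
        elif "://" in s:  # full origin
            if origin == s.rstrip("/"):
                return True
        elif s.startswith("*."):  # wildcard host
            if parts.netloc.endswith(s[1:]):
                return True
        elif parts.netloc == s:  # bare host
            return True
    return False


def login_page_check(header: str, page_origin: str = "https://example.test") -> dict:
    """Constructed login page: a core script served by the site plus a plugin's inline script."""
    scripts = {
        "core_script": {"kind": "external", "url": page_origin + "/wp-includes/js/jquery/jquery.js"},
        "plugin_inline": {
            "kind": "inline",
            "content": "document.getElementById('wp-submit').disabled = false;",
            "nonce": None,
        },
    }
    return {name: script_allowed(header, page_origin, s) for name, s in scripts.items()}


if __name__ == "__main__":
    strict = "default-src 'self'; script-src 'self'; object-src 'self'"
    print("strict policy:", login_page_check(strict))
    fixed = strict + " " + sha256_source("document.getElementById('wp-submit').disabled = false;")
    print("strict + hash:", login_page_check(fixed))
```

Running it shows the thread's symptom under the strict policy (`core_script` allowed, `plugin_inline` blocked) and that adding the script's hash, or a nonce that the page also places on the `<script>` tag, allows it without reopening `'unsafe-inline'`. Deploying the header as `Content-Security-Policy-Report-Only` first, and reading the browser console or the `report-uri`/`report-to` reports, surfaces blocked plugin scripts before they break a login page.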

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, thank you for reporting back. I am glad you found a solution to your problem.

    – Checkbox to remove forgot password at failed login

    Hi, are you talking about the “Lost your password?” link? If you are, you can enable the following feature: Display Generic Error Message. It will remove the “Lost your password?” link from the second attempt. It creates a generic “ERROR: Invalid login credentials.” message.

    Thank you.

    • This reply was modified 5 years, 8 months ago by mbrsolution.

The topic ‘Security Headers and Cookie-Based Brute Force’ is closed to new replies.