Securing WordPress and WP_w3all phpBB WordPress integration: HOW TO and WHY


Post by axew3 » Fri Apr 29, 2016 2:27 pm

It is strongly recommended that you use a login strike system to avoid brute force attacks against your WordPress login.
You can use plugins like Wordfence or All in One Security, or just any Google Captcha plugin (you may choose one that works fine), that will require the user to answer some question before a request is allowed.

"Reason: WordPress does not come with a login strike system by default, so a brute force via cookie value on the session keys of phpBB or on the WP password can be performed through WordPress wp-login.php. phpBB instead comes with a native login strike system to prevent brute force."

Using All In One WP Security as the WordPress login strike system, for example, you just need:
https://wordpress.org/plugins/all-in-on ... -firewall/

Install it, and then:

under WP Security -> User Login

leave all settings as they are by default and activate:

Enable Login Lockdown Feature
Allow Unlock Requests
Notify By Email


Save settings. This is the only thing you need to stay secure with WP_w3all and phpBB/WP.
And also in a standalone WP install.

Reason: WordPress does not come with a login strike system by default, so a brute force on the session keys of phpBB or on the WP password can be performed through WordPress wp-login.php. phpBB instead comes with a native login strike system to prevent brute force.


P.S.: I would like to suggest to all cool people not to overload WordPress by activating multiple features that are not useful, thinking that this will make you more secure. If the code of the plugins you use, the server configuration, and the CMS are secure, maybe (maybe not!) you do not need too much to expect to stay secure, except the above (this is it on this online example).
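As an added example (not part of the original post, and not code from All In One WP Security or WP_w3all), this Python code replays a web access log to show which clients a login lockdown policy would have locked out of wp-login.php. The thresholds, the sample log lines and the name `replay_lockdown` are assumptions; it relies on stock WordPress answering a failed login POST with status 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.44 - - [29/Apr/2016:02:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.7 - - [29/Apr/2016:02:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.7 - - [29/Apr/2016:02:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2890
203.0.113.7 - - [29/Apr/2016:02:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.7 - - [29/Apr/2016:02:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.7 - - [29/Apr/2016:02:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.7 - - [29/Apr/2016:02:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
198.51.100.20 - - [29/Apr/2016:02:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
198.51.100.20 - - [29/Apr/2016:02:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [29/Apr/2016:02:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
192.0.2.44 - - [29/Apr/2016:02:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
"""

# Captures: client IP, timestamp, method, path, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def replay_lockdown(log_text, max_fails=3, window=timedelta(minutes=5),
                    lock_for=timedelta(minutes=60)):
    """Return {ip: {"locked_at": [...], "blocked": n}} under the assumed policy."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    locked_until = {}             # ip -> moment the lock expires
    report = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, stamp, method, path, status = m.groups()
        # Only failed logins count: POST to wp-login.php answered with 200.
        if (method, path.split("?")[0], status) != ("POST", "/wp-login.php", "200"):
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked_until and when < locked_until[ip]:
            report[ip]["blocked"] += 1   # this guess would have been rejected
            continue
        fails = recent[ip]
        fails.append(when)
        while when - fails[0] > window:  # drop failures older than the window
            fails.popleft()
        if len(fails) >= max_fails:
            locked_until[ip] = when + lock_for
            report.setdefault(ip, {"locked_at": [], "blocked": 0})["locked_at"].append(when)
            fails.clear()
    return report
```

Run over a real access log, the "blocked" counts show how many password guesses the lockdown would have refused for each client.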


Re: Securing WP_w3all phpBB WordPress integration: HOW TO and WHY

Post by falcon » Fri Apr 29, 2016 5:34 pm

Installed.
Thank you.


Re: Securing WP_w3all phpBB WordPress integration: HOW TO and WHY

Post by webinar » Fri May 13, 2016 10:15 am

axew3 wrote: HOW TO: Using All In One WP Security as WordPress login strike system.

I'm using this nice plugin at the moment with only one feature modified/activated after plugin install:

under WP Security -> User Login

leaving all settings as are by default and activating:

Enable Login Lockdown Feature
Allow Unlock Requests
Notify By Email


....
Thanks mate. That is very wonderful and essential information you have shared with us. I wonder why WordPress by default does not have native brute force support? Is this one of the reasons why we see so many compromised WordPress websites?


Re: Securing WP_w3all phpBB WordPress integration: HOW TO and WHY

Post by axew3 » Fri May 13, 2016 6:02 pm

Yes, but you can note that WordPress sets by default a very long password, hashed in a very complicated manner. It is +- secure by default as a system, but without a login strike system it can happen that somebody with a script will brute force the WP login: they just try different passwords several times, and they expect to get the right one sooner or later. As was often happening here at axew3.com.

In truth, phpBB checks against the browser and something else, but the most important one (as the browser can be predictable) is the session_key.
To stay secure and sleep well, we can just solve it in this way.

P.S. I have a screenshot of a day with 129000 hits from Hong Kong in one night, but I can't find it right now ... and Russia/Ukraine ... very active guys but ... they still have not found a way to get in ... it is a fact, they have nothing better to do.
This was some days after wp_w3all was released, on 1st Feb 2016:
[Attached screenshot: ScreenHunter_59 Apr. 02 16.40.jpg]
