Securing WordPress and WP_w3all phpBB WordPress integration: HOW TO and WHY

axew3
w3all User
Posts: 1936
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Securing WordPress and WP_w3all phpBB WordPress integration: HOW TO and WHY

Post by axew3 »

UPDATED FOR 2.0.0 RELEASE 15 Dec 2019

It is strongly recommended that you use a login strike system to avoid brute force attacks against your WordPress login and the integration plugin's session keys.
You can use plugins like All In One WP Security or Wordfence.
And (since 2.0.0) use the WP_w3all option
Activate w3all sessions keys Brute Force countermeasure (see more below)


"Reason: WordPress does not come with a login strike system by default, so a brute force via the cookie value against the phpBB session keys, or against the WP password, can be performed through the WordPress login or the plugin code. phpBB instead comes with a native login strike system to prevent brute force."

To prevent WordPress password brute force, you may need to follow something like this:

Using All In One WP Security as the WordPress login strike system, for example, you just need
to install it and then:

under WP Security -> User Login

Also leaving all other settings as they are by default, and just activating (or setting the values as needed to fire the event after the specified number of failed logins, how long the lockdown needs to stay alive, etc.):

Enable Login Lockdown Feature
Allow Unlock Requests
Notify By Email


Save settings. This is the only thing you need to stay secure with WP_w3all and phpBB/WP,
and also in a standalone WP install.

In this example, on the WP side, the login page implements the above Login Lockdown Feature (All In One WP Security) and has the
WP_w3all sessions keys Brute Force countermeasure option activated.

From 2.0.0 onwards: the sessions keys Brute Force countermeasure is added

NOTE: if you do not let users log in on the phpBB side, the following still applies, but it will not cause the phpBB logout/login reset described below, which should become obvious as you read on. You are strongly recommended to activate this option!

Activate w3all sessions keys Brute Force countermeasure
The option just does this:
if an attacker presents a fake session cookie to WordPress via this plugin, the event is logged, and the username of the account that was attacked is stored. After the first time a fake session is passed, the plugin does the following:
If the user presents a phpBB cookie and isn't already logged in to WordPress as well, he is logged out and redirected to the WordPress login, and invited to log in on the WordPress side to resolve the issue.
A logged-in username is not affected: the logged-in user isn't affected if/while already logged in to both WP and phpBB (both cookies released, as when you log in on the WordPress side or in iframe mode; the plugin then sets up both the phpBB and the WP cookie automatically).
But if a user logs in to phpBB and in the meantime isn't also logged in on the WordPress side at the time his username has been added/stored as attacked in the black list, then when he goes to visit the WordPress side presenting phpBB cookies, he will be logged out and redirected/invited to re-login into WordPress to resolve/unlock the account issue. And this will last until a valid login in WordPress is executed successfully.
Substantially, if you apply this option, the attacker will have one possibility to guess a random string of 20 to 32 characters.
With the firewall option you can choose how many times, and it also controls the presented IP etc.
This native wp_w3all option aims to be as rude as it is, leaving no chances to bad guys.

P.s: I would like to suggest to all cool people not to overload WordPress by activating multiple not useful features, thinking that you'll be more secure for it. If the code of the plugins you use, the server configuration, and the CMS are secure, maybe (maybe not) you don't need much more to expect to stay secure, except the above. This is it on this online example.
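The countermeasure described in the post above, modelled as a small state machine. This is an added example and not WP_w3all's own code: it uses an in-memory store instead of the WordPress and phpBB tables, and the key format (32 random hex characters, compared in constant time) is an assumption of the model. It shows the decisions the post describes: a fake phpBB session cookie is logged and black-lists the username; a black-listed user holding a genuine phpBB cookie but no WP session is logged out and sent to the WP login; a successful WP login clears the entry; a user already logged in on both sides is not affected.

```python
"""Model of the one-strike session-key countermeasure described above.

Added example, not WP_w3all's own code. In-memory store instead of the
WordPress/phpBB tables; key length and format (32 hex chars) are assumed.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class PhpbbUser:
    username: str
    session_key: str  # assumed: 32 random hex chars, the value a phpBB cookie carries


@dataclass
class Countermeasure:
    users: dict                                     # username -> PhpbbUser
    blacklist: set = field(default_factory=set)     # usernames seen with a fake session
    events: list = field(default_factory=list)      # log of fake-session attempts
    wp_logged_in: set = field(default_factory=set)  # usernames holding a valid WP session

    @staticmethod
    def new_session_key():
        return secrets.token_hex(16)  # 32 hex chars from a CSPRNG

    def check_phpbb_cookie(self, username, presented_key, ip):
        """Decision taken when a request reaches WP carrying a phpBB cookie."""
        user = self.users.get(username)
        genuine = user is not None and hmac.compare_digest(
            user.session_key.encode(), presented_key.encode())  # constant-time compare
        if not genuine:
            # the first fake key already black-lists the account: one guess, then
            # the legitimate user has to re-authenticate on the WP side
            self.events.append({"user": username, "ip": ip, "result": "fake_session"})
            self.blacklist.add(username)
            return "reject"
        if username in self.blacklist and username not in self.wp_logged_in:
            # genuine phpBB cookie, but the account was attacked and there is no
            # WP session to vouch for it: log out and redirect to the WP login
            return "logout_redirect_wp_login"
        return "accept"

    def wp_login(self, username, password_ok):
        """A valid WordPress login is the only thing that unlocks the account."""
        if not password_ok:
            return False
        self.wp_logged_in.add(username)
        self.blacklist.discard(username)
        return True


def run_scenario():
    """Constructed walk-through; all names, keys and IPs are made up."""
    cm = Countermeasure(users={})
    alice_key = cm.new_session_key()
    bob_key = cm.new_session_key()
    cm.users["alice"] = PhpbbUser("alice", alice_key)
    cm.users["bob"] = PhpbbUser("bob", bob_key)
    cm.wp_logged_in.add("bob")  # bob already holds both the WP and the phpBB cookie

    out = {}
    # attacker presents guessed keys for both accounts: rejected and logged
    out["attack_alice"] = cm.check_phpbb_cookie("alice", "0" * 32, "203.0.113.9")
    out["attack_bob"] = cm.check_phpbb_cookie("bob", "f" * 32, "203.0.113.9")
    # alice: genuine phpBB cookie, no WP session -> logged out, sent to WP login
    out["alice_visit"] = cm.check_phpbb_cookie("alice", alice_key, "198.51.100.4")
    # bob: logged in on both sides -> not affected
    out["bob_visit"] = cm.check_phpbb_cookie("bob", bob_key, "198.51.100.5")
    # alice logs in on the WP side, which clears her black-list entry
    out["alice_wp_login"] = cm.wp_login("alice", password_ok=True)
    out["alice_visit_after"] = cm.check_phpbb_cookie("alice", alice_key, "198.51.100.4")
    out["still_blacklisted"] = sorted(cm.blacklist)
    out["fake_session_events"] = len(cm.events)
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point of `hmac.compare_digest` is that the rejection path should not leak how many leading characters of the guess were right; with one guess allowed per black-listing, a timing side channel is the only thing that could make the 32-character search space tractable. Note that bob stays on the black list after his attack until he next logs in on the WP side, exactly as the post describes.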

falcon
User www
Posts: 76
Joined: Tue Apr 05, 2016 6:56 pm

Re: Securing WP_w3all phpBB WordPress integration: HOW TO and WHY

Post by falcon »

Installed.
Thank you.

webinar
Posts: 1
Joined: Fri May 13, 2016 9:18 am

Re: Securing WP_w3all phpBB WordPress integration: HOW TO and WHY

Post by webinar »

axew3 wrote: HOW TO: Using All In One WP Security as a WordPress login strike system.

I'm using this nice plugin at the moment with only one feature modified/activated after plugin install:

under WP Security -> User Login

leaving all settings as they are by default and activating:

Enable Login Lockdown Feature
Allow Unlock Requests
Notify By Email


....
Thanks mate. That is very wonderful and essential information you have shared with us. I wonder why WordPress by default does not have native protection against brute force? Is this one of the reasons why we see so many compromised WordPress websites?

axew3
w3all User
Posts: 1936
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Re: Securing WP_w3all phpBB WordPress integration: HOW TO and WHY

Post by axew3 »

Yes, but you can note that WordPress by default sets a very long password, hashed in a very complicated manner. It is more or less secure by default, but without a login strike system it can happen that somebody with a script will brute force the WP login: they just try different passwords, passed several times, and sooner or later they guess the right one.

In truth phpBB checks against the browser and something else, but the more important one (as the browser can be predictable) is the session_key.
To stay secure and sleep better, just solve it in this way.

p.s. I have a screenshot of a day with 129000 hits from Hong Kong in one night, but I can't find it right now ... and Russia/Ukraine ... very active guys but ... still they have not found a way to get in, and it is a fact, they have nothing better to do.
This was some days after wp_w3all was released, on 1st Feb 2016:
[attachment: ScreenHunter_59 Apr. 02 16.40.jpg]
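The login strike behaviour the thread recommends (a number of failed logins from one IP inside a time window locks that IP out for a while, a notification is recorded, and an unlock request lifts the lock), replayed over constructed login-attempt lines. This is an added example, not All In One WP Security's or WP_w3all's code: the line format, the thresholds and every line in SAMPLE_LOG are made up for the example. What it shows, which the posts only state, is that once the lock is in place even the correct password is refused until the lock expires or is lifted, which is what makes the scripted guessing described above fail.

```python
"""Login lockdown replayed over constructed WP login-attempt lines.

Added example, not All In One WP Security's or WP_w3all's code. Log
format, thresholds and sample lines are all made up for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# constructed line format: "<ts> login user=<name> ip=<addr> password=good|bad"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) password=(?P<pw>good|bad)$")

# constructed sample: a script hammering "admin" from one IP, then a real user
SAMPLE_LOG = """
2016-04-02 16:40:01 login user=admin ip=203.0.113.9 password=bad
2016-04-02 16:40:03 login user=admin ip=203.0.113.9 password=bad
2016-04-02 16:40:04 login user=admin ip=203.0.113.9 password=bad
2016-04-02 16:40:05 login user=admin ip=203.0.113.9 password=bad
2016-04-02 16:40:06 login user=admin ip=203.0.113.9 password=good
2016-04-02 16:41:00 login user=axew3 ip=198.51.100.4 password=bad
2016-04-02 16:41:30 login user=axew3 ip=198.51.100.4 password=good
2016-04-02 17:45:00 login user=admin ip=203.0.113.9 password=good
"""


class LoginLockdown:
    def __init__(self, max_failures=3, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=60)):
        self.max_failures = max_failures
        self.window = window                # failures are counted inside this window
        self.lockout = lockout              # how long a locked IP stays locked
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> datetime the lock expires
        self.notifications = []             # what "Notify By Email" would send

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def attempt(self, ip, user, password_ok, now):
        """Decision for one login attempt, taken before the password is checked."""
        if self.is_locked(ip, now):
            return "locked_out"           # refused even if the password is right
        if password_ok:
            self.failures.pop(ip, None)   # a good login resets the failure count
            return "ok"
        recent = [t for t in self.failures[ip] if now - t <= self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            self.notifications.append(
                f"{now:%Y-%m-%d %H:%M:%S} lockdown {ip} after {len(recent)} failures "
                f"(last username tried: {user})")
        return "fail"

    def unlock(self, ip):
        """What an accepted unlock request does: lift the lock, forget the failures."""
        self.locked_until.pop(ip, None)
        self.failures.pop(ip, None)


def replay(log_text, lockdown=None):
    """Run every login-attempt line through the lockdown; return the decisions."""
    lockdown = lockdown or LoginLockdown()
    decisions = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a login-attempt line
        now = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        decisions.append(lockdown.attempt(m["ip"], m["user"], m["pw"] == "good", now))
    return decisions, lockdown


if __name__ == "__main__":
    decisions, ld = replay(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.strip().splitlines(), decisions):
        print(f"{decision:<10} {line}")
    print(ld.notifications)
```

In the sample the third failure from 203.0.113.9 at 16:40:04 locks that address until 17:40:04, so the fourth guess and the fifth (the correct password) are both refused without being checked, while the real user at 198.51.100.4 is only one failure in and logs in normally. Keying the counter on the IP is what the plugin option does; a script spread across many addresses needs a per-username counter as well, which is the trade-off the thread's "Allow Unlock Requests" setting exists to soften.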
