Securing WordPress and WP_w3all phpBB WordPress integration: HOW TO and WHY

axew3
w3all User
Posts: 1950
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Securing WordPress and WP_w3all phpBB WordPress integration: HOW TO and WHY

Post by axew3 »

It is strongly recommended that you use a login strike system to avoid brute force attacks against your WordPress login and the integration plugin's session keys.
You can use plugins like All in One Security or Wordfence.
And (since 2.0.0) use the WP_w3all option
Activate w3all sessions keys Brute Force countermeasure


NOTE: DO NOT activate the option
Swap WordPress default Login, Register and Lost Password links to point to phpBB related pages
in conjunction with the Brute Force countermeasure option!

Problem: since the anti Brute Force option works by blocking execution of the code that retrieves the user's data from phpBB, it affects a logged out user (who could be the legitimate one trying to log in by presenting correct session cookie credentials after a login in phpBB): he will be logged out until a valid login is done on the WordPress side. So activating the option
Swap WordPress default Login, Register and Lost Password links to point to phpBB related pages
in conjunction with the Brute Force countermeasure will leave the user unable to unlock his account in WordPress if that is required. In iframe mode, the result would be an immediate logout despite a correct login done in the iframed phpBB. If not in iframe mode, you could log the user into phpBB, but when the user comes to visit the WordPress side and his username is on the blocked list, even presenting a valid session credential he will be logged out, because he counts as a blocked user, and to unlock his WP login he will need to log in on the WP side.

How to resolve this, if I want to let users log in/register and reset their password only on the phpBB side?
There are several possibilities.
The easiest is:

Set the option in WP that does not allow user registration
Remove the links in WordPress that point to the related login/registration pages
Manually create links that point to the related phpBB pages/links
Install and set up a firewall for WordPress as mentioned above

This way, a returning logged out user who is locked out due to a brute force on his phpBB session keys, and who needs to unlock with a login on the WP side, will be correctly redirected to the WP login page.

To prevent WordPress password brute force you may need to follow something like this:

Using All In One WP Security as an example, which acts as a WordPress login strike system:
install the plugin and then

under WP Security -> User Login

leave all other settings as they are by default, and just activate the following (set up the values as needed: after how many failed logins the event fires (maybe 3 or 5), how long the account lock needs to stay alive, etc.):

Enable Login Lockdown Feature
Allow Unlock Requests
Notify By Email


Save settings. This is the only thing you need to stay secure with WP_w3all and phpBB/WP.
And also in a standalone WP install.

In this example, on the WP side, the login page implements the above Login Lockdown Feature (All In One WP Security) and
the WP_w3all sessions keys Brute Force countermeasure option is activated.

Sessions keys Brute Force countermeasure (plugin versions 2.0 >)

NOTE: if you do not let users log in on the phpBB side, the following applies, but it will not cause the phpBB logout/login reset described here below, which will probably become obvious as you read on. You are strongly recommended to activate this option.

NOTE: activating this option, and forcing users to Login, Reset password or Register only on the phpBB side, may make it impossible for a user to reset the brute force block. DO NOT activate the option
Swap WordPress default Login, Register and Lost Password links to point to phpBB related pages
in conjunction with the Brute Force countermeasure


How w3all sessions keys Brute Force countermeasure works
The concept is very simple. The option just does this:
if an attacker presents a fake session cookie to WordPress via this plugin, a fake login will be fired in the background, then the event is logged by this plugin, and also by any firewall plugin installed, and the username of the account targeted by the attempt is stored. After the first time a fake session is passed, the plugin does the following:
If the WordPress logged out user presents a valid phpBB cookie due to a correct login on the phpBB side, he will be logged out and redirected to the WordPress login, and invited to log in on the WordPress side to resolve the issue.
A logged in user is not affected: the logged in user isn't affected if/while logged in.

But if a user logs in to phpBB and his username has been added/stored as attacked in the black list, when he goes to visit the WordPress side, even presenting valid phpBB cookies, he will be logged out and redirected/invited to re-login into WordPress to resolve/unlock the account issue. And this will last until a valid login in WordPress is executed successfully.
Substantially, if you apply this option, the attacker will have 1 possibility to guess a random string 20 to 32 characters long.
Via the firewall options that you can activate, you can choose how many times a user can try to log in before the firewall's Login Lockdown fires, check the presented IP etc. (these are firewall options you do not have to care about, just activate them or not, depending on whether you want to enable these firewall features, which you can activate or not as you like).
This option aims to be as rude as it is, leaving no chances to bad guys.

Hint for cool people: do not overload WordPress by activating multiple useless features, thinking this will make you more secure. If the code of the plugins you use, the server configuration and the CMS are secure, maybe (maybe not) you do not need much to stay secure, except the above. That is it on this online example.
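As an added illustration for this thread (not the plugin's own code), the stand-alone Python model below walks through the behaviour described in the post above: a fake session key puts the username on the attacked list, a valid phpBB cookie for a listed user is then refused and sent to the WordPress login, a user already logged in to WordPress is unaffected, and only a successful WordPress login clears the block. The class and function names, the `phpbb_sessions` mapping and the sample key are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class SessionKeyGate:
    """phpbb_sessions: username -> session key issued by phpBB (constructed data).
    attacked: stored usernames for which a fake session cookie was ever presented."""
    phpbb_sessions: dict
    attacked: set = field(default_factory=set)
    events: list = field(default_factory=list)

    def present_phpbb_cookie(self, username, session_key, wp_logged_in=False):
        """Decision for a WordPress visitor presenting a phpBB session cookie."""
        if wp_logged_in:
            return "allow"  # a user already logged in to WordPress is not affected
        expected = self.phpbb_sessions.get(username)
        # constant-time compare: do not leak how many bytes of the key matched
        valid = expected is not None and hmac.compare_digest(expected, session_key)
        if not valid:
            # fake session: record the event (a firewall plugin would log it too) and store the name
            self.attacked.add(username)
            self.events.append(("fake_session", username))
            return "deny"
        if username in self.attacked:
            # valid phpBB key, but the account was attacked: require a WordPress login
            self.events.append(("blocked_redirect", username))
            return "redirect_wp_login"
        return "allow"

    def wordpress_login(self, username, password_ok):
        """Only a successful WordPress login clears the block."""
        if password_ok:
            self.attacked.discard(username)
            return True
        self.events.append(("failed_wp_login", username))
        return False


def run_scenario():
    """The sequence the post describes, returned as the list of decisions taken."""
    gate = SessionKeyGate(phpbb_sessions={"alice": "k" * 32})  # constructed key
    return [
        gate.present_phpbb_cookie("alice", "k" * 32),  # legitimate, before any attack
        gate.present_phpbb_cookie("alice", "x" * 32),  # attacker's wrong guess
        gate.present_phpbb_cookie("alice", "k" * 32),  # legitimate user now locked out
        gate.present_phpbb_cookie("alice", "k" * 32, wp_logged_in=True),
        gate.wordpress_login("alice", password_ok=True),  # unlock on the WP side
        gate.present_phpbb_cookie("alice", "k" * 32),  # back to normal
    ]
```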

falcon
User www
Posts: 76
Joined: Tue Apr 05, 2016 6:56 pm

Re: Securing WP_w3all phpBB WordPress integration: HOW TO and WHY

Post by falcon »

Installed.
Thank you.

webinar
Posts: 1
Joined: Fri May 13, 2016 9:18 am

Re: Securing WP_w3all phpBB WordPress integration: HOW TO and WHY

Post by webinar »

axew3 wrote: HOW TO: Using All In One WP Security as a WordPress login strike system.

I'm using this nice plugin at the moment with only one feature modified/activated after plugin install:

under WP Security -> User Login

leaving all settings as are by default and activating:

Enable Login Lockdown Feature
Allow Unlock Requests
Notify By Email


....
Thanks mate. That is very wonderful and essential information you have shared with us. I wonder why WordPress by default does not have native brute force support? Is this one of the reasons why we see so many compromised WordPress websites?

axew3
w3all User
Posts: 1950
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Re: Securing WP_w3all phpBB WordPress integration: HOW TO and WHY

Post by axew3 »

Yes, but you can note that WordPress sets by default a very long password, hashed in a very complicated manner. It is more or less secure by default, but without a login strike system it can happen that somebody with a script will brute force the WP login: they just try different passwords, passed several times, and sooner or later they guess the right one.
