w3all sessions keys Brute Force countermeasure
viewtopic.php?t=80Since 2.4.0> the option Swap WordPress default Login, Register and Lost Password links to point to phpBB related pages
become Swap WordPress Register and Lost Password links to point to phpBB related pages.
The login in WordPress is required to be always available (even if it can be hidden by the normal site because you'll like to login users only in phpBB) because to unlock a blocked account due to a detected phpBB sessions keys bruteforce in WP, the user need to login into WordPress. The same user while/if logged in, is not affected. See more below how easy and secure the concept work.
This aspect, sometime very annoying when an user login in phpBB, and his ID result to be Bruteforced (even if it normally happen for session mismatching due to some other reason, and not due to a true bruteforce) in WP, will be resolved IF the integration will run together with the phpBB integration extension into phpBB, that will be updated to do the follow:
when an legit user login in phpBB, the phpBB code will check that the user's ID of this user do not exist into the WP bruteforce IDS array: if yes, will clean up the record so that when the user will return into WP, will not be forced to re-login again in WP.
2.7.5 will fix also:
* Fix: "fatal error due to the "wp_w3all_phpbb_login" hook not being found, happening when I'm logging in a user with the wp_signon() function ... ajax