You will find your Server / Website IP Address and Public IP / Your Computer IP Address on the BPS System Info page.
If you have used the IP based Brute Force Login Protection code and you are unable to login to your website then your ISP is changing your entire IP address subnet dynamically and you will not be able to use this code and should instead use the Server Protocol based Brute Force Login Protection code. See the “If you are unable to login to your website after using the IP based Brute Force Login Protection code” help section below if you are unable to login to your site.
# Protect wp-login.php from Brute Force Login Attacks based on IP Address <FilesMatch "^(wp-login\.php)"> Order Allow,Deny # Add your website domain name Allow from example.com # Add your website/Server IP Address Allow from 69.200.95.1 # Add your Public IP Address using 2 or 3 octets so that if/when # your IP address changes it will still be in your subnet range. If you # have a static IP address then use all 4 octets. # Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1 Allow from 65.100.50. </FilesMatch>
參考網站:http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
For BPS and BPS Pro folks who DO want to allow other folks to be able to login/register to their website
Note For BPS Pro folks: If you are looking for the Brute Force Login Protection code to either check for in your root .htaccess file or add to your website. That code is displayed below. If the code already exists in your root .htaccess file and it is working then copy that code from your root .htaccess file to BPS Pro Custom Code by following the instructions below.
This will block/Forbid around 98% of automated Brute Force Login hacking attempts since typically Server Protocol HTTP/1.0 is used in these automated Brute Force Login Attacks. This code has a 95%/5% success fail ratio meaning that this code works on 95% of websites/Servers and does not work on 5% of websites/Servers. See the IMPORTANT NOTE below.
IMPORTANT NOTE: If you see a 403 error on your login page when trying to login or log out of your website then you cannot use this code on your Server/Website and will need to delete this code to correct the 403 error on login and logout.
# BRUTE FORCE LOGIN PAGE PROTECTION
# Protects the Login page from SpamBots & Proxies
# that use Server Protocol HTTP/1.0 or a blank User Agent
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ - [F,L]
How to add/use this Brute Force Login Protection Code on your website
If you have BPS or BPS Pro installed this custom .htaccess code goes in this Custom Code text box: CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION: . After adding this custom code click the Save Root Custom Code button, go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode again.
To reverse the process (remove/delete the code from your root .htaccess file) you would delete the code from the CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION: text box, click the Save Root Custom Code button, go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode again.
If you are unable to login to your website after using the IP based Brute Force Login Protection code
FTP to your website and download your root .htaccess file and edit it in Notepad or Notepad++ (do NOT edit .htaccess files with Word or WordPad – they will corrupt the .htaccess file). Replace the IP based Brute Force Login Protection code with the Server Protocol based Brute Force Login Protection code and upload your root .htaccess file back to your website. Or you can use your Web Host Control Panel/cPanel File Manager instead to edit your root .htaccess file.
And yes you can do a combination of both IP based and Server Protocol based blocking. This code means this: If the login page is requested/accessed and the Server Protocol is HTTP 1.0 or the IP address is not your IP address then Forbid access to the Login page.
***This code is ONLY for folks who do not want anyone else to be able to login or register to their websites.
# Protect wp-login.php from Brute Force Login Attacks based on Server Protocol or IP
# All legitimate humans and bots should be using Server Protocol HTTP/1.1
RewriteCond %{REQUEST_URI} ^/wp-login\.php$
RewriteCond %{THE_REQUEST} HTTP/1\.0 [OR]
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.$
RewriteRule ^(.*)$ - [F,L]
Another method to allow your Login page to be only accessible to you…
…would be to add this function to your Theme’s functions.php file. In this example you would need to enter: http://www.example.com/wp-login.php?mySecretString=foobar to gain access to your login page. You would of course change “mySecretString=foobar” to whatever you want for your secret Query String.
// Simple Query String Login page protection
function example_simple_query_string_protection_for_login_page() {
$QS = '?mySecretString=foobar';
$theRequest = 'http://' . $_SERVER['SERVER_NAME'] . '/' . 'wp-login.php' . '?'. $_SERVER['QUERY_STRING'];
// these are for testing
// echo $theRequest . '<br>';
// echo site_url('/wp-login.php').$QS.'<br>';
if ( site_url('/wp-login.php').$QS == $theRequest ) {
echo 'Query string matches';
} else {
header( 'Location: http://' . $_SERVER['SERVER_NAME'] . '/' );
}
}
add_action('login_head', 'example_simple_query_string_protection_for_login_page');
CloudFlare, Proxy, CDN, VPN
As of BPS .49.3 and BPS Pro 7.5 the System Info page will display X-Forwarded-For IP addresses:
If you are using CloudFlare on your website then you will see Proxy X-Forwarded-For IP Address: instead of Public ISP IP / Your Computer IP Address: displayed to you. This additional check is for troubleshooting issues with CloudFlare, CDN, Proxy or VPN.
WordPress Forum Topic: http://wordpress.org/support/topic/whitelisting-ips-leads-to-403-errors-on-logout?replies=21
CloudFlare uses a Proxy so you will need to whitelist the X-Forwarded-For client IP address assigned by CloudFlare.
Wiki info on X-Forwarded-For
http://en.wikipedia.org/wiki/X-Forwarded-For
The general format of the field is:
X-Forwarded-For: client, proxy1, proxy2
If I understand this information correctly in the Wiki link above, as long as your are using the “client” IP address then that is what should only be whitelisted. The 2nd, 3rd proxy IP addresses should not be whitelisted, but this may or may not be true – pending testing.
Notes:
You can use SetEnvIf X-FORWARDED-FOR inside or outside of the FilesMatch section of code.
You would want to use Order Allow,Deny and NOT Order Deny,Allow
http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order
Allow,Deny
First, all Allow directives are evaluated. At least one must match, or the request is rejected.
Next, all Deny directives are evaluated. If any matches, the request is rejected.
Last, any requests which do not match an Allow or a Deny directive are denied by default.
Deny,Allow
First, all Deny directives are evaluated. If any match, the request is denied unless
it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.
SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" whitelist SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" whitelist SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" whitelist <FilesMatch "^(wp-login\.php)"> Order Allow,Deny Allow from env=whitelist # Add your website domain name Allow from example.com # Add your website/Server IP Address Allow from xxx.xxx.xxx.xxx # Add additional IP Addresses if necessary or delete these lines of code if not needed/used Allow from xxx.xxx.xxx.xxx Allow from xxx.xxx.xxx.xxx </FilesMatch>
Hits: 6
才剛換成這個就被Brute Force ..哪有這麼厲害