The login button on my WooCommerce login page remains enabled before the Cloudflare Turnstile CAPTCHA is fully loaded. This allows users (or bots) to attempt logging in before verification. Ideally, the button should remain disabled until the CAPTCHA is completed.
Issue 2: Brute Force Attacks on Contact Form
I have noticed an increase in brute force spam through my contact form. The issue seems to be that the form’s submit button is active even before the CAPTCHA has loaded. This allows bots to bypass validation and submit forms before the Turnstile verification is applied.
Expected Behavior:
Steps to Reproduce:
Request:
Please check this issue and update the plugin so that all relevant buttons (login, submit, etc.) remain disabled until CAPTCHA verification is complete.
Thank you!

I use the login module for the login buttons on my website and I’d also like to use WPS Hide Login to prevent brute force attacks on my website.
The problem that I’m having is when I use both plugins in conjunction, I get redirected to a 404 page — because Uncanny Owl Login Module redirects to the system defined login page (which is hidden because of this plug-in).
One of the developers shared: I think Uncanny Owl’s log-in looks for wp-login.php or wp-admin page whereas it should search for wp_login() function.
I have currently disabled the Hide Login plugin on my website because my users weren’t able to log in, but I want to reactivate it to protect my website.
Can you please have a look?
Thank you,
Parm

What exactly is this plugin for, if not blocking these attempts???

If your plugin is disabled, then the redirect goes to deny access from the server; if your plugin is enabled, then from the main page of the site to which /xmlrpc.php is added, it redirects to the AMP main page.

All of us are suffering from brute force attacks, and I think that it’d be easy to implement some code in the next WP versions to avoid them (hide login and something against xmlrpc and directory traversal attacks).
Best regards,
Jordi
So the login page will be like this.
mypage.com/123456
So far so good. It is doing like that.
So everybody who knows the link can log in to the site. And everybody who doesn’t will be getting “Not available.” info on wp-admin or wp-login.
This is still useful.
The problem is that with some update in the past (I don’t know which one it was), my login URL was disclosed to the world. After that update and several new updates, I couldn’t hide my new login name, even if I change to a different one, and even if I use the cookie-based brute force settings.
On the User Login settings, I enabled the lockdown notification and after that, I got daily 100+ emails regarding lockdown messages.
As I mentioned above, even if I change the login name again.
I think one of your updates disclosed the log-in page.
So, how do I fix this that my log-in page will not be disclosed anymore?
Hope I could explain my issue.
Thanks and Cheers.
PS: I’m a huge fan of Tips and Tricks. I’m using your wp-emember plugin.
Best Regards
Fatma
I know plugins like Limit Login Attempts protect sites from brute force attacks on the admin side, but does anyone know of anything that helps protect sites similarly for password-protected pages?
Would love a quick fix. That said, I’m open to moving away from password protecting the page with a single password to requiring people to create an account to access information if that’s the only way to protect the information. In that case, would be interested in recommendations for how to do that.
Thanks for any insights you can offer!