• Resolved siddigsami

    (@siddigsami)


    I'm using the Cookie Based Brute Force secret page.
    When logging in using the bbPress login page, the page redirects to 127.0.0.1 rather than the bbPress forum page.

    I wonder if there's a way to exclude the bbPress login from Cookie Based Brute Force.

  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, did you change the URL in the following option Re-direct URL?

    Thread Starter siddigsami

    (@siddigsami)

    No, I didn't change it; it was pointed to https://127.0.0.1.
    I believe that Cookie Based Brute Force redirects all login attempts that happen from outside the secret page (e.g. wp-admin, bbPress login).
    In bbPress it checks the login: if the login happened from the secret page then it's OK; if not, it redirects the login attempt to https://127.0.0.1.
    What can I do to make a successful login from the bbPress login page to the forum while Cookie Based Brute Force is activated?

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, I don’t use bbPress myself. The plugin developers will investigate your issue further.

    Thank you

    Thread Starter siddigsami

    (@siddigsami)

    Thank you @mbrsolution, please let me know.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    This will require some more thinking on my part to come up with a solution because as far as I can see, bbpress uses the standard WordPress core “wp-login.php” to process its login events.
    Therefore if you are using the cookie based brute force or rename login feature, it will be a problem whenever anyone tries to login to bbpress because aiowps plugin will hide the wp-login.php file.
    I will keep you posted.

    Thread Starter siddigsami

    (@siddigsami)

    @wpsolutions Thank you for your response, I appreciate it.
    I suggest considering the following solution.
    Cookie Based Brute Force prevents unknown login attempts,
    so the login attempt of a bbPress subscriber sounds like a known attempt.
    We want to make the subscriber log in to the forum from the bbPress login, and we don't want him to access wp-admin.

    The following code, from the page below, does so:

    https://codex.bbpress.org/layout-and-functionality-examples-you-can-use/#25-restricting-user-access-to-the-wordpress-backend

    /**
     * Redirect back to homepage and not allow access to
     * WP backend for Subscribers.
     */
    function rkk_redirect_admin(){
        if ( ! current_user_can( 'edit_posts' ) ){
            wp_redirect( site_url() );
            exit;
        }
    }
    add_action( 'admin_init', 'rkk_redirect_admin' );

    If there is a way to make Cookie Based Brute Force accept the subscriber as a known login attempt and exclude it, by checking whether the login is from a subscriber, then pass it and redirect the subscriber to the forum if the login attempt happened from the bbPress login page, and also prevent him from accessing wp-admin; if it's not a subscriber (unknown user) then we block him.

    Thread Starter siddigsami

    (@siddigsami)

    Sorry, duplicated reply.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi @siddigsami,
    Thanks for the suggestion.
    The main problem in this case is that the cookie based feature is blocking people at the Apache level, ie, via .htaccess. Therefore we cannot use the solution you kindly offered together with the cookie brute force feature because the user will be blocked before any PHP code is executed.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Actually maybe I spoke too soon. I re-read your reply and it could be possible if we can find a way to differentiate bbpress logins from normal WordPress logins….maybe….I still have to think about it a little bit more

    The main issue is that if we let bbpress members get past the cookie brute force apache blocking, they will inherently have access to the normal WordPress backend login page and we don’t want anyone except WP admins and users to have access to that page because then they will have the opportunity to attempt brute force attacks – which defeats the purpose of this feature.
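
A small model of the request path described in the replies above, added here as an illustration and not taken from the plugin: the Apache cookie gate is evaluated first, and the `admin_init` hook only runs for requests that get past it. The cookie name `secret_gate`, the gated path list and `https://forum.example/` are assumptions; `https://127.0.0.1` is the redirect target reported in the thread.

```python
# Added illustration (not plugin code): the two layers a request passes through.
from dataclasses import dataclass, field
from typing import Optional

REDIRECT_URL = "https://127.0.0.1"    # Re-direct URL value reported in the thread
SITE_URL = "https://forum.example/"   # constructed stand-in for site_url()
GATE_COOKIE = "secret_gate"           # hypothetical cookie set by the secret page
GATED = ("/wp-login.php", "/wp-admin")  # assumed paths covered by the .htaccess gate
CAN_EDIT_POSTS = {"administrator", "editor", "author", "contributor"}

@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    role: Optional[str] = None        # role of the logged-in user, None if anonymous

def server_layer(req):
    """.htaccess stage: evaluated by Apache before any PHP is loaded."""
    if req.path.startswith(GATED) and GATE_COOKIE not in req.cookies:
        return ("redirect", REDIRECT_URL, "apache")
    return None                       # request is handed on to PHP

def php_layer(req):
    """WordPress stage, including the admin_init redirect quoted in the thread."""
    if req.path.startswith("/wp-admin"):
        if req.role is None:
            return ("redirect", "/wp-login.php", "php")  # core sends anonymous users to login
        if req.role not in CAN_EDIT_POSTS:
            return ("redirect", SITE_URL, "php")          # rkk_redirect_admin()
    return ("serve", req.path, "php")

def handle(req):
    return server_layer(req) or php_layer(req)

def scenarios():
    cookie = {GATE_COOKIE: "1"}       # constructed cookie value
    return {
        "bbPress form posts to wp-login.php, no cookie": handle(Request("/wp-login.php")),
        "logged-in subscriber, no cookie, opens wp-admin":
            handle(Request("/wp-admin/", role="subscriber")),
        "cookie holder requests wp-login.php":
            handle(Request("/wp-login.php", cookies=cookie)),
        "subscriber with cookie opens wp-admin":
            handle(Request("/wp-admin/", cookies=cookie, role="subscriber")),
        "forum page, no cookie": handle(Request("/forums/")),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The first two results come back from the `apache` layer, so a role check in PHP never gets a chance to run; the third shows that once the cookie is present the login form itself is served, which is the exposure raised in the reply above.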

    Thread Starter siddigsami

    (@siddigsami)

    Hi @wpsolutions
    any solution yet?

    The main issue is that if we let bbpress members get past the cookie brute force apache blocking, they will inherently have access to the normal WordPress backend login page and we don’t want anyone except WP admins and users to have access to that page because then they will have the opportunity to attempt brute force attacks – which defeats the purpose of this feature.

    As I said, we can block access to wp-admin for subscribers with this code:

    /**
     * Redirect back to homepage and not allow access to
     * WP backend for Subscribers.
     */
    function rkk_redirect_admin(){
        if ( ! current_user_can( 'edit_posts' ) ){
            wp_redirect( site_url() );
            exit;
        }
    }
    add_action( 'admin_init', 'rkk_redirect_admin' );

    There's a role in the plugin that blocks login if the user name is not in the database,
    so it is possible to check the user name in the database.
    If so, I think there's a way to check if the user has the “Subscriber” role; then we will exclude him from Cookie Based Brute Force, and we can make him log in directly in bbPress, of course after preventing him from accessing wp-admin with the above code.

    Thread Starter siddigsami

    (@siddigsami)

    Hi @siddigsami,
    Thanks for the suggestion.
    The main problem in this case is that the cookie based feature is blocking people at the Apache level, ie, via .htaccess. Therefore we cannot use the solution you kindly offered together with the cookie brute force feature because the user will be blocked before any PHP code is executed.

    Sorry, I just got you.

  • The topic ‘bbpress and Cookie Based Brute Force’ is closed to new replies.