Brute force with empty fields on login

  • Looking at the log I see a lot of brute force used for DDOS our website where those fields are left empty.
    It is possible to add a rule that block the website if the someone try to login with empty fields?

Viewing 2 replies - 1 through 2 (of 2 total)

  • Patched the file class-itsec-brute-force.php and now is blocking all of those access.

    else if ( empty($username) ) {
				ITSEC_Log::add_notice( 'brute_force', 'auto-ban-empty-username', compact( 'details', 'user', 'username', 'SERVER' ) );

				$context = new Host_Context( 'brute_force_empty_user' );
				$context->set_login_username( 'empty' );
				$itsec_lockout->do_lockout( $context );
			}

    Looking at the log I see a lot of brute force used for DDOS our website where those fields are left empty.

    How exactly do those requests look like ? (eg POST/GET? Url?)

    To prevent any confusion, I’m not iThemes.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Brute force with empty fields on login’ is closed to new replies.