• Hi,

    I had iThemes installed on my pages since 2016, but lately get a lot of BruteForce Attacks DURING AWAY MODE.

    As I thought maybe something went wrong with an update or so, I deactivated, deleted and reinstalled and activated that plugin on one of my websites – as it looks to no avail.

    But still the BruteForce Attacks get access to the Log in Area. As I am unable to reach it when the site is in away mode, I wonder how the bruteforce attacks get through.

    On neither page can anyone create an account, nor are there any logins or links to the login area on the page (as often found in the widget-area from blogs).

    For one page I have even reduced the “open” time to 30 minutes of a day.

    ALSO: I seem to remember that in 2016/2017 when I was logged in before away-mode set in, I wasn’t kicked out. Now I am. Really dislike that. What is the reasoning behind that?

Viewing 5 replies - 1 through 5 (of 5 total)
  • I have the same problem.

    Also in away mode receive blocks from admin attempt login.

    Hope someone can help us

    @northernannie
    According to the 7.0.2 Changelog:

    Bug Fix: Away Mode would not lock out users who were already logged-in during the “away” period.

    7.0.2 was released on June 14th 2018.

    Also the Away Mode module is only for preventing access to the WordPress Dashboard login page. It does not prevent all types of brute force attack.

    To prevent any confusion, I’m not iThemes.

    Thread Starter northernannie

    (@northernannie)

    @nlpro

    Ha, who would’ve thought that it was a bug to not be logged out…. I really liked it as I tend to not have fixed hours when I work – which is a nightmare with away-mode kicking me out.

    Just so I understand the login-thing you are saying: Even if there is no “open” access to any log-in area, they still can reach a point where they can try to log in?

    (edit) Thank you for your help.

    • This reply was modified 5 years, 11 months ago by northernannie.

    @mmoore247
    Perhaps an extra setting for the Away Mode module that allows you to enable/disable being logged out during away hours would be nice…

    @northernannie
    Anyway Away Mode falls in the category security by obscurity. It doesn’t really strengthen the security of your site.
    At most it will only slow down attackers …

    WordPress includes several APIs that provide endpoints to authenticate (XML-RPC, REST API etc). So restricting access to the login page won’t stop all brute force attacks.

    • This reply was modified 5 years, 11 months ago by nlpro.
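
The reply above notes that logins can also be attempted through XML-RPC and the REST API, not only the login page. As an added example (not part of the original thread and not iThemes code), this script counts POST requests per endpoint and client during away hours in a web server access log. The combined log format, the 22:00 to 06:00 window, the sample lines and all function names are assumptions, and log timestamps are assumed to be in the same timezone as the Away Mode schedule.

```python
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample lines in combined log format (documentation-range IPs).
SAMPLE_LOG = """\
198.51.100.23 - - [12/Jul/2018:02:14:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.23 - - [12/Jul/2018:02:14:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.23 - - [12/Jul/2018:02:14:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.23 - - [12/Jul/2018:02:15:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [12/Jul/2018:02:20:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
203.0.113.7 - - [12/Jul/2018:23:30:00 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 401 120 "-" "-"
192.0.2.10 - - [12/Jul/2018:14:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def endpoint_of(path):
    """Name the WordPress endpoint a request path targets, or None."""
    base, _, query = path.partition("?")
    if base.endswith("/xmlrpc.php"):
        return "xmlrpc"
    if base.endswith("/wp-login.php"):
        return "wp-login"
    if "/wp-json/" in base or "rest_route=" in query:
        return "rest-api"
    return None

def in_window(t, start, end):
    """True if t is inside [start, end); the window may wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def away_hour_posts(log_text, start, end):
    """Count POSTs per (endpoint, client IP) made during the away window."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        endpoint = endpoint_of(m["path"])
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").time()
        if endpoint and in_window(when, start, end):
            hits[(endpoint, m["ip"])] += 1
    return hits

if __name__ == "__main__":
    for (endpoint, ip), n in away_hour_posts(SAMPLE_LOG, time(22, 0), time(6, 0)).most_common():
        print(f"{endpoint:9} {ip:15} {n}")
```

A high count for xmlrpc or rest-api during away hours shows that blocking the login page alone leaves other authentication paths reachable; REST API POSTs are listed for review and are not necessarily login attempts.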
    Thread Starter northernannie

    (@northernannie)

    @nlpro Oh, I didn’t know that – but then again I am not a web designer or coder (obvi lol) Again, thank you for your help here.

    Oh yes, the option to enable/disable log out would be awesome – and if it poses a big risk it could be limited to admin users? (which probably would make the whole idea even more complicated).

  • The topic ‘BruteForce Attacks in WP Login during Away-Mode’ is closed to new replies.