Page Hits

Don’t rely on a plugin to handle that. Try putting it captcha auto_prepend_file = /home/WP-LC/wp-lc.php from the /etc/php.ini file.

Also use .htaccess in your /wp-admin/ area and lock it to your IP address. Here’s a sample:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “NO Access”
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from your.ip.address.here
</LIMIT>

GuruMoz
[sig moderated as per the Forum Rules]

@stu – I have no idea what @gurumoz is talking about as far as the auto_prepend code goes, as doing anything of that nature will not stop bots from trying to access the form. The bit about the .htaccess file is correct though. This version of the plugin does not prevent the actual attempts to log in, only from logging in successfully after x number of failed attempts.

If you are on a static IP and only need to access the site from 1 location then restricting to a single IP via .htaccess would work to stop the bots (and all bots, actually). If you need something more permissive, then you can add an additional layer of protection by adding an http auth to wp-login.php directly. I will incorporate that option into the next version of the bot.

Thanks very much for the info.

I’m using Nginx directives rather than .htaccess based on my setup.

The problem here is anything in the .conf files are going to affect all sites on this machine and I have admins & editors in different countries using IP addresses that will end up changing etc etc.

I think the best route for me is to limit connections like this that flood the login page.

cheers
stu

@stu – one solution I use to limit the bots where there are a lot of users is an http login that needs to be passed to get to the WordPress login, but I put the username and password into the title of the http auth, eg:

“WordPress spam protection: Enter USERNAME: human PASSWORD: password”

It doesn’t stop people from getting in, since they can make sense of the title, but bots won’t be configured to read that so will be stopped from hitting the login form, and thus not eat up any resources. I used that on one client’s server who had over 150 client sites on there, and while he did get some calls asking about it, in the end it greatly reduced the load the bots were causing.

-Michael

@michael – I see fundamentally how to do this using the ngx_http_auth_basic_module… but I don’t quite understand how to pass a title as you mentioned. Is this what you have done on a set up like mine (Nginx)?

Thanks
Stu

@stu, based on this page:

https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html

It looks like with the example config:

location / {
    auth_basic           "closed site";
    auth_basic_user_file conf/htpasswd;
}

“closed site” would be the title of the auth login box.

-Michael

Ahh… doh !

Have a great weekend Michael.

Got auth_basic working… but now it wants to download the page.

@stu, while I have seen similar behavoir on Apache I am not really familiar with ngix. I would suggest asking on the either stackoverflow or the Unix Stack Exchange forum here for that one:

https://unix.stackexchange.com/

-Michael