Graham
Forum Replies Created
I removed that blacklist too, as it stops me from being able to create password protected folders.
Removing it has to be done sort of backwards in logic.
Untick the box and click on the “Add Host and Agent Blacklist” button.
The .htaccess file is rewritten and the list disappears. Go figure?
Jan,
I have contacted bit51, but their contact form specifically says they will not respond to support requests.
I have worded it as a security flaw notification and asked them to look at the forum thread concerning the “?loggedout=true” bug.
Hopefully they will do so.
No, I haven’t contacted them. I suppose I should, but I figured they must read this forum.
Maybe I shouldn’t assume so much and do that.
There is a major security flaw that you need to be aware of with BWPS too.
You can read about it and see how to fix it here.
Exactly. They are totally bypassing the login box.
But, as I said, BWPS still detects the failed login attempt and logs it, so it will trigger a lockout.
I have mine set for only 3 attempts, then a lockout. It stops them dead, even though they are trying to sneak in the back door.
P.S.
If you’re wondering who gives a rat’s whether your server thinks FrontPage extensions are installed or not – if it does, it prevents you from creating password protected folders.
Looking at my logs, hackers are using POST instead of GET to access the login function.
This means they are bypassing the login box and that’s why you are seeing failed login attempts.
However, this is not a problem, because BWPS will still lock them out regardless. If an IP becomes a problem, simply add it to your ban list, but BWPS should do that anyway after the number of lockouts you have specified.
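An added example, not part of the original replies or of the BWPS plugin: a small Python script that reads Apache combined-format access-log lines and flags client IPs that POST directly to wp-login.php without having first loaded the login form, which is the "sneaking in the back door" pattern described above. It uses a 3-attempt threshold to mirror the lockout setting mentioned earlier. The log lines are constructed for the example, the IPs are documentation addresses, and the "no Referer from wp-login.php" heuristic is an assumption about how a direct POST differs from a form submission, not something the plugin itself checks.

```python
"""Flag IPs that POST straight to wp-login.php in Apache combined-format logs.

Added example: the log lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; the sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.5 posts to wp-login.php four times with no
# Referer (never loaded the form); 198.51.100.7 loads the hidden login page
# once and then submits it once, as a real user would.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2013:10:00:03 +0000] "GET /wp-login.php?abc123 HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.test/wp-login.php?abc123" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def direct_login_posts(lines):
    """Yield entries that POST to wp-login.php without a Referer from the login form.

    Heuristic (assumption): a browser submitting the form sends a Referer that
    points at wp-login.php; a script posting credentials directly usually does not.
    """
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?")[0]
        if (entry["method"] == "POST"
                and path.endswith("/wp-login.php")
                and "wp-login.php" not in entry["referer"]):
            yield entry


def lockout_candidates(lines, max_attempts=3, window=timedelta(minutes=5)):
    """Return {ip: total_direct_posts} for IPs that reach max_attempts direct
    POSTs within `window`, mirroring a 3-attempt lockout setting."""
    stamps_by_ip = defaultdict(list)
    for entry in direct_login_posts(lines):
        stamps_by_ip[entry["ip"]].append(entry["ts"])

    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        # Sliding window: any max_attempts consecutive hits inside `window` qualifies.
        for i in range(len(stamps) - max_attempts + 1):
            if stamps[i + max_attempts - 1] - stamps[i] <= window:
                flagged[ip] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in lockout_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} direct POSTs to wp-login.php, lockout threshold reached")
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines; IPs it reports are the ones you would expect BWPS to have locked out already, so a mismatch between this list and the plugin's lockout log is worth a look.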
Forum: Plugins
In reply to: [Awebsome! Online Registered Users Widget] Dashboard only?
You don’t have to have this plugin enabled in the frontend for it to work in the backend.
Yes it does take up a lot of your dashboard space, but I have a site where multiple editors have their own pages. I need to know if they are online before I use the WP Optimize plugin, otherwise I would be deleting all their auto-saves.
I also found, as other people have, that it doesn’t show the admin as being online when first installed. However that starts working after you have logged in and out a few times.
I don’t get an error if I log straight back in again.
Yes I changed the slugs and generated a new key. I don’t want to fiddle with it any further, as it is doing its job just by changing the one variable.
If it works – don’t fix it I reckon. Besides, I’m not a programmer and the lines must have been put in there for a reason and I have no idea what it is. So I prefer to leave them there.
Thanks for your advice anyway, I appreciate it.
There must be another loophole.
As soon as I released a hacker from lockout he was able to attempt to login again, despite me having generated a new key.
I tried to login myself with the old key and couldn’t, so I don’t know how he is doing it.
Thank you so much for pointing this out. I was wondering how people were managing to access login when it is hidden by a scrambled key!
I changed the $key to $dir in line 700 and they now get a 404 error instead:
"RewriteRule ^.*$ " . $dir . "wp-login.php?" . $dir . " [R,L]" . PHP_EOL;
You then need to “unhide” the backend and “save”. Then re-hide it and “save” again, so the .htaccess file gets updated.
I also changed the permissions for common.php to 444 in the hope it won’t get overridden on an update. Don’t know how that will go though.
Don’t get me wrong, I have no connection with BWPS. I was just letting people know they’ve fixed the problem.
An update has been released that has fixed the problem.
You’re welcome.
Just put the domain name in Ban User Agents under the Ban tab. BWPS will add it to the .htaccess file on Save.