For single-login sites, I found that using firewall rules to prevent brute force on wp-login.php made the site highly secure. But for a membership site, how do I make my wp-admin secure with CF firewall rules?
((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")) and ip.geoip.country ne "IN"
Blocked outside India.
I also have my own rule applying a JS Challenge to wp-login.php.
When I use this rule for membership, users are unable to log in.
Can someone please suggest the best set of rules for a multi-user login site?
WordPress login - block all requests to wp-login.php except those from IP addresses in Croatia
(http.request.uri.path contains "/wp-login.php" and ip.geoip.country ne "HR")
WordPress XMLRPC
(http.request.uri.path contains "/xmlrpc.php")
WordPress admin - this one is known to block everything, and people have issues with it
(http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")
WordPress plugins
(http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "example.com" and not http.referer contains "www.example.com" and not cf.client.bot)
If I understand the issue: you want to block all requests to wp-login.php, but in the case of WooCommerce the users should be allowed to log in; right now your rule blocks or challenges them and does not let them log in as “normal users” rather than as “bad guys trying to brute force”?
The only thing I can think of is making sure your users log in from the site itself, and not through a bookmark. But if they forget, use a JS Challenge; this usually stops brute-force attempts.
Moreover, for WooCommerce you can also define a custom URL for users to log in, but who says it cannot also be brute-force attacked?
In that case I recommend installing the plugin Login No Captcha reCAPTCHA – WordPress plugin | WordPress.org or something similar to protect your wp-login or WooCommerce login against brute force, or you could use other techniques with another security plugin.
As the description says:
Adds a Google No Captcha ReCaptcha checkbox to your WordPress and Woocommerce login, forgot password, and user registration pages. Denies access to automated scripts while making it easy on humans to log in by checking a box. As Google says, it is “Tough on bots, easy on humans.”
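To make the trade-off in the replies above concrete, here is an added example (not code from this thread or from Cloudflare) that mirrors the poster's single rule as a Python function and compares it with an assumed split into three rules: block xmlrpc.php everywhere, keep the country restriction on /wp-admin/ only (admin-ajax.php still exempt), and apply a JS Challenge instead of a Block to wp-login.php. The Cloudflare expressions are quoted in the docstrings; the request samples are constructed for the demonstration.

```python
# Simulates Cloudflare firewall-rule decisions for WordPress login traffic.
# Added example, not code from the thread; the "revised" policy is an assumed
# rework of the poster's rule, not something Cloudflare or the thread supplies.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Request:
    """Minimal stand-in for the request fields the rules look at."""
    path: str          # http.request.uri.path
    country: str       # ip.geoip.country (ISO 3166-1 alpha-2)
    method: str = "GET"


def wp_admin_page(path: str, exempt: tuple[str, ...]) -> bool:
    """True for /wp-admin/ paths that are not in the exempt list."""
    return "/wp-admin/" in path and not any(e in path for e in exempt)


def original_rule(req: Request) -> str:
    """Mirror of the poster's single rule (action: Block):

    ((http.request.uri.path contains "/xmlrpc.php")
     or (http.request.uri.path contains "/wp-login.php")
     or (http.request.uri.path contains "/wp-admin/"
         and not http.request.uri.path contains "/wp-admin/admin-ajax.php"
         and not http.request.uri.path contains "/wp-admin/theme-editor.php"))
    and ip.geoip.country ne "IN"
    """
    sensitive = (
        "/xmlrpc.php" in req.path
        or "/wp-login.php" in req.path
        or wp_admin_page(req.path, ("/wp-admin/admin-ajax.php",
                                    "/wp-admin/theme-editor.php"))
    )
    return "block" if sensitive and req.country != "IN" else "allow"


def revised_rules(req: Request) -> str:
    """Assumed split into three rules, evaluated in this order:

    1. Block        : http.request.uri.path contains "/xmlrpc.php"
    2. Block        : http.request.uri.path contains "/wp-admin/"
                      and not http.request.uri.path contains "/wp-admin/admin-ajax.php"
                      and ip.geoip.country ne "IN"
    3. JS Challenge : http.request.uri.path contains "/wp-login.php"

    The country restriction stays on the admin area, which only the site's own
    staff need, while the login form is challenged rather than blocked, so
    members anywhere can still log in and scripted brute force is stopped by
    the challenge. theme-editor.php is an admin-only page, so it gets no exemption.
    """
    if "/xmlrpc.php" in req.path:
        return "block"
    if wp_admin_page(req.path, ("/wp-admin/admin-ajax.php",)) and req.country != "IN":
        return "block"
    if "/wp-login.php" in req.path:
        return "js_challenge"
    return "allow"


SAMPLE_TRAFFIC = [  # constructed sample requests, not taken from the thread
    ("admin in India opens dashboard",    Request("/wp-admin/edit.php", "IN")),
    ("member in the US logs in",          Request("/wp-login.php", "US", "POST")),
    ("member in the US calls admin-ajax", Request("/wp-admin/admin-ajax.php", "US", "POST")),
    ("bot in DE hits xmlrpc",             Request("/xmlrpc.php", "DE", "POST")),
    ("bot in DE probes theme editor",     Request("/wp-admin/theme-editor.php", "DE")),
    ("visitor in FR reads a post",        Request("/2024/hello-world/", "FR")),
]


def compare(traffic=SAMPLE_TRAFFIC) -> dict[str, tuple[str, str]]:
    """Return {label: (original_action, revised_action)} for each request."""
    return {label: (original_rule(r), revised_rules(r)) for label, r in traffic}


if __name__ == "__main__":
    for label, (old, new) in compare().items():
        print(f"{label:36} original={old:12} revised={new}")
```

Running it shows the failure the poster hit: the member's POST to wp-login.php from the US is blocked outright by the original rule but only challenged by the revised set, while xmlrpc.php stays blocked and the theme-editor.php probe, which the original rule's exemption let through, is now blocked.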
@sdayman Thanks a lot for sharing this. Can you explain briefly how exactly this will be helpful for a multi-user site?
Not through a bookmark, as in?