How to give the same error message when the wrong password or wrong username is used?
You can use the login_errors filter for changing the custom error message. Please have a look at Change login error messages
I understand this isn’t exactly what you’re looking for but these hackers are most likely bots and redirecting them won’t matter at all. I suppose you could modify the below code if you reallllly wanted to but this will redirect anybody looking for an author back to your homepage. RewriteCond %{REQUEST_URI} ^/$ RewriteCond %{QUERY_STRING} ^/?author=([0-9]*) … Read more
The functions that generate, validate and clear auth cookies are all pluggable (meaning you can write your own versions of them). Just note that some of them may need to return something specific (like the user ID). wp_generate_auth_cookie() (generates your cookies) wp_set_auth_cookie (actually sets the cookies) wp_validate_auth_cookie() (validates your cookies) wp_parse_auth_cookie (parses an auth cookie, … Read more
You should not. Nonce is used to protect against cross site request forgery attacks (CSRF) in which another site tries to trick you into submitting a form to your site which will perform some hostile action. Nonces are unique values that can be generated only by a specific site at a specific time and therefore … Read more
Brute force attacks seem to be the most common vulnerability on WP installs Brute force attacks are not a WordPress vulnerability. They are a password vulnerability, if bad passwords are used. They are common, but whether they are “the most common” in occurrences and, more importantly, breaches is questionable. rate limiting ought to be relatively easy to … Read more
Rather than blacklist logins, why not whitelist your own IP (example 12.345.67.891 below; or a range) for wp-login.php and in wp-admin for logins and administration? (No plugin needed). A whitelist will block everyone else except you from login. See http://httpd.apache.org/docs/2.4/howto/access.html in the .htaccess in the wp-admin folder: Options All -Indexes order deny,allow deny from all … Read more
You can use this code in your functions.php to restrict users below admin level from changing their passwords: if ( is_admin() ) { add_action( 'init', 'disable_password_fields', 10 ); } function disable_password_fields() { if ( ! current_user_can( 'activate_plugins' ) ) { $show_password_fields = add_filter( 'show_password_fields', '__return_false' ); } } The admin should probably register each user … Read more
No, the requests will still happen, even if it results in a 404. If you keep logging, you’ll also notice attempts to log in to Drupal, Joomla, and other major CMS, including server exploits for IIS, Apache and Nginx. This is because they’re automated opportunistic requests, they’re not actually looking at your site, they’re only … Read more
What web server do you use? If you use nginx, you can try this to secure your wp-admin : location ~ ^/(wp-login\.php$) { root /var/www/wordpress/; allow 127.0.0.1; allow Your-ip-address; allow Your-second-ip-address; deny all; Another way to secure your wp-admin from brute force attacks is to add these lines to your nginx.conf : Limit Request limit_req_status 403; limit_req_zone … Read more
If you can use google authentication to connect as admin, then accessing published site pages is no different than connecting to a different user role. Make a new user role (say subscriber) and make your pages accessible to that particular role based users only. Make sure they don’t have access to anything else than these … Read more