Please Explain This WordPress Block Logic

Posted: 30 Sep 2021, 18:51
by consultant
I've got a user that keeps getting blocked for a custom LFD rule to block 3 consecutive WordPress failed logins within 3600 seconds. But they swear they are not getting failed logins. The rule is the widely published rule:

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
return ("Failed WordPress login from",$1,"wordpress","5","80,443","3600");
}

HTTP code 200 is an OK response. So then wouldn't entering the address https://www.somedomain.com/wp-login.php and reloading it 2 times within 3600 seconds trigger the block? So wouldn't this rule get triggered if a user logged in, successfully, 3 times within 3600 seconds as they would go to the login page 3 times and generate a 200 response each time the login page is viewed!?

Could it be that the user is using /wp-login.php URL to log in 3 times within 3600 minutes instead of /wp-admin?
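
Added example, not part of the original post: the pattern from the posted rule, run in Python over constructed access-log lines to show which requests it counts. The pattern is copied from the rule; the IPs, timestamp and helper names are made up, and it assumes the Apache combined log format and WordPress's usual behaviour of answering a rejected login POST with 200 and an accepted one with a 302 redirect (the time window is not modelled).

```python
import re
from collections import Counter

# Pattern copied verbatim from the posted rule (Python's re reads it like Perl here).
RULE = re.compile(r'(\S+).*] "POST \/wp-login\.php.*" 200')


def make_line(ip, method, status):
    """Build one constructed combined-format log line for /wp-login.php."""
    return (f'{ip} - - [30/Sep/2021:18:40:00 +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 5120 '
            f'"https://www.somedomain.com/wp-login.php" "Mozilla/5.0"')


# Constructed sample traffic (documentation IP ranges, not real clients).
SAMPLE = [
    # Client A: views/reloads the login page three times, then logs in successfully.
    make_line("203.0.113.10", "GET", 200),
    make_line("203.0.113.10", "GET", 200),
    make_line("203.0.113.10", "GET", 200),
    make_line("203.0.113.10", "POST", 302),
    # Client B: submits the login form three times and gets the form back each time.
    make_line("198.51.100.7", "POST", 200),
    make_line("198.51.100.7", "POST", 200),
    make_line("198.51.100.7", "POST", 200),
]


def matched_ip(line):
    """Return the IP the rule would report for this line, or None if no match."""
    m = RULE.search(line)
    return m.group(1) if m else None


def hits_per_ip(lines):
    """Count rule matches per source IP."""
    return Counter(ip for ip in map(matched_ip, lines) if ip)


def ips_over_trigger(lines, trigger):
    """IPs whose match count reaches the trigger level (passed in by the caller)."""
    return sorted(ip for ip, n in hits_per_ip(lines).items() if n >= trigger)


if __name__ == "__main__":
    print(hits_per_ip(SAMPLE))
    print(ips_over_trigger(SAMPLE, 3))
```

Only the POST requests answered with 200 are counted; the GET page views and the POST that ends in a 302 do not match the pattern.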