Remove Wordpress attack protection Captcha

gerbils shared this question 5 years ago
Answered

Seems to have been added by Xilo, is there any way to remove it? It's problematic for Wordpress visitors.


Thanks

Comments (15)

2

At the moment, this can't be removed as it is there for the protection of customers and the servers in general.


Unfortunately, there are a number of known bots that are going around and hacking Wordpress sites along with that, they cause very high loads on servers.


A way around this is to rename the admin directory where possible and protection will not apply.

1

Thanks Matt. The problem is when you have password protected posts within wordpress, if a client enters his/her password to view those posts they get the Captcha popup.

1

You may find this works, which should resolve the issue.


http://www.dalih.net/170/3-steps-to-change-the-url-wp-admin-folder-tested-with-wordpress-3-2-1/


This would then rewrite the code too, so the links should never go to the page with the extra security.

1

Perfect Matt - great thanks!

2

Unfortunately Matt, this doesn't affect the issue. Isn't the problem with wp-login.php? That's the file that gets accessed when viewers try to read private posts.

1

I understand the reasoning and I'm grateful that you're alert to this sort of security issue. But this login panel is so intrusive. There must be a more sensible way of handling this. I don't know of any other hosts enforcing this, so what are they doing to protect their servers?


The login panel isn't too bad where the only people needing to login are site administrators, but for any sort of membership based site this is horrible.


p.s. I assume you want people to continue related discussion from previous questions, but if not let me know and I'll spin this into a new question.

1

There isn't without locking sites down to static IPs. We reviewed every possible option and still do review any new options that we can use - but there are none that are as flexible and effective as this.


IP-based locks on this file would mean that connecting clients would need a static IP and it completely locks down any access to third parties.


A captcha based solution allows people to manually gain access once through their entire session and even save the details in their browser.

1

But then what are other hosts doing if not this?


Can you confirm, is the captcha only applied to the wp-login.php file or the wp-admin directory too? I'm just considering options for moving the location of these.

1

Other hosts are doing this. We actually used this solution from a 40+ page thread on a web hosts forum.


It was the most elegant solution of many that didn't require users to then add IPs to .htaccess and so forth.


It is against the login file only.

1

I used http://wordpress.org/plugins/rename-wp-login/ and it works fine and unlike renaming wp-admin it doesn't break password protected pages & posts.

1

Yes, I remember seeing that thread when this all started, but none of the other hosts I've encountered are doing this, and I can't believe that over a year later this is still the best solution available. Synthesis seem very confident; what are they doing that's so clever? http://websynthesis.com/wp-bruce-force-protection/


Yes I was just looking at Rename WP Login. That looks promising.

1

They're a managed wordpress host. That is their bread and butter. We are a host of content, it could be wordpress, or any other CMS.


As I said, we continue to look for better solutions but things like mod_security rules and even signature detection within our Cisco ASAs were all attempted and were worked around by the hackers. We changed the ruleset many times but their attack vector changed several times an hour and there was no other viable solution.


Once this stops, we'll remove it as we said but for now, it will remain.
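A defender-side illustration of the brute-force pattern described in this thread, added here as an example; it is not part of the discussion or any host's tooling. It scans constructed Apache access-log lines for bursts of POSTs to wp-login.php from one IP, the kind of load-generating bot traffic the captcha was put in front of. The password-protected-post flow that also trips the captcha POSTs to the same file (action=postpass), so a plain path match cannot separate the two without rate context; the threshold and window below are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format, e.g.
# 203.0.113.5 - - [12/Mar/2014:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string (e.g. ?action=postpass)
        "status": int(m.group("status")),
    }

def login_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total POST count} for IPs that POSTed to wp-login.php more than
    `threshold` times inside any `window`-long span (sliding window over sorted times)."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample: one bot hammering the login file, one visitor unlocking a protected post.
SAMPLE_LOG = [
    f'203.0.113.5 - - [12/Mar/2014:10:15:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"'
    for s in range(0, 40, 5)  # 8 POSTs in 35 seconds
] + [
    '198.51.100.7 - - [12/Mar/2014:10:16:02 +0000] "GET /wp-login.php?action=postpass HTTP/1.1" 200 1200 "-" "Safari/7.0"',
    '198.51.100.7 - - [12/Mar/2014:10:16:09 +0000] "POST /wp-login.php?action=postpass HTTP/1.1" 302 0 "-" "Safari/7.0"',
    '198.51.100.7 - - [12/Mar/2014:10:16:11 +0000] "GET /2014/03/private-post/ HTTP/1.1" 200 8000 "-" "Safari/7.0"',
]
```

Run `login_bursts(SAMPLE_LOG)` to see only the bot IP flagged; the legitimate visitor's single postpass POST stays below the threshold.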

1

That's precisely why they're a good example, since they've obviously had more resources to invest in investigating a WP specific issue.


Anyway, for me at least, renaming wp-login.php is a likely solution.

1

As well as being awkward for subscribers it makes logging in with iOS impossible.

1

Renaming wp-login.php is still the best solution for this but also for long-term security of your sites.