Securing WordPress and WP_w3all phpBB WordPress integration: HOW TO and WHY

User avatar
axew3
w3all User
w3all User
Posts: 2883
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Securing WordPress and WP_w3all phpBB WordPress integration: HOW TO and WHY

Post by axew3 »

The session Bruteforce Countermeasure explained

The option
w3all sessions keys Brute Force countermeasure on plugin admin
is set to YES by default, and if it is not for a well and known specified reason, it should be EVER set to YES to apply a secure integration.
Since 2.4.0> the option Swap WordPress default Login, Register and Lost Password links to point to phpBB related pages
become Swap WordPress Register and Lost Password links to point to phpBB related pages.
The login in WordPress is required to be always available (even if it can be hidden by the normal site because you'll like to login users only in phpBB) because to unlock a blocked account due to a detected phpBB sessions keys bruteforce in WP, the user need to login into WordPress (or to unlock the account using the login in phpBB, the phpBB WP extension need to be installed in phpBB and the related option activated into the extension ACP). The same legit logged in user is not affected. See more below how easy and secure the concept work.

For any default WordPress installation it is strongly recommended that you use a strike login system to avoid brute force attacks into WordPress login.
You can use plugins like All in One Security or Wordfence.

To prevent WordPress password bruteforce and stay secure, and to have a perfect mix with WP_w3all bruteforce countermeasure, that by himself alone, just think to avoid bruteforces into phpBB session keys, and do NOT prevent the possible default WordPress login password bruteforce: so for your default WP (as you may know) you need to follow something like this (for example)

Using All In One WP Security as example, that act like WordPress login strike system:
install the plugin and so

under WP Security -> User Login

leaving all others settings as are by default, and just activating (setup values as needed to fire the event after specified number of failed logins (may 3 or 5), the time that the account lock need to stay alive etc):

Enable Login Lockdown Feature
Allow Unlock Requests
Notify By Email
(maybe)

Save settings. This the only one thing you need to stay secure into a standalone WP install.

In this example, on WP side, the login page implement the above Login Lockdown Feature (All In One WP Security) and
WP_w3all sessions keys Brute Force countermeasure option activated.

Sessions keys Brute Force countermeasure

How w3all sessions keys Brute Force countermeasure works
The concept is very simple. The option just do this:
if an attacker present a fake phpBB session cookie to WordPress, and the value do not match any valid session in phpBB, the code record the attempted user id, and (also), fire a fake login on the background: due to this then the event is logged by any firewall plugin installed (if there is one installed) that will log the WP login error event for this user.
After the first time a fake session is passed, the plugin do the follow:
The same WP user, if/while already logged in, will be not affected.
But to re-login correctly and unlock his account once logged out due to normal session expiration or a click into the logout button, will be asked to login into WordPress (or to unlock the account using the login in phpBB, the phpBB WP extension need to be installed in phpBB and the related option activated into the extension ACP).
If the user presents a valid phpBB cookie due to a correct login in phpBB side, will be logged out and redirected to WordPress login, and invited to login into WordPress side to resolve the issue (or to unlock the account using the login in phpBB, the phpBB WP extension need to be installed in phpBB and the related option activated into the extension ACP).
The logged in user is not affected.
That is.

So again: if an user login in phpBB and his username as been added/stored as attacked in the black list, when will go to visits the WordPress side, even presenting valid phpBB cookie due to a legit login in phpBB, will be logged out in WP, and redirected/invited to re-login into WordPress to resolve/unlock the account issue . And this will be until a valid login in WordPress isn't executed successfully (or to unlock the account using the login in phpBB, the phpBB WP extension need to be installed in phpBB and the related option activated into the extension ACP). The plugin code simply refuse to check for the phpBB session existence, until a legit login into WordPress do not happen so that the user's ID will be removed from the bruteforce black ids list.

Substantially with this option active, the attacker will have 1 possibility to guess a random string of 20 and until 32 chars random length.

Firewall options that you can activate to prevent Wp logins bruteforce, are separate thing by what the plugin bruteforce countermeasure do (only prevent phpBB session keys bruteforce), but will works together due to the effect of fake login fired in the background if a presented phpBB session is not found: you can choose how many times an user can try to login before that the firewall's Login Lockdown will fire, check the presented IP etc. (which are firewall options you do not have to care of, but just activate or not, it depend if you want to enable or not these firewall's features but...).
This option aim to be rude as is, leaving no chances to bad guys.

But:
Hint for cool people: do not overload WordPress activating multiple not useful features, thinking that for this you'll be more secure. If the code of plugins you use, the server configuration, and the cms are secure, maybe you do not need to much to pretend to stay secure, except the above. Just activate the minimum as explained. You'll be secure. This is it on this online example since ever.
falcon
User www
User www
Posts: 76
Joined: Tue Apr 05, 2016 6:56 pm

Re: Securing WP_w3all phpBB WordPress integration: HOW TO and WHY

Post by falcon »

Installed.
Thank you.
webinar
Posts: 1
Joined: Fri May 13, 2016 9:18 am

Re: Securing WP_w3all phpBB WordPress integration: HOW TO and WHY

Post by webinar »

axew3 wrote:HOW TO: Using All In One WP Security as WordPress login strike system.

I'm using this nice plugin at moment with only one feature modified/activated after plugin install:

under WP Security -> User Login

leaving all settings as are by default and activating:

Enable Login Lockdown Feature
Allow Unlock Requests
Notify By Email


....
Thanks mate. That is a very wonderful and essential information you have shared with us. I wonder why wordpress by default does not have native brute force support ? Is this one of the reason why we see so many compromised wordpress websites ?
User avatar
axew3
w3all User
w3all User
Posts: 2883
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy
Contact:

Re: Securing WP_w3all phpBB WordPress integration: HOW TO and WHY

Post by axew3 »

Yes, but you can note that WordPress set by default a very long password, hashed in a very complicated matter. It is +- secure by default, but without a login strike system, can happen that somebody with a script, will brute force the WP login, they just try different passwords passed several times, and they guess to get the good one before or later.
User avatar
DjPorkchop73
User www
User www
Posts: 80
Joined: Thu Aug 20, 2020 6:45 pm
Location: Egyptian Valley of Illinois

Re: Securing WordPress and WP_w3all phpBB WordPress integration: HOW TO and WHY

Post by DjPorkchop73 »

Thanks for sharing this info. I have had it stop a few brute for attempts already for my website.You made it real easy to follow along and understand.

Many thanks!
If I could I would. If I don't, it's because I am lazy!

"Don't gain the world and lose your soul, wisdom is better than silver and gold" -Bob Marley
Post Reply