[WordPress] Plugin share: Project Force Field

Active installations: 20+
Rating: ★★★★ 4.6/5 (16 reviews)
Last updated: 4328 days ago
Requires WordPress 3.8+ · Version 0.6.1 · Listed 2014-04-17


⬇ Download the latest version (v0.6.1) or install from the dashboard search

① Download the ZIP, then in the dashboard go to Plugins › Add New › Upload Plugin
② Or search for "Project Force Field" under Plugins › Add New and install it directly (recommended)

Plugin description (original English)

Faison Zutavern, Jon Valcq, and Emma Edgar of Orion Group LLC bring brute force attack protection to WordPress with their plugin, Project Force Field. By tracking failed login attempts and using Apache's mod_rewrite module to refuse requests before PHP runs, Project Force Field stops brute force attacks from bogging down your sites and servers.
Special thanks to Chris Aykroid for the plugin banner 😀
Contributing
If you would like to contribute to or fork Project Force Field, we currently have a repository on Bitbucket. You can find it here.
Features!

Sends a 403 error code to anyone visiting /wp-login.php – Every brute force attack we have seen targets /wp-login.php. Because the 403 is served by the rewrite layer, no WordPress file is loaded, the database is never queried, and the attacker never gets to test a password.
Changes the default login URL – While a so-called hacker is being deflected by your Force Field, you log in as usual at /wp-admin/, and WordPress redirects you to the new, proper login URL.
Automatically changes the login when a brute force attack is detected – When too many login failures occur within one minute, Project Force Field shifts polarity: the login URL you were using now answers with a 403, and a large random number becomes the new login URL. After some time, the login returns to normal.
Unlimited polarity shifts – If an attacker gets smart and scripts a check for the new login URL, Project Force Field keeps detecting the attack and keeps changing the login.
Define the login yourself – By defining the constant OGFF_LOGIN in your wp-config.php, you can set the login URL to almost anything you want.
Stops the WordPress user enumeration exploit – Many brute force attacks use WordPress user enumeration to find valid usernames cheaply. We block that and answer with a 403, protecting the site and sparing the server.
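The behaviour the feature list describes, modelled end to end as an added example. This is not Project Force Field's own code; the plugin's real rule syntax, key format and restore delay are not on this page, so they are assumptions: the login key is taken to be a bare query-string name on /wp-login.php, "user enumeration" is taken to mean the ?author=N request, and the configured login is restored ten minutes after a shift. `htaccess_rules()` shows what the 403 gate looks like in mod_rewrite terms; `ForceField` counts failures in a sliding one-minute window with the page's threshold of 30, rotates the login to a large random number when the window fills, keeps rotating on further attacks, and restores the login set by OGFF_LOGIN afterwards.

```python
"""Model of the login gating Project Force Field is described as doing.

Added example for this page, not the plugin's code. Assumed: the secret login is
a bare query-string key on /wp-login.php, enumeration means ?author=N, and the
restore delay is 10 minutes (the page only says "after some time").
"""
import re
import secrets
import time
from collections import deque
from typing import Callable, Deque, Dict, Optional

FAILURE_THRESHOLD = 30       # the page: 30 failures within a minute
WINDOW_SECONDS = 60
RESTORE_AFTER_SECONDS = 600  # assumed; not stated on the page


class Response:
    def __init__(self, status: int, location: Optional[str] = None):
        self.status = status
        self.location = location


def htaccess_rules(active_key: str) -> str:
    """mod_rewrite rules equivalent to the gate below (assumed form, not the
    plugin's generated .htaccess). A wp-login.php request without the active
    key, and a ?author=N request on the site root, get a 403 before PHP runs."""
    key = re.escape(active_key)
    return "\n".join([
        "RewriteEngine On",
        f"RewriteCond %{{QUERY_STRING}} !(^|&){key}(=|&|$)",
        r"RewriteRule ^wp-login\.php$ - [F,L]",
        r"RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+",
        "RewriteRule ^$ - [F,L]",
    ])


class ForceField:
    def __init__(self, login_key: str, now: Callable[[], float] = time.time):
        self.default_key = login_key        # what OGFF_LOGIN in wp-config.php would set
        self.active_key = login_key
        self.now = now                      # injectable clock so the model runs offline
        self.failures: Deque[float] = deque()
        self.shifted_at: Optional[float] = None
        self.shift_count = 0

    def _prune(self) -> None:
        """Drop failures that fell out of the one-minute window."""
        cutoff = self.now() - WINDOW_SECONDS
        while self.failures and self.failures[0] < cutoff:
            self.failures.popleft()

    def _maybe_restore(self) -> None:
        """Return to the configured login once the restore delay has passed."""
        if self.shifted_at is not None and self.now() - self.shifted_at >= RESTORE_AFTER_SECONDS:
            self.active_key = self.default_key
            self.shifted_at = None

    def login_url(self) -> str:
        self._maybe_restore()
        return f"/wp-login.php?{self.active_key}"

    def handle(self, path: str, query: Dict[str, str]) -> Response:
        """Decide as the rewrite layer would, before any WordPress file loads."""
        self._maybe_restore()
        if path == "/wp-login.php":
            return Response(200) if self.active_key in query else Response(403)
        if path == "/wp-admin/":
            # WordPress itself, not the rewrite layer, redirects to the current login URL.
            return Response(302, self.login_url())
        if path == "/" and "author" in query:
            return Response(403)
        return Response(200)

    def record_failure(self) -> bool:
        """Log a failed login; True when this one filled the window and shifted polarity."""
        self.failures.append(self.now())
        self._prune()
        if len(self.failures) < FAILURE_THRESHOLD:
            return False
        # Shift: a large random number becomes the login and the old key now gets 403.
        self.active_key = str(secrets.randbelow(10 ** 18) + 10 ** 17)
        self.shifted_at = self.now()
        self.shift_count += 1
        self.failures.clear()
        return True


if __name__ == "__main__":
    ff = ForceField("my-quiet-door")
    print(htaccess_rules(ff.active_key))
    shifted = False
    for _ in range(FAILURE_THRESHOLD):
        shifted = ff.record_failure()
    print("shifted:", shifted, "new login:", ff.login_url())
```

Run it directly to print the rules and a shift. Note that the model, like the page, only covers /wp-login.php and the ?author=N request; any other authentication endpoint a site exposes is outside what this gate refuses, and the page does not discuss them.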

Future Features!

Multisite support – It is not there yet, which is pretty lame, so I am going to fix that before anything else!
Adjust the login failure threshold – Currently, Project Force Field assumes a brute force attack is underway after 30 login failures within one minute. That may not suit large websites, so we want to let you raise the threshold, to 300 if needed.
Add optional email notification for brute force events – If you want to know when your website is under attack, we want to tell you. In a near future version you will be able to add email addresses to be notified of brute force attacks and of other important related events we add later.
Add a last resort .htaccess password lockdown – If a so-called hacker writes a script that keeps learning the new login URL, Project Force Field will not help much. In an upcoming version we will count how many times the login URL has been changed, treat a high count as a smart brute force attack, and lock the login down behind an .htaccess password.
