Welcome to HBH! If you had an account on hellboundhacker.org you will need to reset your password using the Lost Password system before you will be able to login.

What keeps a Wordpress protected page from being brute forced

  1. Home
  2. Forum
  3. Hacking in general
  4. What keeps a Wordpress protected page from being brute forced

shiroslullaby's Avatar

shiroslullaby

Member
0 0

So I was looking at a friends wordpress site and noticed you can password protect a page.
If you do this, when you view it, you get a page that accepts a password without a username and seems to not limit your tries.

I set up my own site and enabled a password for a page.
https://shiroslullaby.wordpress.com/passwordprotected/

it seems to use wp-login.php?action=postpass and post_password="password"&Submit=Submit

When you put in the right password you view the content but wrong password seems to do a POST/redirect/GET to the original page?

I tried using the URL bar to enter my variables and got a page not found message. Did I type something wrong or is there something Im not seeing that prevents you from doing it this way and what would prevent someone from brute-forcing this?

Im not sure what you could use in the way of checking referrer, cookies etc to prevent someone from hammering at this until they got the right pass.
Hoping someone knows or is bored and wants to take a look at it.
Also if anyone knows a tool to check out thats good but I'd like to understand exactly how this is implemented becuase I feel like Im missing something.

EDIT It seems like Wordpress servers are running nginx so Im going to do some reading on that. (I have basic understanding but never actually implemented before)
I would be interested to see differences between using the wordpress site and if somone installed on their own poorly configured server.
Also you can download the worpress kit and look at the php files so Ill do that although my php progamming skills are pretty basic.