What keeps a WordPress protected page from being brute forced


Posts: 11
Joined: 25.01.15
Hacker Level 2
Posted on 12-02-15 05:57
So I was looking at a friend's WordPress site and noticed you can password protect a page.
If you do this, when you view it, you get a page that accepts a password without a username and seems not to limit your tries.

I set up my own site and enabled a password for a page.

It seems to use wp-login.php?action=postpass

When you put in the right password you view the content, but a wrong password seems to do a POST/redirect/GET to the original page?

I tried using the URL bar to enter my variables and got a page not found message.
Did I type something wrong, or is there something I'm not seeing that prevents you from doing it this way, and what would prevent someone from brute-forcing this?

I'm not sure what you could use in the way of checking referrer, cookies etc. to prevent someone from hammering at this until they got the right pass.
Hoping someone knows or is bored and wants to take a look at it.
Also if anyone knows a tool to check out that's good, but I'd like to understand exactly how this is implemented because I feel like I'm missing something.

It seems like WordPress servers are running nginx so I'm going to do some reading on that. (I have a basic understanding but have never actually implemented it before.)
I would be interested to see differences between using the wordpress.com site and if someone installed it on their own poorly configured server.
Also you can download the WordPress kit and look at the PHP files, so I'll do that, although my PHP programming skills are pretty basic.

I'm not insane
No, my life's a gameshow
I shot for the stars and missed
So now I aim low

Edited by shiroslullaby on 12-02-15 19:41
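A defensive counterpart to the question above, added here as an example and not taken from WordPress core or from the poster: a must-use plugin that counts submissions to wp-login.php?action=postpass per client address and refuses further attempts once a threshold is reached. The hbh_ function names, the limit of 5 per 10 minutes and the use of REMOTE_ADDR are assumptions.

```php
<?php
/**
 * Added example, not WordPress core and not the poster's code: throttle
 * submissions to wp-login.php?action=postpass per client address.
 * Assumes a stock WordPress install (login_form_postpass action,
 * get_transient/set_transient, wp_die) on one server so the transient
 * store is shared; save under wp-content/mu-plugins/ to load it.
 * Behind a reverse proxy, swap REMOTE_ADDR for the validated client IP.
 */

const HBH_POSTPASS_MAX_ATTEMPTS = 5;    // submissions allowed per window (assumed)
const HBH_POSTPASS_WINDOW       = 600;  // window length in seconds (assumed)

// Transient key for one client address; hashing keeps the key short and
// avoids writing raw addresses into the options table.
function hbh_postpass_key( $client_ip ) {
    return 'hbh_postpass_' . hash( 'sha256', $client_ip );
}

// Bump the counter for this client and return the new attempt number.
// The expiry is reset on every hit, so the window slides rather than
// resetting, and a client that keeps hammering never gets a fresh quota.
function hbh_postpass_record_attempt( $client_ip ) {
    $key      = hbh_postpass_key( $client_ip );
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, HBH_POSTPASS_WINDOW );
    return $attempts;
}

// Fires before core compares the submitted password and sets the
// wp-postpass_* cookie, so a throttled client never reaches that check
// and gets a 429 instead of the usual redirect back to the page.
function hbh_postpass_throttle() {
    $client_ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    if ( hbh_postpass_record_attempt( $client_ip ) > HBH_POSTPASS_MAX_ATTEMPTS ) {
        // Leave a trace in the PHP error log so the throttling is visible in review.
        error_log( sprintf( 'postpass throttled for %s', $client_ip ) );
        wp_die(
            'Too many password attempts. Please try again later.',
            'Too Many Requests',
            array( 'response' => 429 )
        );
    }
}
add_action( 'login_form_postpass', 'hbh_postpass_throttle' );
```

Because the hook runs before the password comparison, every submission counts, right or wrong; core itself applies no attempt limit to this action, which is why the poster only ever sees a redirect.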