security – Basic authentication .htaccess on wp-login, but allow disconnection of woocommerce

I'm using basic-auth htaccess protection on my WC site to prevent hackers from accessing wp-login, which works well … except with WooCommerce: if a logged-in customer wants to log out of their account by clicking the logout link, they are greeted by the Basic Auth popup asking them to "authorize" (generated by our htaccess).

On the WooCommerce dashboard:
Hello MrTest (not MrTest? Logout) << By clicking Logout, the Basic Authentication dialog box appears. How can we avoid this?

Here is the content of our htaccess:

    AuthName "Allowed"
    AuthType Basic
    AuthUserFile /home/user/.pswrdfile
    Require valid-user

In the WooCommerce settings, the logout endpoint is: client-logout and the logout link URL displays: example.com/shop/my-account/customer-logout/?_wpnonce=2e343434.

So, how can I change the htaccess to allow "wp-login.php?action=logout" to go through basic authentication?

I have tried this, but it does not work; I have an Apache server with the latest versions.

    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/wp-login.php$
    RewriteCond %{QUERY_STRING} ^action=logout
    RewriteRule ^ - [E=noauth]

 

    Options -Indexes +FollowSymLinks +MultiViews
    AuthName "Protected page. If you are not allowed to be here, leave the page"
    AuthType Basic
    AuthUserFile "/etc/apache2/htaccess/myhtaccess"
    Require valid-user

    Order Deny,Allow
    Deny from all
    Allow from env=noauth

    Satisfy any

 

Imunify360 and wp-login attacks | Talk Web Hosting

It seems that lately, Imunify360 has been very bad at blocking wp-login.php attacks. A little earlier, their gray list blocked them pretty well, but now it seems like a lot of robots are getting through. They have a ModSecurity rule, "Remote Control WordPress Bruteforce RBL", but that really does not matter.

Has anyone else experienced the same thing? I think our old configuration with CSF and Comodo WAF was more effective at blocking these attacks.

It would be best to redirect all users to a CAPTCHA when accessing the wp-login.php page.

cPanel ModSecurity Rule for wp-login attack

Can anyone help me with a ModSecurity rule for the wp-login attack?

I need to block for the next 30 minutes after 3 wrong attempts.

I'm using the COMODO ModSecurity Apache rule set.


    SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:1234123457

    SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'IP address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:1234123458"
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:1234123459"
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:1234123460"
    SecRule ip:bf_counter "@gt 3" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=6000,setvar:ip.bf_counter=0"


    SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:1234123458

    SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'IP address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:1234123458"
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:1234123459"
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:1234123460"
    SecRule ip:bf_counter "@gt 2" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=6000,setvar:ip.bf_counter=0"

I found this rule on Google when searching, and I can see it listed in a lot of results. Is this rule correct?
"gt 3" means that after 3 connection failures, it will block for 6000 seconds, right?
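A simplified model of the counters in the first rule set quoted above, added here as an example (it is not code from the post or from ModSecurity): it replays constructed (time, status) pairs to show when the `@gt 3` check trips and how long `expirevar:user.bf_block=6000` holds. The decay arithmetic and the names `IpState`, `process` and `replay` are assumptions of this sketch.

```python
from dataclasses import dataclass

THRESHOLD = 3         # ip:bf_counter "@gt 3"
DECAY_PERIOD = 180    # deprecatevar:ip.bf_counter=1/180 (minus 1 per 180 s)
BLOCK_SECONDS = 6000  # expirevar:user.bf_block=6000

@dataclass
class IpState:
    """Hypothetical stand-in for the per-address ip/user collections."""
    counter: int = 0
    last_update: int = 0
    blocked_until: int = 0

def process(state, now, backend_status):
    """Return the status the client sees for one request at time `now`."""
    # Phase 1: SecRule user:bf_block "@gt 0" -> deny,status:401
    if now < state.blocked_until:
        return 401
    # Phase 5 runs after the response has been produced.
    if backend_status == 302:        # "^302": a successful login resets the counter
        state.counter = 0
    elif backend_status == 200:      # "^200": every 200 is counted as a failure
        decay = (now - state.last_update) // DECAY_PERIOD  # assumed arithmetic
        state.counter = max(0, state.counter - decay) + 1
        if state.counter > THRESHOLD:    # chained rule: counter is now 4 or more
            state.blocked_until = now + BLOCK_SECONDS
            state.counter = 0
    state.last_update = now
    return backend_status

def replay(events):
    """Feed (seconds, backend_status) pairs from one address through the model."""
    state = IpState()
    return [process(state, t, status) for t, status in events]

# Constructed sample: five quick failed logins, then two later requests.
FAST_ATTEMPTS = [(0, 200), (10, 200), (20, 200), (30, 200), (40, 200),
                 (6029, 200), (6030, 200)]
# Constructed sample: one failure every 200 s, slower than the decay rate.
SLOW_ATTEMPTS = [(i * 200, 200) for i in range(10)]

if __name__ == "__main__":
    print(replay(FAST_ATTEMPTS))
    print(replay(SLOW_ATTEMPTS))
```

In the model the fourth counted 200 sets the block, the response that trips it is still delivered, and the 401s last 6000 seconds rather than the 5 minutes stated in the rule's message. Attempts spaced more than 180 seconds apart never accumulate.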

stop redirection on /wp-login

I've installed a modified version of WordPress with "Duplicator".
I think there's a problem, and I think it's in the redirect.
How can I stop it?
http://mysite/wp-login.php?redirect_to=http%3A%2F%2F45.63.40.242%2Fwp-admin%2Fadmin.php%3Fpage%3Dduplicator-tools%26tab%3Ddiagnostics%26section%3Dinfo%26package%3D20190714_d985d988d986d8b2d8a7_cccf8e77745a3e337539190714180116_archive.zip%26safe_mode%3D0

htaccess – Nginx subdirectory: wordpress wp-login redirects to 404 not found

    server {
        location / {
            try_files $uri $uri/ @extensionless-php;
        }
        location /shop {
            try_files $uri $uri/ /shop/index.php?q=$uri&$args /shop/index.php?q=$uri&$args;
        }
        location ~ \.php$ {
            # Redirect any request whose URI ends in .php to the extensionless URI
            if ($request_uri ~ (.*)\.php$) {
                return 301 $1;
            }
            try_files $uri =404;
            include /etc/nginx/fastcgi.conf;
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        }
        location @extensionless-php {
            # Map an extensionless URI back to the matching .php file
            rewrite ^(.*)$ $1.php last;
        }
    }

The code above is used in the nginx server file. I have WordPress installed in a subdirectory. When I try to connect to my dashboard using a username and password via the wp-login.php page, it redirects to 404 not found. The other pages of the WordPress blog work well. I cannot access only my dashboard. Please help me solve the problem. Thank you in advance.