Please add support for nginx.
You could block the attacking bot via php if .htaccess is not supported...

Bug:

Saving the plugin settings creates an invalid .htaccess file, resulting in a 500 server error for all future requests to the domain.

Steps to Reproduce:

1. Use a WordPress install that hasn't had the Brute Force Login Protection (BFLP) plugin installed.
2. Install the BFLP plugin
3. Use the WordPress plugin interface to activate BFLP
4. Observe that the .htaccesss has the following lines added:

# BEGIN Brute Force Login Protection
<FilesMatch "">
order deny,allow
</FilesMatch>
# END Brute Force Login Protection

5. in WordPress, go to Settings -> Brute Force Login Protection, and change the max number of login attempts (ex: to 12). Click Save.

Expected Behaviour:

The settings are updated correctly, and the plugin and site continues to function, with a max number of logins set to 12.

Actual Behaviour:

1. See a Server Error 500 page.

2. Observe that the Apache error log states:
   [alert] [client 192.168.56.1] /var/www/.htaccess: /var/www/.htaccess:47: <FilesMatch> was not closed., referer: http://ubuntu.dev/wordpress/wp-admin/options-general.php?page=brute-force-login-protection&settings-updated=true

3. Observe in .htaccess:

   # BEGIN Brute Force Login Protection
   <FilesMatch ".*\.(php|html?|css|js|jpe?g|png|gif)$">
       order deny,allow
   <FilesMatch "">
   </FilesMatch>
   # END Brute Force Login Protection
   

4. All further http requests result in a 500 server error.

Debugging I've performed:

1. Observed that within Htaccess->setFilesMatch, the results of getLines(false, true) contains a single line:

   <FilesMatch "">
   

2. Observed that when the .htaccess is updated after the first time, during the getHeader() call, $this-&gt;filesMatch equals '.*.(php|html?|css|js|jpe?g|png|gif)$' (the default)

3. Observed that when the plugin is activited, and htaccess->uncommentLines(); is called, htaccess->filesMatch is still empty.

Conclusion drawn:

The first time the .htaccess file is amended to add the BFLP rules, htaccess->setFilesMatch() has not been called, and so the FilesMatch directive is given an empty pattern, which causes subsequent updates to fail.

Suggested Fix:

1. In the activate() method, add a call to $this->setProtectedFiles();

I could create a pull request if you like, but it's only a one-line fix:

/**
* Called When the plugin is activated
* 
* @return boolean
*/
public function activate()
{
    $this->setHtaccessPath();
    /* add the following line: */
    $this->setProtectedFiles();
    $this->htaccess->uncommentLines();
}

Won't do a squat for self-hosted Wordpress many of which use Nginx for performance reasons.

Hi, this is maybe more like a request if possible.
I think adding a feature to choose how long IP are being blocked would be interesting instead of blocking them for ever. This can cause a very big htaccess file filled with many IP or a issue for someone legit trying to visit the website after some months.
Thanks!

I updated to Apache 2.4 and this plugin stopped working. It seems like it does not support the Apache 2.4 syntax.

https://httpd.apache.org/docs/2.2/howto/access.html
https://httpd.apache.org/docs/2.4/howto/access.html

Old: Deny from 10.252.46.165
New: Require not ip 10.252.46.165

Can you please add Apache 2.4 support?

Hi,

I've around 500 wordpress sites and while searching for solution for brute force attacks I've found your plugin and decided to try.

What I don't understand is it looks like all the blocked IP's are my own IP's.

On each wordpress site, on the "white list" section my IP looks different and it show IP's like:
aaa.bbb.ccc.103
aaa.bbb.ccc.104
etc.

These are shown as my own IP's on the "white list" section of the plugin.

The problem is: when I look to the blocked IP's, they look very similar to mine, in the format of:

aaa.bbb.ccc.186
aaa.bbb.ccc.194

Note: And I realized today that I've been blocked on a few of my sites. So what's the problem here? Is my own server tries to login to my own sites? Or what can be the reason for that?