• Resolved macmcmeans

    (@macmcmeans)


    Great product. Love the versatility of the WAF.

    I don’t want to introduce undue comparisons here, but with Wordfence I can block site access per specific usernames (through their GUI). Can I also do this with NWAF?

    Writing rules to block IPs in .htninja is child’s play, but can I block usernames? Can you set me on the right path, please?

    A simplified example would be:

    if ( $_SERVER[ "username_var" ] === 'joe_snuffy' ) {
        return 'BLOCK';
    }

    I’m using NinjaFirewall (WP+) 4.7.5, WP 6.8.2, PHP 8.3.23

    Thanks!

Viewing 1 replies (of 1 total)
  • Plugin Contributor bruandet

    (@bruandet)

    You could either:

    1. Block the user from logging in: If it is a POST payload to the /wp-login.php script, check the username in the POST['log'] variable. However, the user can also log in with their email address…
    2. Block a logged in user: If there’s a cookie such as wordpress_logged_in_ followed by 32 hexadecimal characters, check its value, which should start with the username. For instance, if the user is alice, then the cookie will look like:
      Name: wordpress_logged_in_ca230611d176de294d7ee574cb351e20
      Value: alice|1756719930|7oq8CYFa4x9tTwOGN1gwV0LazENJZhobFQAFvzCZZo1|2b2d715c0f254ca6e41fa8d235806d95e47fa20ce3a00d2ac10940797a8dc29b

    The login page is case insensitive: Alice or aliCE or alice will all work.
    But the name in the cookie is case sensitive. If the user is registered as Alice, then the cookie will be Alice|xxxx, not alice|xxxx.
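
Both checks from the reply above combined into one snippet for the site's existing `.htninja` file, as an added example that is not part of the original thread and not NinjaFirewall's own code. The blocklist entries and the `$nfw_example_*` names are hypothetical; it assumes `.htninja` acts on `return 'BLOCK';` as in the question's snippet, and it compares in lower case so the case-sensitive name in the cookie still matches.

```php
<?php
// Added example for .htninja. Blocklist values are constructed placeholders.
// Assumption: NinjaFirewall acts on `return 'BLOCK';` from this file,
// as in the question's own snippet.

// A closure (not a named function) avoids a redeclaration error
// if the file is ever included more than once.
$nfw_example_match = static function (array $server, array $post, array $cookies, array $blocked): ?string {
    // Lower-case the list once; both checks below compare in lower case.
    $blocked = array_map('strtolower', $blocked);

    // 1. Login attempt: POST to wp-login.php, name sent in the `log` field.
    //    The login form is case insensitive, so compare case-insensitively.
    $script = basename((string) ($server['SCRIPT_NAME'] ?? ''));
    if (($server['REQUEST_METHOD'] ?? '') === 'POST' && $script === 'wp-login.php') {
        $log = $post['log'] ?? '';
        if (is_string($log) && in_array(strtolower(trim($log)), $blocked, true)) {
            return $log;
        }
    }

    // 2. Logged-in session: cookie named wordpress_logged_in_ + 32 hex chars,
    //    whose value starts with "<username>|". The cookie keeps the registered
    //    case (Alice, not alice), hence the lower-casing before the lookup.
    foreach ($cookies as $name => $value) {
        if (!is_string($value)
            || !preg_match('/^wordpress_logged_in_[0-9a-f]{32}$/', (string) $name)) {
            continue;
        }
        $user = explode('|', $value, 2)[0];
        if (in_array(strtolower($user), $blocked, true)) {
            return $user;
        }
    }

    return null; // no blocked user involved in this request
};

// Users can also log in with their email address, so list it next to the
// username (both entries here are constructed placeholders).
$nfw_example_blocked = ['joe_snuffy', 'joe@example.com'];

if ($nfw_example_match($_SERVER, $_POST, $_COOKIE, $nfw_example_blocked) !== null) {
    return 'BLOCK';
}
```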
