Is it possible to restrict WP account login without removing the ability to comment on a blog?
Inspired by the question "How to protect a WordPress site from hacking?"
There I was advised to create a separate question.
The point is the following. As I understand it, the surest way to secure a WP blog from hacking is to restrict login to the account, leaving only 2-3 devices (1. How to do this, by the way?).
At the same time, I would like to leave users the ability to comment on the blog. 2. Is it possible, and how?
I see several options:
1. Let non-registered users comment.
Then they won't have to register; it's enough to put Google reCAPTCHA on the comment form (or its invisible captcha).
And protect the wp-login.php page with a server-level password (htpasswd file).
2. If users need to log in to comment, then restricting by device won't work: everyone's devices are different, so millions of potential commenters cannot be filtered down to 2-3 devices.
Then it's enough to install a plugin like Limit Login Attempts, if you don't know how to limit this at the server level. The load will, of course, be greater, because IPs will be processed by WP, not by the server.
But this is the best solution.
I give 3 attempts per IP and block for an hour. A second offense gets a block for 2 days. "Heroes" after a month are added permanently to htaccess.
But! There is no need to be paranoid about "a user with the subscriber role will get into my admin panel..."
Well, he will get there, but his rights are so low that he cannot do anything wrong. Here is a table of rights and privileges: https://wp-kama.ru/function/current_user_can
Although there are simple snippets that keep users with a certain role out of the wp-admin area.
And let them comment.
The WP-Recall plugin restricts access to the admin panel by role. For it there is also a snippet to disable WP registration and use the plugin's registration instead. And the wp-login.php file can be closed altogether. Or use an add-on that adds captchas there and changes the path to wp-login.php; together with the disabled wp-login.php file, this is good protection. Users can comment and write posts from the frontend.
I don't see any problems for WP at all. Well, bots are hammering away trying to guess the admin's login and password. Even knowing the admin login, if the admin has a unique password for this site (and not one password for 10 sites) and it is at least 12 characters long, contains numbers, upper- and lower-case letters and special characters, it will take bots 34 thousand years to guess it: https://howsecureismypassword.net/
Think about it
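
The lockout policy described in the answer above (3 attempts per IP, a one-hour block, then two days for a repeat offence), worked through over an access log as an added Python example that is not part of the original answers. The log lines are constructed, the 15-minute counting window is an assumption, and the permanent htaccess step is left out.

```python
import re
from datetime import datetime, timedelta

MAX_FAILURES = 3                        # from the answer: 3 attempts per IP
FIRST_BLOCK = timedelta(hours=1)        # from the answer: first block lasts an hour
REPEAT_BLOCK = timedelta(days=2)        # from the answer: repeat offence, 2 days
FAILURE_WINDOW = timedelta(minutes=15)  # assumption: the answer names no window

# Heuristic: WordPress answers a failed login POST with 200, a successful one with 302.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"POST /wp-login\.php[^"]*" (?P<status>\d{3})')
# Constructed sample log (documentation IP ranges), not taken from the page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.20 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.20 - - [10/Mar/2024:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 403 199
203.0.113.7 - - [10/Mar/2024:11:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Mar/2024:11:05:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Mar/2024:11:05:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
""".splitlines()

def plan_blocks(lines):
    """Return (ip, start, end) for every block the policy would issue."""
    failures, offences, blocked_until, blocks = {}, {}, {}, []
    for line in lines:
        if not (m := LINE.match(line)):
            continue  # comment posts and other requests never count
        ip, status = m["ip"], m["status"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < blocked_until.get(ip, ts):
            continue  # request arrived while the IP was already blocked
        if status == "302":
            failures.pop(ip, None)  # a successful login clears the counter
        if status != "200":
            continue
        recent = [t for t in failures.get(ip, []) if ts - t <= FAILURE_WINDOW] + [ts]
        if len(recent) >= MAX_FAILURES:
            offences[ip] = offences.get(ip, 0) + 1
            end = ts + (FIRST_BLOCK if offences[ip] == 1 else REPEAT_BLOCK)
            blocked_until[ip] = end
            blocks.append((ip, ts, end))
            recent = []  # counting restarts after a block is issued
        failures[ip] = recent
    return blocks
```

On the sample, only 203.0.113.7 is blocked (twice), while the commenter at 198.51.100.20, who mistyped a password once and then logged in, is never blocked.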