How to Brute Force WordPress (and prevent it with AWS WAF) 

Your IP address is not something that can just be discovered nor is it something that is static (unchangable) unless you ask your ISP (provider) and pay a small monthly fee. Normally your ISP carrier grade NAT (in IPv4) your address into a pool of addresses that is basically shared among customers and from there you get a temporiraly address (highly dumbed down). For me to get your IP address you would need to 1) give it to me, 2) visit a malicious website, 3) or some other device that will record your IP and share it, it is not something i can just figure unless we somehow are connected like through a game, or some other media. If you really want your IP address to be undiscoverable, you would need a VPN service (i would not trust any such service unless i set it up myself) to mask your address. So you would connect from your home, to your VPN and your VPN would do all your online surfing for you and feed you back the information, never revealing your real IP but your VPN service would know.

You could do like Apply for their pin code, 1 failure = ok, 2 failures = ok, 3 failures = 2 min ban, 4 failures = 4 min ban and so on. They basically ban you two to the power of your attempts (2^LoginAttempts) after X failed attempts. And you could apply this to a specific page such as wp-login, the "problem" is that if the attacker has many IPs at their disposal they can change IP everytime they get the first ban and try 3 times per IP, but it would SEVERELY cripple them to a point of they would probably give up because it is not worth it. Effort vs reward.

No shit sherlock, you can't expect assistance from somebody if you won't help others.

BTW it has to do with aws security and he gives you the basics for it

Yeah, at least when your password isnt sth like 1234. Loi's WAF rule is even better tho

Long short, you need to whitelist it, using another rule, just as he did in this video

@@mikesmithie3259 okay thank you you, what about cloudflair?

Users are always the weak link and most users dont use a password manager, so they will never save the 18 randomized character passwords.

"just" easier said than done

hulk (golang one) not python one. I have my own dos tool better than hulk. but can't put repo here as youtube deletes the comment with url

@@codewithraiju1424 send your number

@@meenatv4481 I won't send my number.. you can use hulk dos tool it is very good.. use the golang script and not python script python one is very old and not that effective

@@codewithraiju1424 ok Bro

script kiddie lol

1000%

$ halfway there in a single step

Just use social engineering

​@@TheMessanger just use both.

:3 Cool, it's the very famous nmap. I've not used it before. It's featured in several movies, even in the Matrix series, with Reloaded. A continuously updated app, over 25 years old now. Hehe.

Yeah, he used an unsafe wp version for his demonstration