Another scenario: All worked perfectly for completely locking out everything but me using BPSP login protection and the above for post data attack, leaving only the # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON lines open.
I use the Opera browser to test a not-me IP as it comes in from its own separate IP (in the Security log file it noted the IP was “HTTP_X_FORWARDED_FOR: 50.zz.y.xx” – my real IP address).
Using Opera http:// all was fine with all domains (got correct 403 errors). BUT when I tried a domain that I only allow https:// secure SSL, Opera put through the wp-login page as normal – no 403? When I resubmitted without the “s” – it immediately 403’d. All the custom code is identical between sites (except for Allow from domain/server differences).
When I acid tested w/a Tor browser entry on the https:// it did go to a 403 immediately.
A fluke? Leave all as is? (Real bad guys won’t be using my IP ever.)