One of the ways that WP Engine determines what's a valid login attempt — and what's a script based brute force attack — is by requiring a query argument (of wpe-login
) on all login attempts. The value must match the name of the install in order to be considered valid.
The install name is defined with PWP_NAME
in wp-config.php
on all WP Engine installs.
An example of a valid URL to submit your login query to is:
http://domain.com/wp-login.php?wpe-login=PWP_NAME
If you'd like to detect if you're on a WP Engine install, it's best if you check for the existence of the wpe_site
function.
<?php
if( function_exists( 'wpe_site' ) ) {
// This site is hosted on WP Engine.
}
Hopefully this gives you what you need to make your login related code WP Engine compatible!
This can also be applied to a regular WordPress installation.
wp_die()
if parameter does not match the defined constant.