WordPress Brute force log

Mun Member

Last night I was alerted to one of my WordPress sites being brute forced. After realizing this, I began to try and play with the bot and see what I could get it to do.

I tried redirects (didn't work).

I increased the size of wp-login.php to a very large file (did work).

However, finally after messing around with it enough I thought it might be cool to see what it was trying and how it was trying to get into my WordPress.

Here is the following log: https://cdn.content-network.net/Mun/25_Aug_2014-WP-Brute-Force.txt

time | IP Address [port] : post contents

I also noticed with this bot a bit down into the log that it tried a different user based on my site's name.

Enjoy

Thanked by 1Faizi
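A way to summarise a log in the `time | IP Address [port] : post contents` layout described in the post above, as an added example that is not the poster's code. The sample lines are constructed, and the timestamp style and form-encoded post contents are assumptions, since the log itself is not reproduced on this page.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample lines in the "time | IP Address [port] : post contents" layout.
# Timestamp style and form-encoded body are assumptions; `log` and `pwd` are the
# field names the WordPress login form submits.
SAMPLE_LOG = """\
2014-08-25 03:12:01 | 198.51.100.7 [51234] : log=admin&pwd=example1&wp-submit=Log+In
2014-08-25 03:12:02 | 198.51.100.7 [51240] : log=admin&pwd=example2&wp-submit=Log+In
2014-08-25 03:12:04 | 198.51.100.7 [51251] : log=munroenet&pwd=example3&wp-submit=Log+In
2014-08-25 03:15:40 | 203.0.113.22 [40112] : log=editor&pwd=example4&wp-submit=Log+In
this line is malformed and is counted as skipped
"""

LINE_RE = re.compile(
    r"^(?P<time>[^|]+?)\s*\|\s*(?P<ip>[0-9A-Fa-f.:]+)\s*\[(?P<port>\d+)\]\s*:\s*(?P<body>.*)$"
)

def parse_line(line):
    """Split one log line into time, IP, port and attempted username (None if malformed)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = parse_qs(m.group("body"), keep_blank_values=True)
    return {"time": m.group("time"), "ip": m.group("ip"), "port": int(m.group("port")),
            "user": fields.get("log", [""])[0].lower()}

def summarize(log_text, site_name, threshold=3):
    """Per-IP attempt counts and usernames tried; passwords are never stored or shown."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    skipped = 0
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        per_ip[rec["ip"]]["attempts"] += 1
        per_ip[rec["ip"]]["users"].add(rec["user"])
    report = {ip: {"attempts": e["attempts"], "users": sorted(e["users"]),
                   "over_threshold": e["attempts"] >= threshold,
                   "tried_site_name": site_name.lower() in e["users"]}
              for ip, e in per_ip.items()}
    return report, skipped

if __name__ == "__main__":
    report, skipped = summarize(SAMPLE_LOG, site_name="munroenet")
    for ip, info in report.items():
        print(ip, info)
    print("skipped lines:", skipped)
```
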

Comments

  • Looks like you have a friend from Velsya

    213.246.53.71 (webmail.velsya.com)

  • Moral of the story - don't use "admin" or the name of your website (munroenet) as a login.

  • ATHK Member

    @nductiv said:
    Moral of the story - don't use "admin" or the name of your website (munroenet) as a login.

    Don't forget to move the default admin directory to somewhere other than wp-*

  • @nductiv said:
    Moral of the story - don't use "admin" or the name of your website (munroenet) as a login.

    Usernames are not secret. Visit /?author=1 to see what I mean.

    Thanked by 2vonlulzweg netomx
  • Mun Member

    @Abdussamad said:

    Indeed.

  • Install wordfence plugin, it will limit login attempts and hide the author names and couple more features.

    Also, disable xmlrpc.

    That should solve like 80% of the problems.

  • Any plugin to enable us to rename wp-login and actually having wp-login showing 404?

  • Sree Member

    zhuanyi said: Any plugin to enable us to rename wp-login and actually having wp-login showing 404?

    Use Better WP Security [ iThemes Security] to rename wp-admin and wp-login

    Thanked by 1zhuanyi
  • Use mod_security to ban IPs that continuously access the wp-login.php page within a specified time.

  • Install Google Authenticator for WP

  • akz Member

    I use limit login attempts but will definitely look into Better WP Security to rename wp-* folders. Thanks for that.

  • @Abdussamad said:

    Usernames are not secret. Visit /?author=1 to see what I mean.

    https://wordpress.org/plugins/disable-author-pages/installation/

  • @Abdussamad said:
    Usernames are not secret. Visit /?author=1 to see what I mean.

    Just to clarify: that doesn't actually reveal the username, it reveals the "nice name"--similar to a post's slug. By default the nice name is the username so the end effect is the same; however, the nice name can be changed to anything.

    It is true, however, that usernames are generally not a secret, but it doesn't hurt to block ?author=# requests. It won't stop a targeted attack, but it will hamper a bot's effectiveness.

  • @mun can you share how you got that data?

  • Hybrid Member
    edited August 2014

    @praveenbhat said:
    mun can you share how you got that data?

    I'm guessing from the access log of the webserver

    @akz said:
    I use limit login attempts but will definitely look into Better WP Security to rename wp-* folders. Thanks for that.

    Even if you limit the login attempts, if you have xmlrpc enabled, they can still brute force you and limiting login won't work when a xmlrpc attack is happening.

    In general if you're using a good hard to guess password and a username different than admin, it will be hard to crack your account. However, all those brute force attacks can load your server with stupid requests.

  • @jonnathon Even I am getting a lot of login attempts; I have in my logs a lot of [% tools.ua.random() %]. Because of these login attempts I am being locked out by the plugin "limit login attempts".

  • akz Member

    @praveenbhat said:
    jonnathon Even I am getting a lot of login attempts; I have in my logs a lot of [% tools.ua.random() %]. Because of these login attempts I am being locked out by the plugin "limit login attempts".

    Same, I have it set for 4 incorrect then ban IP for 24 hours.

  • @akz limit login attempts plugin does not work very well when your WordPress is behind a reverse proxy. I am checking why that is now.

    This issue because of [% tools.ua.random() %] started in the past few days.

  • akz Member
    edited August 2014

    @praveenbhat said:
    akz limit login attempts plugin does not work very well when your WordPress is behind a reverse proxy. I am checking why that is now.

    This issue because of [% tools.ua.random() %] started in the past few days.

    I haven't had much issue with it, I have it left to "Direct" connection (behind CF) and it still catches a bunch of different IPs trying to brute my WordPress. I just wish there was a plugin that I could get to work in conjunction with limit login attempts to just straight ban the IP instead.
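
The reverse-proxy problem discussed in the comments above, as an added example that is not from any poster or plugin: behind a proxy the web server sees the proxy's address as the peer, so a limiter keyed on it treats every visitor as one IP. The proxy range, the sample addresses and the `LoginLimiter` class are hypothetical.

```python
import ipaddress

# Hypothetical proxy range for this example; substitute your own proxy/CDN addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer_addr, x_forwarded_for=None):
    """Return the address a login limiter should key on."""
    # Direct connection: ignore X-Forwarded-For, because the sender controls it.
    if not is_trusted(peer_addr) or not x_forwarded_for:
        return peer_addr
    # Walk the header right to left; the first hop that is not our proxy is the client.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: stop trusting the header
    return peer_addr

class LoginLimiter:
    """Minimal stand-in for a 'lock out after N failures' plugin (hypothetical)."""
    def __init__(self, max_failures=4):
        self.max_failures = max_failures
        self.failures = {}

    def record_failure(self, key):
        self.failures[key] = self.failures.get(key, 0) + 1

    def is_locked(self, key):
        return self.failures.get(key, 0) >= self.max_failures

def simulate(key_on_peer):
    """Four failed logins from one bot via the proxy; is an unrelated visitor locked out?"""
    limiter, proxy = LoginLimiter(max_failures=4), "192.0.2.10"
    for _ in range(4):  # constructed traffic
        limiter.record_failure(proxy if key_on_peer else client_ip(proxy, "203.0.113.50"))
    visitor = proxy if key_on_peer else client_ip(proxy, "198.51.100.9")
    return limiter.is_locked(visitor)

if __name__ == "__main__":
    print("keyed on peer address, visitor locked out:", simulate(True))
    print("keyed on resolved client, visitor locked out:", simulate(False))
```
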

  • @akz you can use fail2ban plugin http://wordpress.org/plugins/wp-fail2ban/. Never used it though.

  • akz Member

    @praveenbhat said:
    akz you can use fail2ban plugin http://wordpress.org/plugins/wp-fail2ban/. Never used it though.

    Thanks, I'll give it a try, was just going to set the ban to 99999 hours lol.

  • @akz said:
    I haven't had much issue with it, I have it left to "Direct" connection (behind CF) and it still catches a bunch of different IPs trying to brute my WordPress. I just wish there was a plugin that I could get to work in conjunction with limit login attempts to just straight ban the IP instead.

    Wordfence plugin blocks IPs, and limits login attempts as well.

  • robohost Member
    edited August 2014

    Try iq block country https://wordpress.org/plugins/iq-block-country/ they use maxmind geo ip database.
    You can set blocking to backend(wp-admin) only

  • Mun Member

    I built a custom wp-login.php file.

  • wych Member

    @Mun said:
    I built a custom wp-login.php file.

    That is always an option. Just make sure you have a backup when you next upgrade ;)

  • Mun Member

    @wych said:
    That is always an option. Just make sure you have a backup when you next upgrade ;)

    I did, I actually took out the whole login mechanism and just replaced for a stand in to record the data.

  • @JustAMacUser said:
    It is true, however, that usernames are generally not a secret, but it doesn't hurt to block ?author=# requests. It won't stop a targeted attack, but it will hamper a bot's effectiveness.

    Look at the URL to see the username. Also you can find it in the source code. author-username classes in divs around the blog posts. Username in wp is not designed to be a secret.

  • JustAMacUser Member
    edited August 2014

    @Abdussamad said:
    Look at the URL to see the username. Also you can find it in the source code. author-username classes in divs around the blog posts. Username in wp is not designed to be a secret.

    Again, that's the nice name, which defaults to the username. There's no way that I know of to change it in the UI (it is filterable via plugins), but jump into MySQL and change the nice name for a user and watch that text reflect the change. (At least in the URL, I've never bothered to check the classes, etc. WordPress adds but I'm going to guess it uses the same value.)

    But I still agree with you, usernames are not meant to be secret. That's why strong passwords are important.

    Thanked by 1Abdussamad