WordPress Brute force log
Last night I was alerted to one of my WordPress sites being brute forced. After realizing this, I began to try and play with the bot and see what I could get it to do.
I tried redirects (didn't work).
I increased the size of wp-login.php to a very large file (did work).
However, finally, after messing around with it enough, I thought it might be cool to see what it was trying and how it was trying to get into my WordPress.
Here is the following log: https://cdn.content-network.net/Mun/25_Aug_2014-WP-Brute-Force.txt
time | IP Address [port] : post contents
I also noticed with this bot, a bit down into the log, that it tried a different user based on my site's name.
Enjoy
Comments
Looks like you have a friend from Velsya
213.246.53.71 (webmail.velsya.com)
Moral of the story - don't use "admin" or the name of your website (munroenet) as a login.
Don't forget to move the default admin directory to somewhere other than wp-*
Usernames are not secret. Visit /?author=1 to see what I mean.
Indeed.
Install wordfence plugin, it will limit login attempts and hide the author names and couple more features.
Also, disable xmlrpc.
That should solve like 80% of the problems.
Any plugin to enable us to rename wp-login and actually having wp-login showing 404?
Use Better WP Security [ iThemes Security] to rename wp-admin and wp-login
Use mod_security to ban IPs that continuously access the wp-login.php page within a specified time.
Install Google Authenticator for WP
I use limit login attempts but will definitely look into Better WP Security to rename wp-* folders. Thanks for that.
https://wordpress.org/plugins/disable-author-pages/installation/
Just to clarify: that doesn't actually reveal the username, it reveals the "nice name"--similar to a post's slug. By default the nice name is the username so the end effect is the same; however, the nice name can be changed to anything.
It is true, however, that usernames are generally not a secret, but it doesn't hurt to block ?author=# requests. It won't stop a targeted attack, but it will hamper a bot's effectiveness.
@mun can you share how you got that data?
I'm guessing from the access log of the webserver
Even if you limit the login attempts, if you have xmlrpc enabled, they can still brute force you and limiting login won't work when a xmlrpc attack is happening.
In general if you're using a good hard to guess password and a username different than admin, it will be hard to crack your account. However, all those brute force attacks can load your server with stupid requests.
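A small detection script to go with the log layout the OP described ("time | IP Address [port] : post contents") and the suggestion above to ban IPs that hit wp-login.php repeatedly within a set time. This is an added example, not the OP's recorder and not any of the plugins named in the thread; the sample lines are constructed in that layout (documentation IP ranges, made-up timestamps) and the script assumes the standard wp-login.php form field names, `log` for the username and `pwd` for the password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample lines in the "time | IP Address [port] : post contents"
# layout from the original post. Addresses are from documentation ranges;
# nothing here is taken from the OP's real log.
SAMPLE_LOG = """\
2014-08-25 01:12:03 | 203.0.113.7 [51234] : log=admin&pwd=password&wp-submit=Log+In
2014-08-25 01:12:04 | 203.0.113.7 [51236] : log=admin&pwd=123456&wp-submit=Log+In
2014-08-25 01:12:05 | 203.0.113.7 [51238] : log=admin&pwd=admin&wp-submit=Log+In
2014-08-25 01:12:06 | 203.0.113.7 [51240] : log=admin&pwd=qwerty&wp-submit=Log+In
2014-08-25 01:12:07 | 203.0.113.7 [51242] : log=munroenet&pwd=munroenet&wp-submit=Log+In
2014-08-25 01:30:00 | 198.51.100.9 [40001] : log=editor&pwd=hunter2&wp-submit=Log+In
2014-08-25 02:15:10 | 198.51.100.9 [40002] : log=editor&pwd=correct-horse&wp-submit=Log+In
"""

# One log line: "<YYYY-MM-DD HH:MM:SS> | <ip> [<port>] : <urlencoded POST body>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<ip>[0-9.]+) \[(?P<port>\d+)\] : (?P<body>.*)$"
)


def parse_line(line):
    """Return (timestamp, ip, username) for one line, or None if it does not match.

    Only the 'log' field (the username the bot tried) is kept. The 'pwd' field
    is parsed and discarded on purpose: guessed passwords are often someone's
    real password elsewhere and should not end up in a report.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = parse_qs(m.group("body"))  # assumes wp-login.php's log/pwd field names
    username = fields.get("log", [""])[0]
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("ip"), username


def find_bursts(lines, threshold=4, window=timedelta(minutes=5)):
    """Flag every IP that made at least `threshold` login POSTs inside any `window`.

    Returns {ip: {"attempts": total, "usernames": [tried usernames]}}. This is the
    same rule a fail2ban jail or mod_security rate rule would apply, expressed
    over the OP's log format so the thresholds can be tuned offline first.
    """
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, username = parsed
            by_ip[ip].append((ts, username))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        # Sliding window: if the Nth attempt after any given attempt falls
        # within `window`, the source crossed the rate limit.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = {
                    "attempts": len(events),
                    "usernames": sorted({u for _, u in events}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} attempts, usernames tried: {', '.join(info['usernames'])}")
```

On the constructed sample this flags 203.0.113.7 (five attempts in four seconds, trying both "admin" and the site name, which is exactly the pattern the OP noticed) and leaves 198.51.100.9 alone, since two attempts 45 minutes apart look like a real user mistyping. The flagged addresses are what you would hand to a firewall or a fail2ban action; the usernames list tells you which account names the bot already knows, which is the practical reason not to log in as "admin" or as your domain name.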
@jonnathon I am also getting a lot of login attempts; I have a lot of [% tools.ua.random() %] in my logs. Because of these login attempts I am being locked out by the plugin "limit login attempts".
Same; I have it set to 4 incorrect attempts, then ban the IP for 24 hours.
@akz The limit login attempts plugin does not work very well when your WordPress is behind a reverse proxy. I am checking why now.
This issue with [% tools.ua.random() %] started in the past few days.
I haven't had much issue with it. I have it left on "Direct" connection (behind CF) and it still catches a bunch of different IPs trying to brute my WordPress. I just wish there was a plugin that I could get to work in conjunction with limit login attempts to just straight ban the IP instead.
@akz you can use fail2ban plugin http://wordpress.org/plugins/wp-fail2ban/. Never used it though.
Thanks, I'll give it a try; I was just going to set the ban to 99999 hours lol.
Wordfence plugin blocks IPs, and limits login attempts as well.
Try IQ Block Country https://wordpress.org/plugins/iq-block-country/; it uses the MaxMind GeoIP database.
You can set blocking to backend (wp-admin) only.
I built a custom wp-login.php file.
That is always an option. Just make sure you have a backup when you next upgrade.
I did. I actually took out the whole login mechanism and just replaced it with a stand-in to record the data.
Look at the URL to see the username. You can also find it in the source code: author-username classes in divs around the blog posts. The username in WP is not designed to be a secret.
Again, that's the nice name, which defaults to the username. There's no way that I know of to change it in the UI (it is filterable via plugins), but jump into MySQL and change the nice name for a user and watch that text reflect the change. (At least in the URL; I've never bothered to check the classes, etc. WordPress adds, but I'm going to guess it uses the same value.)
But I still agree with you, usernames are not meant to be secret. That's why strong passwords are important.
You can try Login Lockdown https://wordpress.org/plugins/login-lockdown/