• Resolved kaitanium

    (@kaitanium)


    I have a tracker on my wordpress site tracking account login attempts.
    It has registered some 9000+ unsuccessful attempts to log into my site over the past 4 months. This number goes up daily. Any way to stop this? What is causing this? somewhat concerning!

    and this may or may not be related but im getting a ton of trackbacks and spam comments everyday also that i need to manually moderate

Viewing 13 replies - 1 through 13 (of 13 total)
  • Moderator James Huff

    (@macmanx)

    Bots mostly, they’re a part of online life, like comment and email spam.

    Bots will go around, hitting most login forms directly, trying popular username and password combinations, hoping to get in.

    As long as you have a great password, you don’t have to worry about them getting in.

    There are plugins to stop this, but I don’t recommend any of them, as that still puts load on your server. They generally won’t get in past these plugins, but the plugins still need to do the work of identifying and processing the hit.

    Instead, add this to your .htaccess access file:

    # Stop spam attack logins and comments
    <IfModule mod_rewrite.c>
    	RewriteEngine On
    	RewriteCond %{REQUEST_METHOD} POST
    	RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
    	RewriteCond %{HTTP_REFERER} !.*(example.com|jetpack.wordpress.com).* [OR]
    	RewriteCond %{HTTP_USER_AGENT} ^$
    	RewriteRule (.*) https://%{REMOTE_ADDR}/$ [R=301,L]
    </ifModule>

    Replace example.com with your site, and if you aren’t using Jetpack Comments, remove “|jetpack.wordpress.com”.

    This will not only block direct hits to your login and comment forms (which normal humans don’t do), it will also redirect them back to their “home” for an extra ounce of revenge. ??

    Via https://halfelf.org/2013/wp-login-protection-htaccess/

    There is a plugin that is excellent:

    Limit Login Atempts

    I suggest plugin over direct editing any of the files.

    Moderator James Huff

    (@macmanx)

    I suggest plugin over direct editing any of the files.

    Generally, I’d say the same, but not in the case of BruteForce protection. As mentioned above, “There are plugins to stop this, but I don’t recommend any of them, as that still puts load on your server. They generally won’t get in past these plugins, but the plugins still need to do the work of identifying and processing the hit.”

    Just to clarify, the .htaccess bit above will protect wp-login.php from direct hits, which is how most brute force attacks are carried out. It blocks them at the server level, rather than allowing them to reach a plugin, which will need to run via PHP, process the hit, and then query the MySQL database for any matches to existing blocks.

    Essentially, it’s the difference between a door that is already closed to certain traffic (the .htaccess rule), and a door that is always open with a single security guard who needs to check each person as they enter (the plugin).

    Thread Starter kaitanium

    (@kaitanium)

    yea im more inclined to add the htaccess code instead of a plugin. i dont want to rely on plugins if i can avoid it. already got too many running on the site. thanks for the heads up all!

    Moderator James Huff

    (@macmanx)

    You’re welcome!

    Thread Starter kaitanium

    (@kaitanium)

    i think its working. havent had an attack for 10 hours now…. crossing fingers! Im not good with code. I just copied and pasted the stuff into the htaccess and changed it to my url. There was some other piece of code in there that looked like this one. I hope i did it right.

    Moderator James Huff

    (@macmanx)

    If it’s working, and you have no trouble access your site in a variety of browsers, I’d say you did the right thing. ??

    Thread Starter kaitanium

    (@kaitanium)

    so on a similar note, any ways to stop trackback comments? im getting around 10 a day that i have to manually monitor and mark as spam

    Moderator James Huff

    (@macmanx)

    I’m not sure personally, Akismet should be catching most if you’re using that.

    A while back, I switched off Trackbacks and Pingbacks and have been blissfully Trackback and Pingback spam free, since it had been years since I received a legitimate Trackback or Pingback anyway. ??

    You can set the default to turn those off for future posts/pages by unchecking “Allow link notifications from other blogs (pingbacks and trackbacks)” at Settings -> Discussion in your blog’s Dashboard.

    For existing posts/pages, you’ll need to edit them and uncheck “Allow trackbacks and pingbacks on this page” in the Discussion box below the editor. If you don’t see the Discussion box below the editor, click the Screen Options tab near the top-right and check “Discussion.”

    If you have a ton of posts, https://www.ads-software.com/plugins/wp-disable-comments/ and https://www.ads-software.com/plugins/simple-trackback-disabler/ look promising, but backup first: https://codex.www.ads-software.com/WordPress_Backups

    I should of asked this earlier on…do you have akismet?

    already got too many running on the site

    No such thing as too many plugins. It’s the quality of each plugin.

    I have a site that the client has every possible social media account you can think of. that’s about 30 (twitter, facebook, instagram, vine, last.fm and so forth), they all show up on client’s website sidebar.

    Look at this link: https://www.ads-software.com/plugins/super-simple-anti-spam/ that deals with trackback spam.

    Doesn’t Akismet deal with trackback spam too?

    I am testing Antispam Bee “Easy and extremely productive spam-fighting plugin with many sophisticated solutions. Includes protection again trackback spam.”

    Not endorsing or not endorsing any of the above plugins.

    Thread Starter kaitanium

    (@kaitanium)

    oh shoot, i should have checked that first. when i remade my site, i forgot to redownload akismet. im a dummy haha.

    Thread Starter kaitanium

    (@kaitanium)

    looks like login attacks are back. after adding that htaccess code it stopped for awhile but i seem them back on my activity monitor now. any ideas? thanks!

    Bit of an old thread, but have you checked your .htaccess again? You might lose your settings if you visit Admin > Settings > Permalinks (URL Structure). It refreshes the .htaccess to my knowledge.

Viewing 13 replies - 1 through 13 (of 13 total)
  • The topic ‘Brute force attacks’ is closed to new replies.