Attacks seem to increase WHEN I am signed into WordPress

  • Resolved jp5633

    (@jp5633)


    1 year, 3 months ago

    With Wordfence installed my site has been hack free. When I sign in I sign into my website I use the Cpanel which brings me to Softaculous where I click sign in. I always check the users list first and there is a very very strong password for WordPress attached to my user name.

    I then check the plugins for updates and install those if there are any. Then I click on WordFence and “Blocking”. There are usually blocked attempts listed but they are ALWAYS ones that occurred Since I signed in. It is as if the hackers KNOW when I am signed in.

    Then I do a SCAN which almost always results in all check marks (nothing found). Anything found in the past has been UPDATES not hacks. Then I go back to Blocking and new ones appear as if the hackers KNOW I am signed in. If I click on my user name it always says “You are only logged in at this location” and there are no other users in the list except my HOST support team which never accesses the site unless I ask them to.

    How do hackers know when I am signed in?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support wfmark

    (@wfmark)

    Hi @jp5633, Thank you for reaching out.

    When logged in to the site, could you please navigate to Wordfence> Tools> Live Traffic and confirm whether you see any Traffic entries of the blocked login attempts on this page?

    Brute force login attacks are one of the most common attacks that we see and are normal. We see millions of brute force login attempts per hour on WordPress sites protected with Wordfence.

    Wordfence does all of the important blocking for you automatically so you don’t have to, but if you wish to make your brute force or rate limiting rules a little stricter so that they can’t retry as frequently, for example reducing login failures to 3 or 5 instead of 20, you might find the following links useful to learn some more:

    https://www.wordfence.com/help/firewall/brute-force/ 

    https://www.wordfence.com/help/firewall/rate-limiting/ 

    Thanks,

    Mark

    Thread Starter jp5633

    (@jp5633)

    Hi Mark,

    Thanks for the reply. Under live traffic I see the entries. They vary from those attempts ending in wp-login.php to xmlrpc.php. Almost all are Human. Some are Blocked by Wordfence Security Network and some are Blocked for Manual Block by Administrator. The later are from the fact that all of the new URLs listed under Blocking I make the block Permanent.

    I made the login failure ‘3’ a few months ago, but thanks for the suggestion.

    Several times attackers tried Password Recovery Method to get in, but were blocked (mostly from using “admin”, but if they try that with the correct User name (which many of them appear to know) can they get a new password and get in?

    Thanks,

    John

    Thread Starter jp5633

    (@jp5633)

    By the way Mark,

    I sign in using C-Panel/Softaculous/Worpress Manager which is automatic. I don’t need the very lengthy password which is blocking everyone else.

    John

    Plugin Support wfmark

    (@wfmark)

    Hi @jp5633, Thank you for getting back to us.

    Brute force login attacks are one of the most common attacks that we see and is normal. We see millions of brute force login attempts per hour on WordPress sites protected with Wordfence. 

     I understand  it’s alarming to see these attacks, but there’s nothing more for you to do since Wordfence is already blocking them and you have Brute Force Protection measures in place.

    Thanks,

    Mark.

    Thread Starter jp5633

    (@jp5633)

    Thanks for helping me with this Mark. I really appreciate it.

    I do trust that Wordfence is blocking brute force attacks. But I am pretty sure hackers know when I sign in and I would like to fix whatever means they are using. Here is how I know.

    The first thing I do when I sign in is go to Wordfence/Blocking. I have dozens and dozens of permanent blocks against URL’s that have attacked.

    But it is the NEW URL’s that concern me. New ones ONLY appear when I log in. If I don’t log in for two days there are no NEW URLs that have been flagged by Wordfence Blocking. for those two days. But When I sign in there are Always new ones that appear with time stamps that match when I signed in.

    Do you see my concern? They know when I sign in and I would like to know where to look to find the flaw.

    Regards,

    John

    • This reply was modified 1 year, 2 months ago by jp5633.
    Plugin Support wfmark

    (@wfmark)

    @jp5633,

    One possible cause is that? you have an antivirus/antimalware program on your computer which is trying to check URLs on your site, or that the email host you use is checking URLs that appear in notifications you receive by email, like the alerts that Wordfence sends when an admin logs in.?

    Could you please  share  a screenshot of the blocks you’re seeing on the Blocking page and on Live Traffic when this happens, so I can take a look and  see if anything else stands out? 

    Be sure to  enable the “Expand All Results” option at the top right of the Live Traffic page, so we can see all the details. Obscure any sensitive information from the screenshots or , send them  to [email protected] and add your Forum username to the subject. 

    For password recovery, even if the attackers  guess the correct username, the site should only send a password reset link to the admin’s own email address, so attackers shouldn’t be able to use it.

    Thanks,

    Mark.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Attacks seem to increase WHEN I am signed into WordPress’ is closed to new replies.