• Resolved 101010101010

    (@101010101010-1)


    Hi iSec team

    This has been happening for a few versions of iThemes Security.
    I used to get this a lot before hiding the back-end and using a custom login URL.

    Now I have to change my URL every few days to stop the bots trying to log in.

    https://prntscr.com/4k29uz

    They are instantly banned just for using admin as the login name, but any invalid login is an instant permanent ban.

    Now I don’t know if they’re using a bot that’s trying different URL combinations; if so, then the 404 error detection may not be working.

    I know this is the free version’s support and it may or may not get seen or answered. I hope it does, because if this issue gets resolved I’d sure be happy to upgrade!

    Also, when you enable file change detection it messes with the file permissions. I enabled it the other week, but since enabling it our software updater throws a 403 (Forbidden) error with iThemes Security enabled; we have to disable iSec then re-enable it to resolve it.

    Many thanks in advance

    https://www.ads-software.com/plugins/better-wp-security/

Viewing 6 replies - 1 through 6 (of 6 total)
  • The first security measure the admin of any site must take is to have a clean system. If your system is compromised, then no plugin or feature can protect your site’s back-end URL. Use a licensed antivirus on your system and clean any malware or keyloggers running on it.

    If you are sure about that, then add HTTP authentication (an extra layer of protection) to your back end.

    Make sure your theme or any plugin feature is not revealing your admin user ID. Don’t let others find your user info through user enumeration.

    Don’t put your login slug in robots.txt; instead, block rogues using .htaccess or other methods.

    Hope this info helps.

    Thread Starter 101010101010

    (@101010101010-1)

    @*B.V.Ramanarao*

    1) Yes, all our computers and networks are safe and clean, scanned multiple times per day and always up to date, so this is not the issue.

    2) Yes, I tried password-protecting the admin as recommended by the hosting company. However, I showed them the user authentication can be bypassed due to the mechanic in place; not going into details here.

    3) Done and dusted: the only way you can get the URL is if you know it, and many settings were changed to hide the admin user from being found out. Even the post user is removed from search results.

    4) Done.

    The 404 error detection does not seem to be working. I created a test app to test it out myself; it can try many URL combinations until it finds it. However, it’s only set to try URL combinations and check for 404s, without any resistance from iThemes Security’s 404 detection.

    So, like I said, many thanks in advance for the above issues to be solved. Thank you.

    Thread Starter 101010101010

    (@101010101010-1)

    Hi iThemes Security Team

    The attempts have become more frequent.
    https://prntscr.com/4kihti

    Changing the admin login slug has no effect; it appears they may have found a way around the custom login slug and are targeting wp-login.php directly.

    The worst part is the IPs the bots are using are probably from people’s computers that are compromised and infected, so the site most likely is banning regular people.

    Still having the 403 (Forbidden) error on our software updater; disabling and re-enabling iThemes Security now has no effect. However, with iThemes Security disabled our software updater works fine. We have tried everything short of deleting the iThemes Security entries from our database (will as a last resort).

    Do I have to buy Pro to get support for this plugin, or do you provide free support for the free version?

    Thread Starter 101010101010

    (@101010101010-1)

    OK, now I’m kinda puzzled.

    I enabled Away Mode because the bot was making attempts every 60 seconds, trying to brute force with the username admin.

    Now I tried the admin URL and it does not show, so why am I still receiving site lockout notifications from failed logins with admin as the username? Is Away Mode working in WordPress 4.0?

    Why is this bot able to bypass the custom login slug?

    Any help here would be nice.

    I am rather surprised I haven’t gotten a response, because all the times I have had issues with BackupBuddy you guys were straight on it; I’m glad to have bought that plugin. But for iThemes Security, at this stage I am not going to buy Pro, especially if the free version is not working or getting support, and there’s next to no documentation for troubleshooting these types of issues.

    Please help. Many thanks in advance.

    I have the same problem. In the last 24 hours I’ve started to get “attempted a failed login using an invalid username ‘admin’”, even though I have hidden the login page with iThemes Security.

    Thread Starter 101010101010

    (@101010101010-1)

    @horse0

    Go into iThemes Security’s settings and locate the option at the very bottom of the settings page for disabling XML-RPC, and disable it. This will stop the bot from trying to log in; otherwise it will continue to keep going.

    It’s a brute force exploit in WordPress.
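An added example, not from this thread or from the iThemes plugin, of checking a web server access log for the pattern the thread describes: once the login slug is hidden, any POST to /wp-login.php or /xmlrpc.php is traffic that bypassed the slug, and a steady cadence per IP (the poster saw one attempt every 60 seconds) points at a bot. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2014:10:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Sep/2014:10:00:15 +0000] "GET /my-secret-login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2014:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2014:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Sep/2014:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "python-requests/2.4"
192.0.2.9 - - [12/Sep/2014:10:03:30 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "python-requests/2.4"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Login entry points that should see no POSTs once the login slug is hidden.
BYPASS_PATHS = {"/xmlrpc.php", "/wp-login.php"}

def parse_line(line):
    """Split one combined-format line into (ip, timestamp, method, path); None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0]

def find_bypass_attempts(log_text):
    """Per source IP: number of POSTs to hidden login endpoints, the endpoints hit,
    and the mean seconds between attempts (a steady cadence suggests a bot)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path in BYPASS_PATHS:
            hits[ip].append((ts, path))
    report = {}
    for ip, events in hits.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        report[ip] = {
            "count": len(events),
            "paths": {p for _, p in events},
            "avg_interval_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return report
```

Point it at your real access log to confirm whether the lockout notifications come from XML-RPC or direct wp-login.php posts, which tells you whether the XML-RPC switch alone will be enough.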

  • The topic ‘Bots able to bypass custom login slug’ is closed to new replies.