brute force attack with same username but different IPs

  • Resolved zm11011

    (@zm11011)


    8 years, 8 months ago

    Hi Over the last few days I have noticed multiple failed login attempts every few minutes and it is through xmlrpc.php

    and they’re all from different IP addresses, from different locations around the world. so It never get blocked or locked out as they are all from different IPs and locations.

    I can see they are trying same username for few days and then other same username for few days. but they are from different IPs and locations every single time.

    Can advise any solution?

    Thanks

    https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Contributor wpsolutions

    (@wpsolutions)

    Does the username they are submitting exist on your system?

    We have the Login Lockdown feature which has a checkbox called “Instantly Lockout Invalid Usernames”. You can enable this and any attempts made using usernames which don’t exist on your site will be locked out.

    If you don’t mind disabling the xmlrpc functionality from your site you can enable the pingback protection feature from the firewall rules. But note the caveat is that by doing this you will affect the operation of things which use xmlrpc such as the wordpress app and Jetpack etc.

    Thread Starter zm11011

    (@zm11011)

    Hi.

    I do want to enable that as real user can make mistake username.

    So there no way to block this other than disabling xmlrpc?

    Thank you.

    Lee

    Plugin Contributor wpsolutions

    (@wpsolutions)

    real user can make mistake username

    For real users you can enable “Allow Unlock Requests” and they can unlock themselves.

    So there no way to block this other than disabling xmlrpc?

    You could also blacklist their IP address but as you said if they are always changing it that might not be as effective.

    I will also have a think about another feature that can be introduced which may help for such situations.

    Thread Starter zm11011

    (@zm11011)

    Hi.

    Thanks for the answer.

    I don’t want to set up allow unlock requests as customer can complain about that even with one typing mistake.

    On my websites, most of attacks are using XMLRPC, sometimes it uses same IPs but so many login requests in very short time. some other cases are trying same user name but different location which I mentioned above.

    I think none of security plug-in can block XMLRPC without disabling XMLRPC at the moment.

    Maybe blocking the certain username would help if someone is trying to log-in with same username for many times.

    Anyway thanks for the help.

    Lee

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘brute force attack with same username but different IPs’ is closed to new replies.