• Resolved rafaelzrt

    (@rafaelzrt)


    Hello.

    Recently I got a website that had been infected by spam; it had hundreds of posts and comments that had been created over a long period. I cleaned the website, changed all passwords (users and WordPress), and checked for issues with the Sucuri Security plugin. It warned me about malicious JavaScript code in my website, which I got rid of.

    In the Audit Logs panel I was able to see that there had been a lot of login attempts that weren’t made by users. The successful logins stopped when I did the clean-up above.

    I also checked with https://www.isitwp.com/wordpress-website-security-scanner/ and it says it is clean.

    My issue now is this: Sucuri says my website is now clean, but I still get constant login attempts (5 per minute) using old usernames (some deleted, some removed from admin) and wrong usernames (“login” and “admin”). The log says the IP is the same as my server’s. So what could be happening? Could I still have some malicious code running on my website?

    I appreciate any suggestion, thank you.


Viewing 2 replies - 1 through 2 (of 2 total)
  • @rafaelzrt

    Are you on a shared hosting plan? If the IP is your server’s, it’s a shared IP. The brute force attempts on your login coming from your own IP sound like another account on your shared hosting server is infected, or the entire server could have been compromised.

    You might want to get with your hosting provider and let them know that there is a brute force attack hitting your site with the IP of the server.

    Also, use a reCaptcha plugin and Limit Login plugin to mitigate brute force attacks. If possible, disable xmlrpc as well. You can also use reCaptcha to prevent spam comments.

    Enforce strong passwords on your users. You can use a plugin if necessary.
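    The advice above (disable XML-RPC, limit login attempts) and the poster’s observation that every attempt appears to come from the server’s own IP can both be handled from a small must-use plugin. The following is an added example written for this thread; it is not code from the thread, from WordPress core, or from the Sucuri/Wordfence plugins. It assumes the site sits behind exactly one reverse proxy with the hypothetical address 10.0.0.1 that appends the real client address to X-Forwarded-For; the address and the lockout thresholds are assumptions you must adjust.

```php
<?php
/**
 * Plugin Name: Harden login (added example, not part of the forum thread)
 * Install as wp-content/mu-plugins/harden-login.php so it loads before
 * normal plugins (Sucuri, Wordfence) read REMOTE_ADDR for their audit logs.
 *
 * Assumptions (not from the thread): one reverse proxy in front of the site,
 * reachable as HARDEN_TRUSTED_PROXY_IP, which appends the client address to
 * the X-Forwarded-For header.
 */

// Hypothetical proxy address; replace with the one your host gives you.
const HARDEN_TRUSTED_PROXY_IP = '10.0.0.1';
const HARDEN_MAX_FAILS        = 5;   // failed logins per IP before lockout (assumed)
const HARDEN_LOCKOUT_SECONDS  = 15 * MINUTE_IN_SECONDS;

/**
 * Resolve the real client address.
 * X-Forwarded-For is only trusted when the TCP peer is the known proxy;
 * otherwise any client could spoof the header and hide behind a fake IP.
 * A client can also send its own bogus X-Forwarded-For, which the proxy
 * then appends to, so the trustworthy hop is the LAST one (added by us).
 */
function harden_client_ip( array $server ): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ( HARDEN_TRUSTED_PROXY_IP === $remote && ! empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        $hops      = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );
        $candidate = end( $hops );
        if ( filter_var( $candidate, FILTER_VALIDATE_IP ) ) {
            return $candidate;
        }
    }
    return $remote;
}

// Rewrite REMOTE_ADDR early so audit logs and the limiter below see the real IP.
$_SERVER['REMOTE_ADDR'] = harden_client_ip( $_SERVER );

// Disable XML-RPC: its system.multicall lets one request try many passwords.
add_filter( 'xmlrpc_enabled', '__return_false' );
// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

/** Transient key holding the failure counter for one client IP. */
function harden_lockout_key( string $ip ): string {
    return 'harden_fail_' . md5( $ip );
}

// Count every failed login per real client IP.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = harden_lockout_key( $_SERVER['REMOTE_ADDR'] );
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, HARDEN_LOCKOUT_SECONDS );
} );

// Priority 30 runs after core's password checks (priority 20), so a locked-out
// IP gets an error even when it finally guesses the right password.
add_filter( 'authenticate', function ( $user, $username ) {
    $fails = (int) get_transient( harden_lockout_key( $_SERVER['REMOTE_ADDR'] ) );
    if ( $fails >= HARDEN_MAX_FAILS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins; try again later.' );
    }
    return $user;
}, 30, 2 );
```

    Once REMOTE_ADDR carries the real address, the per-IP lockout above actually means something; without that step every attacker would share the proxy’s IP and a lockout would block the whole site, which is also why a reCaptcha or Limit Login plugin behind an unconfigured proxy can misbehave.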

    Thread Starter rafaelzrt

    (@rafaelzrt)

    Oh I almost forgot about this post. Thank you for the reply.

    I believe I managed to solve the problem, at least partially. My hosting plan isn’t shared. But my host failed to give me more details about my hosting. At the start they told me there was a proxy on the server that would hide all IPs, and that was why I would always see my server’s IP.

    But I used the Sucuri and Wordfence scans to look for more suspicious files. I removed them all. xmlrpc was indeed a file that was always receiving connections, as the Wordfence Firewall warned me, so I disabled it. After I did this I began to see the real IPs of foreign connections; I’m not sure if it is related.

    The many login attempts stopped for a while, but they still occur on some days, usually trying to log in with the old username that was compromised (I removed it from admin). But now I can see their IPs; they are always different IPs from several countries.

    reCaptcha alone wasn’t stopping spam comments. So I disabled them.

    Thank you for the tips!

  • The topic ‘Constant User authentication failed from server IP’ is closed to new replies.