Hi, I have IP-restricted my wp-admin page (so only my IP can access it), but I’m still getting WF notifications that someone has tried to log in using the wrong username.

    Is it possible to know ‘where’ the attempt is being made on the website? The notifications give info about whom and the IP of where they are, but not the point of attack within the website.

    H

Viewing 7 replies - 1 through 7 (of 7 total)
Hi howiehwbd,
    May I know how exactly you limited access to the wp-admin page? What about accessing wp-login.php directly?

    There are two options here that should be helpful in this case, both under (Wordfence > Options => Login Security Options): “Immediately lock out invalid usernames” and “Immediately block the IP of users who try to sign in as these usernames” (in case you have a list of these usernames).

    Note that if you activate the “Immediately lock out invalid usernames” option, there is a risk of some normal users getting locked out by mistake because of a username typo while they are trying to log in to your website.

    Thanks.

    Thread Starter howiehwbd

    (@howiehwbd)

    Hi wfalaa

    Thanks for getting back to me.

    I have used htaccess to restrict access to wp-admin, wp-login, etc… to just my IP.

    I’m therefore assuming that no one but me can access the WordPress login page.

    But I’m still getting WF notifications that ‘adm’ was tried as a username. I have already ‘banned’ the use of ‘adm’ in WF.

    Once I had restricted access to the WP login page – I was therefore curious as to why hackers are still able to attempt a login?

    ———————-

    This then has caused me to think:
    – When WF sends me a notification that a hack was perpetrated, can WF tell me which page was being ‘affected’? i.e. was it /wp-login.php?….
    OR was it another login access point (I have one from a guestbook plugin)… there is a username/password form, and this is on /guestlogin/ (URL for illustration only).

    Can I determine which of the two is having the attempted hack?

    regards
    H

    Answering your question about the source of this login attempt, I’m thinking of two possible ways to find out:
    – Wordfence “Live Traffic”: you can filter the traffic by “Logins and Logouts” and watch for entries there.
    – Your server access log: I think it should have much more information about these attempts.

    Aside from (wp-admin, wp-login.php) some attacks target xmlrpc.php file, which you can block if you aren’t using any WordPress application that makes use of this file. (Desktop apps for WordPress publishing like “Windows Live Writer” must use this file).

    Also, I should mention that blocking /wp-admin/ may cause problems with some plugins/themes; make sure you whitelist your host’s IP address for this file specifically: /wp-admin/admin-ajax.php

    Thanks.
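    The reply above points at the server access log as the place that records which page an attempt actually hit. The script below is an added example for this thread (not Wordfence’s code, and not something either poster wrote): it parses Apache “combined” format log lines and sorts credential POSTs by endpoint, separating hits the web server refused with a 403 (an .htaccess deny fires before PHP runs, so Wordfence never sees those) from hits that reached WordPress through xmlrpc.php or a plugin’s own login form. The log lines, IP addresses and the /guestlogin/ path are constructed for the example; the assumed .htaccess rule set is a deny on /wp-admin/ and wp-login.php, as described in the thread.

```python
"""Triage login attempts by endpoint from an Apache "combined" access log.

Added example for this thread; it is not Wordfence code. Wordfence runs as
PHP, so an .htaccess deny (HTTP 403) on wp-login.php/wp-admin stops those
hits before Wordfence sees them, while POSTs to xmlrpc.php or a plugin's
own login form still reach WordPress and can trigger lockouts.
The log lines and IPs below are constructed for the example.
"""
import re
from collections import Counter, defaultdict

# Apache combined format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Assumption: the poster's .htaccess denies everything under /wp-admin/ plus wp-login.php.
HTACCESS_COVERED = re.compile(r"^/(wp-admin/|wp-login\.php$)")

# Endpoints WordPress (or a plugin) accepts credentials on. /guestlogin/ is the
# poster's illustrative plugin-login URL, not a real WordPress path.
CREDENTIAL_ENDPOINTS = {
    "/wp-login.php": "core login form",
    "/xmlrpc.php": "XML-RPC (wp.getUsersBlogs, system.multicall); not covered by a wp-login/wp-admin deny",
    "/guestlogin/": "plugin login form (illustrative)",
}

# Constructed sample log: one attacker hits wp-login.php (refused) then xmlrpc.php (accepted),
# a visitor uses the plugin form, and a theme's admin-ajax.php call is broken by the deny.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Oct/2016:13:15:31 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Oct/2016:13:15:33 +0000] "POST /xmlrpc.php HTTP/1.1" 200 431 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Oct/2016:13:15:35 +0000] "POST /xmlrpc.php HTTP/1.1" 200 431 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Oct/2016:13:16:02 +0000] "GET /guestlogin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Oct/2016:13:16:09 +0000] "POST /guestlogin/?redirect=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Oct/2016:13:16:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 199 "https://example.com/" "Mozilla/5.0"
192.0.2.10 - - [15/Oct/2016:13:17:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or return None for junk."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    req = m.groupdict()
    req["path"] = req["path"].split("?", 1)[0]   # ignore the query string
    req["status"] = int(req["status"])
    return req

def triage(lines):
    """Classify each request: which login endpoint it hit, whether the web
    server refused it (403, so Wordfence never saw it), and which endpoints
    the .htaccess rules do not cover at all."""
    result = {
        "by_endpoint": Counter(),           # credential POSTs per path
        "by_ip": defaultdict(Counter),      # credential POSTs per ip, per path
        "refused_by_server": Counter(),     # 403s on credential endpoints
        "uncovered": set(),                 # credential endpoints the deny misses
        "collateral": Counter(),            # non-login /wp-admin/ requests the deny broke
    }
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        path, refused = req["path"], req["status"] == 403
        if req["method"] == "POST" and path in CREDENTIAL_ENDPOINTS:
            result["by_endpoint"][path] += 1
            result["by_ip"][req["ip"]][path] += 1
            if refused:
                result["refused_by_server"][path] += 1
            if not HTACCESS_COVERED.match(path):
                result["uncovered"].add(path)
        elif refused and HTACCESS_COVERED.match(path):
            result["collateral"][path] += 1     # e.g. admin-ajax.php used by a theme
    return result

def top_sources(result):
    """IPs ordered by number of credential POSTs, most active first."""
    totals = [(ip, sum(c.values())) for ip, c in result["by_ip"].items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    r = triage(SAMPLE_LOG.splitlines())
    for path, n in r["by_endpoint"].most_common():
        note = " (reached WordPress despite the IP restriction)" if path in r["uncovered"] else ""
        print(f"{n:4d} credential POSTs to {path}: {CREDENTIAL_ENDPOINTS[path]}{note}")
    for path, n in r["refused_by_server"].items():
        print(f"{n:4d} refused by the web server at {path} (never seen by Wordfence)")
    for path, n in r["collateral"].items():
        print(f"{n:4d} non-login requests to {path} got 403: whitelist it or site features break")
    print("top sources:", top_sources(r))
```

    Run against a real log (`triage(open("/var/log/apache2/access.log").readlines())`) the “uncovered” set is the answer to the thread’s question: any path listed there is a login endpoint the IP restriction does not protect, which on a stock WordPress install is xmlrpc.php. The “collateral” counter shows the admin-ajax.php breakage the reply warns about.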

    Thread Starter howiehwbd

    (@howiehwbd)

    Hi wfalaa

    Many thanks for your reply. I will investigate the xmlrpc.php file.

    and look into whitelisting.

    regards
    H

    Thread Starter howiehwbd

    (@howiehwbd)

    hi wfalaa

    I have looked at Live Traffic and filtered for:

    Filter Traffic : Blocked
    using advanced filters
    Security Event : contains ‘Blocked’
    From 1st Oct to 15th October

    It shows none of the 700+ hack attempts that occurred a few days ago.

    ———–

    If I then try a new filter
    Logins : contains ‘Failed Login: Invalid Username’
    (same date range)

    It also shows NO results
    – yet my email inbox shows 700+ attempts.

    ————

    What I’m trying to do is find the matching block/event that my email notification is showing within Wordfence.
    i.e. someone at 11.32 on Oct 15 was blocked from accessing the site when they used ‘adm’
    – I can’t find this event logged in Wordfence.

    —————-
    I’m also trying to ascertain when I get a notification – just what actual page is this notification referring to?

    —— extract from email sent by wordfence ——-
    This email was sent from your website “XXXXXX” by the Wordfence plugin at Saturday 15th of October 2016 at 01:15:35 PM
    The Wordfence administrative URL for this site is: https://www.xxxxxx.com/wp-admin/admin.php?page=Wordfence

    A user with IP address 178.19.228.31 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username ‘adm’ to try to sign in.
    User IP: 178.19.228.31
    User hostname: nat-178-19-228-31.net.encoline.de
    User location: Erfurt, Germany
    —————————-

    I have tested access to /wp-admin and /wp-login.php
    – neither is accessible… so how come I’m still getting notifications of attempts still going on?

    regards
    Howard

    Hi Howard,
    Two possible reasons for not seeing these entries in (Live Traffic > Locked Out):
    – I can see you mentioned 700+ attempts; together with your regular website traffic, this most probably exceeds the “Amount of Live Traffic data to store” value under (Wordfence > Live Traffic View).

    – As I mentioned earlier, maybe these login attempts aren’t initiated directly on /wp-admin/ and wp-login.php, for example via XML-RPC; check this article for more details about this kind of attack.

    Thanks.

    Thread Starter howiehwbd

    (@howiehwbd)

    hi wfalaa

    Thanks for getting back to me.

    My Live Traffic data limit is 2000.

    Could the fact that there are no matching records within Wordfence or Live View for any of the notifications I have received (even if I filter for date and error/block/event type) be because the attempts are not using an actual page, but the attempt (and execution) is all done within the URL address bar?

    So even if I IP restrict the wp-admin area using htaccess – so that no one can actually ‘land on’ a page … those pages are still ‘actioned’ and Wordfence then fires off a notification. Would that be possible?

    regards
    H

The topic ‘Does WF only monitor the wp-admin login?’ is closed to new replies.