• Resolved bhagerty

    (@bhagerty)


    Some bots are trying to log in to my site regularly. They fail, and I get emails from iThemes about IP addresses being blocked for too many failed logins. So far so good.

    But I’m confused, because I’m using hide backend. I’m now on my third new URL for the hidden backend, and it’s a random 14-character string of letters and numbers. It’s hard for me to believe that someone could be hitting that URL.

    In short, I’ve hidden the backend behind a strong random URL, but it seems like it’s not hidden, because IPs are getting blacklisted for failed login attempts. Is there anything else I can do? Is there some way to check how these login attempts are happening?

    The site URL is: https://www.macphailsa.org

Viewing 5 replies - 1 through 5 (of 5 total)
  • bhagerty, I too have been hit lately (must be the season) with numerous brute force attacks on my sites, one in particular. I’ve used iThemes and Sucuri, with no luck. I’ve tried to block ALL access to wp-admin with an .htaccess file, with a “deny all” to no avail. This is weird! How is this happening?!

    Thread Starter bhagerty

    (@bhagerty)

    I looked at my logs, and a user attempted to log in as user admin (and got banned), per iThemes, and this is the corresponding log entry:

    75.119.200.115 - - [22/Dec/2016:21:03:51 -0800] "POST /wp-cron.php?doing_wp_cron=1482469431.2099940776824951171875 HTTP/1.1" 200 401 "https://www.macphailsa.org/wp-cron.php?doing_wp_cron=1482469431.2099940776824951171875" "WordPress/4.7; https://www.macphailsa.org"

    Another bot/hacker got banned for too many bad login attempts, and these are the log entries:

    37.99.115.144 - - [22/Dec/2016:20:04:03 -0800] "POST /xmlrpc.php HTTP/1.1" 200 604 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
    37.99.115.144 - - [22/Dec/2016:20:04:07 -0800] "POST /xmlrpc.php HTTP/1.1" 200 604 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
    37.99.115.144 - - [22/Dec/2016:20:04:09 -0800] "POST /xmlrpc.php HTTP/1.1" 403 2229 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"

    I’m pretty sure I disabled the xmlrpc stuff. Also, why would these POST entries result in login attempts? They shouldn’t give up the login page, which is supposed to be hidden. I don’t get it.

    In fact, the same thing happens to me and I do not understand it.

    Thread Starter bhagerty

    (@bhagerty)

    This does seem to be XML-RPC stuff, and I think that I had NOT blocked the XML-RPC service. When I went back into iThemes to make sure I totally disabled XML-RPC services, these attacks went away. From some research I did elsewhere, it looks like XML-RPC allows people to try to log in to your site even if you have hidden your backend. So hiding the backend is not enough to prevent brute-force login attempts; you have to disable XML-RPC entirely.

    Hi,
    Thanks for the info, bhagerty.
    That’s right, I’ve since disabled XML-RPC (before typing here) and it seems to work.
    Best regards.
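
An added example, not part of the original thread or of any plugin's code: a short Python script for the question raised above of how the login attempts are arriving. It tallies POSTs to `xmlrpc.php` and `wp-login.php` per client IP in a combined-format access log. The sample lines, their IP addresses and the function names are constructed for this example.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Endpoints that accept WordPress credentials. Per the thread, hiding the
# backend does not cover xmlrpc.php.
AUTH_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}
# Logs pasted through forum software pick up curly quotes and en dashes.
PLAIN = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2013": "-"})

def auth_posts(lines):
    """Return {ip: {path: [status, ...]}} for POSTs to AUTH_ENDPOINTS."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE_RE.match(line.strip().translate(PLAIN))
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # drop the query string
        if path in AUTH_ENDPOINTS:
            hits[m["ip"]][path].append(int(m["status"]))
    return {ip: dict(paths) for ip, paths in hits.items()}

def report(hits):
    """Rows of (ip, path, attempts, blocked), most attempts first.

    'blocked' means at least one 403 was returned. A 200 from xmlrpc.php
    does not mean a login succeeded: XML-RPC faults, bad credentials
    included, are delivered inside an HTTP 200 response.
    """
    rows = [(ip, path, len(codes), 403 in codes)
            for ip, paths in hits.items() for path, codes in paths.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

# Constructed sample lines (documentation-range IPs), shaped like the thread's.
SAMPLE = [
    '203.0.113.7 - - [22/Dec/2016:20:04:03 -0800] "POST /xmlrpc.php HTTP/1.1" 200 604 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Dec/2016:20:04:07 -0800] "POST /xmlrpc.php HTTP/1.1" 200 604 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Dec/2016:20:04:09 -0800] "POST /xmlrpc.php HTTP/1.1" 403 2229 "-" "Mozilla/5.0"',
    '198.51.100.9 – – [22/Dec/2016:21:03:51 -0800] “POST /wp-cron.php?doing_wp_cron=1 HTTP/1.1” 200 401 “-” “WordPress/4.7”',
    '198.51.100.20 - - [22/Dec/2016:21:10:00 -0800] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "curl/7.50"',
    '198.51.100.21 - - [22/Dec/2016:21:11:00 -0800] "POST /wp-login.php HTTP/1.1" 404 1200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, n, blocked in report(auth_posts(SAMPLE)):
        print(f"{ip:15} {path:14} attempts={n} blocked={blocked}")
```

To run it against a real log, pass an open file object to `auth_posts` in place of `SAMPLE`.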

  • The topic ‘Hide backend seems to work, but I still get messages about failed login attempts’ is closed to new replies.