• beeeerock

    (@beeeerock)


    I have modified my settings to eliminate the admin account. Of course the spammers out there don’t know that and keep trying to find their way in via ‘admin’ login. Is there some way to automatically have the IP of an admin login attempt added to the ban list? I’ve got 1200 attempts in my logs in the last few days… so many I have to wonder if the login limit and lockout settings are working!

    https://www.ads-software.com/extend/plugins/better-wp-security/

Viewing 9 replies - 16 through 24 (of 24 total)
  • Handoko

    (@handoko-zhang)

    I’m not very sure but I don’t think it is a good idea.

    By not letting them to login, it’s means we keep them outside. But if you give them a lowest account named admin for the login purpose, it means they are allowed to go inside even it does have lots of limitations on that account. After logged in, they might able to study the website if there is any weaknesses, misconfigured permissions, etc. So it could be very dangerous, so I will say, it will be better to keep them outside.

    Is there any down side to having an account for “admin” which has no powers?
    Any misconfigured permissions or security bugs (if it exists in WordPress) can be a surprising bonus for hackers but a nightmare for the site owner.

    Ah, I’m not advising using an insecure password on the account. If anything, you want to use a ridiculously secure password for the “admin” account. But the way that Better WP Security works, it will only lock out users WITH an associated account. therefore in order to lock out the hackers trying to access the “admin” user – you have to have an “admin” account for them to be locked out of.

    I actually went ahead and created this subscriber “admin” account on my install and within 2 minutes the “admin” user was locked out for 24 hours. No more login attempts will be permitted for the admin user today. Call me crazy, but I think this works.

    Just make sure to use a very long and secure password with numbers letter symbols etc. for the “admin” user. That way they will (hopefully) never guess it.

    Handoko

    (@handoko-zhang)

    Unfortunately if the brute force hackers truly do have 90,000 machines to do their bidding, banning even a few thousand of them does nothing. I too wish there was a way to block people trying to access accounts which do not exist.

    We do not need to manually ban them. The plugin can be configured for automatically banning the bad logins.

    Actually, I ever had same thought with your idea some months ago. But why bother, now the plugin is and will automatically block and ban bad login visitors for me.

    Perhaps, what you’re doing is really have some good points. Please report back the results regularly, I’m curious to know.

    I’m having exactly the same problem.

    It would be nice to know if this is working out for you (creating an admin user low on permissions with a secure password)

    Mine has blocked over 3500 attempts in the last half hour on the admin username. I would love to autoban the second they try this username.

    Thread Starter beeeerock

    (@beeeerock)

    I use WordFence in parallel with Better WP Security. It can be configured to lock out admin attempts.

    Handoko

    (@handoko-zhang)

    Better WP Security can be set to make it autoban login attempts (without using an admin account):
    1. Goto menu > Security > Login Limits > turn on Enable Login Limits
    2. Set both Max Login Attempts Per Host and Max Login Attempts Per User low
    3. Set both Login Time Period (minutes) and Lockout Time Period (minutes) high
    4. Turn on Blacklist Repeat Offender
    5. Set Blacklist Threshold low

    A good example:
    – Enable Login Limits: on
    – Max Login Attempts Per Host: 3
    – Max Login Attempts Per User: 5
    – Login Time Period (minutes): 20
    – Lockout Time Period (minutes): 60
    – Blacklist Repeat Offender: on
    – Blacklist Threshold: 3

    A tight configuration example:
    – Enable Login Limits: on
    – Max Login Attempts Per Host: 2
    – Max Login Attempts Per User: 3
    – Login Time Period (minutes): 30
    – Lockout Time Period (minutes): 180
    – Blacklist Repeat Offender: on
    – Blacklist Threshold: 1

    I have the same issue with Better WP security.
    I don’t have the admin account but I get 10’s of attempts to login every day.

    It would be a good idea to add a “ban specific users” even if they don’t exsist .

    I would start with admin, administrator and the name of the site.

    So aft a little searching I found that Wordfence actually does ban any user who tries to access a user that doesn’t exist. I had added in fake Admin and Administrator accounts, which do work, but this is am more elegant solution. Plus it never needs updating as bots try new usernames.

    https://www.ads-software.com/plugins/wordfence/

Viewing 9 replies - 16 through 24 (of 24 total)
  • The topic ‘How to ban admin logins?’ is closed to new replies.