How to find "passed"

I had a similar occurrence yesterday morning about 2:00 my time, from a Russian IP (supposedly). My site spammer history showed the following line:

2014/03/04 02:28:28 — 94.185.85.44 ‘my user name’ /wp-login.php passed

No other activity was recorded (i.e. the IP wasn’t whitelisted), or noted on site, I’ve changed my password of course, but I’m now concerned they may have gotten in with my password and left behind malicious code.

My question – can one presume from that Spammer History log item that someone has successfully logged in or is it possible to spoof the plugin somehow??

Thanks and sorry to hear you’re ‘retiring’! Thanks for an excellent plugin!

You know what, I think potentially I was misreading the data, I’ve just now received the following three log-in attempts:

2014/03/05 09:13:01 — 5.157.55.184 felishav79 /wp-login.php passed
2014/03/05 09:19:48 — 5.157.55.2 candelariaven /wp-login.php passed
2014/03/05 09:34:31 — 5.157.36.171 jadabeeby /wp-login.php passed

None of those users exist on my site and what I thought was a log in with my user name upon closer inspection has a dash in the name where my user name has none. Obviously they’re just random attempts.

Apologies for wasting your time.

If the user passes it does not mean that they were able to log in. It just means that they passed the spam test.

Without a password they cannot log in, even it they do not appear to be spammers.

If a user logs in, it used to be possible for them to change their display name to include some javascript to hide the user, but I think that the data is now “sanitized” by WordPress so this can’t happen anymore.

I have a plugin called “Threat Scan Plugin” that will at least tell you if there is any javascript in the table. This plugin is not user friendly (more like user antagonistic). This would require that you go into the table to edit the fields if you found anything.

Keith

‘Antagonistic Plugin’ is a scary thought.

The plugin Wordfence is installed on all of my sites and has worked well. There are several options for setting the level of protection you want.

Basically my approach is always create a new administrator user name (which does not match the displayed name), then delete the old ‘Admin’ account. Wordfence allows you to set how many times a user can attempt to log in using a non-valid user name (on sites where I’m sole admin this is set to 1). The result is that their IP is blocked for a period of time that you can set.

Nearly 98% of the time the jerks use ‘admin’, which means they are immediately blocked. What I’ve noticed is that the first failed attempt is followed by a series of attempted logins from a variety of IP addresses–all of which are blocked.

Wordfence recently added a caching program. Actually there are two different versions of caching; one fast and the other really fast.

BTW I’m only a user of Wordfence and have no association with them.

I looked a Wordfence and it has some excellent features and programming. It does a lot of stuff that I decided not to do because I wanted to keep Stop Spammers from using too many resources. I could not run Wordfence on some of my sites without getting a 500 error because the plugin used up all the memory, or took too long to process.

If the programmers would start breaking it up into smaller chinks and only loading what they need when they need it, the plugin would be a big hit.

Keith