• Resolved ovidiuav

    (@ovidiuav)


    Hi! For the past three months I’ve been getting a lot of failed login attempt emails to the point where I turned off email notifications because they’re driving me crazy. They’re all for users that don’t even exists, except one time about two months ago attempts were made on my actual account, but only for about a couple of days and maybe a dozen attempts. The username changes from time to time from things like “test” to “admin” and stuff.

    The thing is Sucuri doesn’t show me the password tried each time an attempt is made, even though I set it to show me. The “User wrong password” is blank. Also, about a month ago, I added HTTP authentication to my login page, so before anyone can attempt to login to WP, they have to pass through the HTTP authentication. This hasn’t changed anything and I continued to receive emails about failed logins. There could be only 1 one day, 2 the next, then 10, then maybe down to 1 or none. And so on.

    This has been going on for 3 months and it’s getting frustrating. Anyone have any idea if these are actual brute force attacks, or what? What can I do?

    https://www.ads-software.com/plugins/sucuri-scanner/

Viewing 6 replies - 1 through 6 (of 6 total)
  • I suppose that when we cannot see the pw is because the hackers (?) may use some particular brute-force scripts. But is just may plain opinion.

    Thread Starter ovidiuav

    (@ovidiuav)

    Anyone? I don’t get why adding HTTP authentication didn’t work.

    Ma indoiesc ca vei primi un raspuns uficial prea curand. ??

    Ma indoiesc ca vei primi un raspuns uficial prea curand. ??

    The login page is not the only place in WordPress that allows to attempt the authentication of an user account, malicious users also use the XMLRPC interface for that which is more reliable (in some way) than sending requests to the login page.

    You are seeing attempts for non-existing users and empty passwords because the requests are sent by an automated tool that is used only to test if an username exists in a site, nothing more; these attacks are generally multiplied by many websites at the same time, like a fisher trying to get any type of fish with his net, it is very uncommon to see targeted attacks so do not panic if you see hundreds and even thousands of failed login attempts in your logs.

    These attacks are so common that I would be surprised to find a website owner without requests like these in the logs of his website. Sucuri Researchers published an article [1] explaining these attacks some days ago, I encourage you to read it if you want to know more about the matter. If you want to stop these attacks from the root then add a firewall to your stack, here are some options [2] and Sucuri also offers one [3].

    [1] https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
    [2] https://www.google.com/search?q=web+application+firewall
    [3] https://sucuri.net/website-firewall/

    Thread Starter ovidiuav

    (@ovidiuav)

    Thank you for explaining! I read the Sucuri article since I last posted and figured it probably had something to do with XML-RPC. I’ll look into getting a WAF, thanks again!

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Hundreds of failed login attempts’ is closed to new replies.