Hello guys.

    I am running a website with almost 22.000 users at that time. Until a couple of months ago user registration was open because that was the nature of the website.

    It’s been a while (almost a year) that Wordfence is logging successful login attempts for existing users (legit usernames) but from non-legit IPs and all sorts of countries. All these users are Subscribers, so they can’t proceed to do malicious stuff (I think).

    For example, yesterday I noticed an IP from a datacenter in the Netherlands that Wordfence showed had successfully logged in with 5 different usernames.

    All this makes me think that perhaps there is something in my website that can bypass user authentication, or their usernames and passwords have been tampered with.

    Wordfence scans do not show any malware.

    The website is almost fully updated to the latest versions of core and plugins.

    I have disabled XMLRPC.

    Can you please provide me with some suggestions on common practices to detect if there is such an issue?

    Thank you in advance.

    Best

Viewing 4 replies - 1 through 4 (of 4 total)
    Plugin Support wfpeter

    (@wfpeter)

    Hi @zsimaiofgr, thanks for providing those details.

    The first thing that springs to mind with a single IP logging into multiple user accounts is IP detection itself. If this is wrong, legitimately triggered blocks for somebody else may block all visitors including yourself. Take note of your own IP on your main device: https://www.whatsmyip.org.

    Head over to Wordfence > All Options > General Wordfence Options > How does Wordfence get IPs and reference the area under that section that says Detected IPs and Your IP with this setting. See if any of the options there when picked accurately reflect your IP. If one does, don’t forget to hit the SAVE CHANGES button in the top-right after you’re done. Let me know if the option you already had selected was correct.

    I won’t rule it out at this stage, but I think if we were dealing with easily-guessed passwords for these users (such as from a dictionary attack) I’d expect more failed logins first that’d see the IP fall foul of your Brute Force or Rate Limiting settings before it can try again.

    Is XML-RPC entirely disabled on the server or just restricted in Wordfence > Login Security?

    Thanks,
    Peter.

    Thread Starter zsimaiofgr

    (@zsimaiofgr)

    Hi @wfpeter,

    many thanks for the feedback.

    Well here is the “How does Wordfence get IPs” part of my options.

    It correctly reflects my IP.

    Regarding XML-RPC, I have disabled it via .htaccess, not via Wordfence.

    # Block WordPress xmlrpc.php requests
    # Apache 2.2 access-control syntax; on Apache 2.4 this needs mod_access_compat,
    # otherwise replace the three directives below with "Require local"
    <Files xmlrpc.php>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    </Files>

    I must also mention that I have strict settings for brute force login attempts (lockout after 2 invalid tries for a period of one month) and also strict crawling rate limits in Wordfence.

    The other weird thing is that, for example, for the Netherlands datacenter IP I couldn’t find any record in the Apache access log.
    Any ideas?

    Plugin Support wfpeter

    (@wfpeter)

    Thanks for that extra information @zsimaiofgr.

    It does seem strange with IP detection correct and the staggered times on the logins. Do you have the following enabled in Wordfence > All Options?

    • General Options > Check the strength of passwords
    • Brute Force Protection > Additional Options > Enforce strong passwords > Force All Members to use Strong Passwords

    If you didn’t have either of those, running another site scan may flag some or all of the above accounts.

    Again though, the activity from that IP seems unusual, but it’d be quite fortunate to successfully sign in five times with fewer than 2 attempts each without triggering the 1 month lockout. I also appreciate that users haven’t been signing in for some time though.

    I would consider triggering a password change for those users’ profiles or disabling them entirely to see if any further logins (or attempts) are made on others.

    Thanks,
    Peter.

    Thread Starter zsimaiofgr

    (@zsimaiofgr)

    Dear @wfpeter,

    Brute Force Protection > Additional Options > Enforce strong passwords > Force All Members to use Strong Passwords is enabled, but Check the strength of passwords was not enabled. Perhaps their passwords were indeed not strong, because there is the possibility that these users were registered before I installed Wordfence some 1 1/2 years ago.

    I have disabled these users and also blacklisted this IP.

    BUT as I’ve mentioned in my first email, this is something that’s been happening for quite some time now with various usernames and various IP sources. Every time I disable or totally delete the users, but the phenomenon keeps coming back every once in a while. That is why I also did it this time.

    That’s why I am afraid there might be something on my website that bypasses login authentication.

    Is it possible to somehow “catch” it through access logs or Wordfence?
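One way to do the kind of check asked for in the first post and again here, as an added example that is not from the thread or from Wordfence: it correlates Apache access-log lines with a list of successful logins to flag one IP signing in to several accounts, counts wp-login.php POSTs by status (302 redirect = success, 200 = form re-shown, normally a failure; a heuristic, not a guarantee), and lists successful logins whose IP never POSTed to wp-login.php at all, which is the "no record in the access log" symptom. The log lines and the (time, username, IP) login records are constructed sample data, and the tuple layout for the login list is an assumption.

```python
import re
from collections import defaultdict
# Constructed sample Apache combined-log lines (not taken from the thread).
ACCESS_LOG = """\
203.0.113.5 - - [10/Mar/2024:08:01:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4601 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:08:01:33 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:08:02:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
"""
# Constructed successful-login records (time, username, source IP) as you would
# copy them from Wordfence's login log; this tuple layout is an assumption.
SUCCESS_LOGINS = [
    ("2024-03-10 08:01:33", "alice", "203.0.113.5"),
    ("2024-03-10 09:15:02", "bob", "192.0.2.77"),
    ("2024-03-10 09:16:40", "carol", "192.0.2.77"),
    ("2024-03-10 09:18:11", "dave", "192.0.2.77"),
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_log(text):
    for line in text.splitlines():  # yields ip/method/path/status per well-formed line
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def login_activity(text):
    """Per IP: wp-login.php POSTs by status (302 = success redirect, 200 = form re-shown) and xmlrpc.php POSTs."""
    stats = defaultdict(lambda: {"login_302": 0, "login_200": 0, "xmlrpc": 0})
    for r in parse_log(text):
        if r["method"] != "POST":
            continue
        if r["path"].startswith("/wp-login.php") and r["status"] in ("302", "200"):
            stats[r["ip"]]["login_" + r["status"]] += 1
        elif r["path"].startswith("/xmlrpc.php"):
            stats[r["ip"]]["xmlrpc"] += 1
    return dict(stats)

def shared_ip_accounts(logins, threshold=3):
    """IPs that signed in to at least `threshold` distinct usernames (the pattern in the thread)."""
    users = defaultdict(set)
    for _, user, ip in logins:
        users[ip].add(user)
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= threshold}

def logins_missing_from_log(logins, text):
    """Successful logins whose IP never POSTed to wp-login.php: session came via another path (REST, XML-RPC, a plugin) or IP detection/logging is off."""
    seen = {r["ip"] for r in parse_log(text)
            if r["method"] == "POST" and r["path"].startswith("/wp-login.php")}
    return [rec for rec in logins if rec[2] not in seen]
```

Run it against a real access log and a login export by replacing the two constructed inputs; an IP that shows up in shared_ip_accounts and logins_missing_from_log at the same time is the case worth investigating first.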

The topic ‘Many successful logins at accounts from non-legit countries and IPs’ is closed to new replies.