Massive Hit from – over 50 IP Addresses

I’m getting slammed to. Over 150 email confirmations within 30 minutes telling me of ip addresses trying to access login. But the ip addresses in the emails cannot be found in wordfence login attempts. I set my security to high level. Hopefully this will stop the bums.

Looks like it has stopped. At least I hope so. This is nuts!! With all that talent, they decide to destroy instead of building up. What a shame and waste.

It slowed down for awhile, but it’s back in full force now. I’ve turned notifications down to 1 per hour because they were coming in about every couple seconds. The IPs are so varied, it seems like this might be a case where trojans on people’s computers might be doing the attacks. There is no way we can block so many IP addresses.

Well I know for sure I don’t have any trojans in my computer. Once I block those ip locations and full range, it stopped. Glad I have the pro version or this would’ve took forever blocking bots.

I didn’t mean you had a trojan, I mean lots of other people do and the hacker is able to control their computers to launch this attach. I don’t know that much about it, but I know it can be done. And the variety of IP addresses is what suggests to me that that is what is happening.

So what range of IPs did you block. I see far to big a range to block without locking out some of my own people.

All my emails say: Used an invalid username ” to try to sign in. Is that what yours are saying also?

I’ve cut way down on login attempts by blocking the login page with .htaccess. I added this bit after the Wordfence section of .htaccess

<Files wp-login.php>
order deny,allow
allow from xx.xx.xx.xx
deny from all
</Files>

The xx address is my home IP address. If there are others who need access, I insert additional “allow from” lines with their IP addresses.

Oh no Colleen, I wasn’t implying you saying i had trojans, that was just a voiced thought of mine. ??

Yes, it said the same as yours, however, in the settings it also showed me if they were trying to access the admin page in the login area. They only person who should be accessing the admin side login page is me so I immediately blocked their ip range. Then in about 2 minutes after blocking, the pounding stopped.

Thank you sdayman for sharing the code to place in my .htaccess page. Big help!

@sdayman – Thanks for sharing that .htaccess idea. Going to try that right now. My site been under attack for the past 40 hours and the log of attempted logins and newly blocked IPs is ridiculous.

@colleen & @kwd – From additionally using ThreeWP Activity Monitor I’ve discovered attackers also be trying to log in via IP addresses that WordFence doesn’t block (whitelisted, internal, IPv6), so sdayman’s suggestion looks really good to me.

Getting attacked again! I also installed BruteProtect just as an added security measure. They are trying to use domain names now. I also made sure to check immediately block wrong user names. Placed site on high security. Hopefully they will get tired of trying my site and move on.

I’ve blocked the wp-login.php page via .htaccess and will see how that works. I have a member login page for subscribers that seems to use a different URL for logging in, so I’m hoping my .htaccess block will not affect my subscribers trying to login. If it does, I’m back to square one because I can’t lock out my members. I’ve created a temporary user account. Would one of you go here: https://www.olympiacameraclub.org/member-login/ and try to log in and then let me know your results. Username and password both ‘test’. Thanks

@colleen – I was able to go to your link and log in successfully as test. I got the ‘you are now logged in’ message.

@ Kikilin: thanks. That is good news! The login attempts have also now stopped, so I guess the .htaccess method worked. So happy!! I’m deleting the test account now.

Colleen

My site was under attack for over 48 hours, and has finally stopped. I’m glad I have WordFence to help alert and protect. I tried the htaccess solution sdayman suggested, but it had no effect. I must have done it incorrectly or my hosting service overrides my htaccess file. I also installed BruteProtect, as kwd mentioned it. I saw no immediate change, but 10 hours after install my attacks have stopped. I don’t know why the attacks have ceased but I am very relieved.

Just an FYI about the code @sdayman provided…. if your ISP ever changes IPs for your internet service, you’re going to be stuck and blocked from your own site, and you’ll need to hit up your web host to have them change it for you. Some ISPs change the IPs frequently, and others may change only once or twice a year. Unless you have a dedicated IP address and you’re 100% absolutely certain it isn’t going to change, that type of htaccess file is a bit risky in that regard.

But if we can FTP into our site and change our own .htaccess file, then there should be no problem.