Massive spike in malicious login attempts. A bug??
-
I have been using Jetpack for about a month now. The last time I checked my website stats was a few days ago and it had around 24 malicious login attempts.
I checked just now and it has 7973 malicious login attempts!
I haven’t gotten any notifications from my hosting service provider and Google Analytics isn’t showing anything either.
Could this be a Jetpack error??
-
Malicious login attempts is up to 8303
I’ve tried deleting my admin user and transferring to another user
I’ve tried contacting my hosting service provider and Sitelock but they say they haven’t seen any traffic spikes at all.
I’ve changed my passwords and tried tweaking Jetpack settings and other security related settings.
But malicious login attempts are still climbing at a rate of approx. 125 attempts per hour.
Should I be seriously worried about a dangerous hacking attempt
Or is this a Jetpack error??
Also if these attempts are legitimate, there are no ways to view the IP address for these attempts on the jetpack plugin which I think should be added
Here is the link to my site if you need to take a look at it
I haven’t tracked it over time but I just noticed that on my most visited site Jetpack is reporting to have blocked some 15,000 attempts. So I don’t think you’re being targeted. Either Jetpack changed the way attempts are counted or – in all probability – somebody is just on a brute forcing spree. I tried news-googling ‘wordpress brute force’ and this came up:
If geo-blocking wasn’t such a dirty hack – and difficult to apply to something specific, like logins, not views – I would definitely consider it.
As for added features I wouldn’t hold your breath. Jetpack Protect used to be a separate plugin called BruteProtect which IIRC actually had some stats on the blocked attempts. So when you don’t get any info from JP Protect it isn’t because the feature hasn’t been added but because it’s been removed
That’s not an error. This spike most likely happened because a bot found your site and started hammering your log in form to try to get in. Jetpack’s Protect module then did its job and blocked these attempts. You have nothing to worry about, as the module is there to protect you. The spike in blocked attempts indicates that the module is working properly.
If you’d like, this could be a good time to review the password you use on that site, and make sure you’ve set a strong password. You want to be sure no bot can guess your password right away, before being blocked.
there are no ways to view the IP address for these attempts on the jetpack plugin which I think should be added
Jetpack doesn’t display that information, as there isn’t much you could do with that list of IPs. That list of 15,000 IPs is already blocked from trying to access your site anyway.
If you also use Sitelock, you’re actually really well protected already as the service will also protect you if it detects abnormal behaviour. If it doesn’t detect anything right now, it’s probably because Jetpack blocks the IPs before they become a problem Sitelock has to deal with.
I hope this clarifies things a bit.
Hi,
I’ve posted on another older thread, sorry for the duplicate… Can you tell me why it is that even though all of these blocked login attempts are noted by Protect, the IPs and the attempts are not being logged by the other security plugins I use (for example Loginizer)?
Thanks for the help,
Cathy
I’m not familiar with Loginizer, but a few things may happen here:
- Once a bot is blocked from logging into your site, we don’t let it even try to log in, so Loginizer won’t be able to log its attempts to log in. When Jetpack’s Protect module tells you a new malicious attempt was blocked, it means that this bot won’t even be able to try to log in to your site.
- Jetpack’s Protect module monitors attempts to log in via your site’s log in forms, but also monitors other ways to log in to your site, like the XML-RPC file. This allows it to block bots other plugins may not know about.
I hope this clarifies things a bit.
Thanks for the explanation!
Cathy
Thanks to everyone who replied!
I checked back for about a week and then stopped so sorry if this response is really late (and maybe irrelevant…)
@brokkr Thanks for the info. Since the sudden spike, I installed a plugin that lets me view live traffic and indeed, a certain country was behind most of the login attempts. After New Year’s, the login attempts decreased dramatically, from 125 attempts/hr to approx. 100 attempts/day. Still pretty high, but I’m no longer pulling my hair over it. (country variety has also gone up. About 15 countries regularly attempt logins, two countries the most.)
@jeherve Thanks for the reply. I don’t know how safe SiteLock is if the person operating the system can’t seem to detect any abnormal activities and the program is the only thing that knows what’s going on. I still have no idea how SiteLock works since they could not detect the sudden rise in bot login attempts.
@catonezillion If you get a plugin that shows you live traffic, you’ll see that there are bots that access your login page or try to find valid user names through some type of “/author” variation. I think Jetpack is detecting those attempts because the numbers roughly match up. I don’t know if Jetpack blocks future attempts by the same bot/IP so I use the plugin that shows live traffic to block the IP manually.
It’s not the most fun job, but I log in to my site regularly to manually block IPs that access my login page to see if they try again. And I found that a lot of bots DO return for a second and third attempt. Keep in mind there are also a lot of crawl bots too so don’t accidentally block those. (They don’t ever access the login page so you can tell them apart).
I hope this information helps.
I still have no idea how SiteLock works since they could not detect the sudden rise in bot login attempts.
It might be worth reaching out to SiteLock about it, they might be able to tell you more. You can contact them through this form.
I don’t know if Jetpack blocks future attempts by the same bot/IP
If the IP is flagged, we block all their attempts to log in.
- The topic ‘Massive spike in malicious login attempts. A bug??’ is closed to new replies.
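For readers who want the per-IP view discussed in this thread from their own server logs, the sketch below is an added example (not part of the thread and not Jetpack's code). It counts POSTs to `wp-login.php` and `xmlrpc.php` and `?author=N` lookups per source IP, assuming a common/combined-format access log; the sample lines and IPs are constructed.

```python
import re
from collections import Counter, defaultdict

# Common/combined access-log format: IP, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(method, path):
    """Map a request to one of the login-related categories from the thread."""
    base, _, query = path.partition("?")
    if method == "POST" and base.endswith("/wp-login.php"):
        return "login_form"
    if method == "POST" and base.endswith("/xmlrpc.php"):
        return "xmlrpc"
    # Numeric ?author=N lookups are used to discover user names.
    if re.search(r"(^|&)author=\d+", query):
        return "author_probe"
    return None  # ordinary page views, including crawler traffic

def summarize(lines):
    """Return {ip: Counter(category -> hits)} for login-related requests only."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        kind = classify(m["method"], m["path"])
        if kind:
            per_ip[m["ip"]][kind] += 1
    return dict(per_ip)

def repeat_sources(summary, min_hits=2):
    """IPs with at least min_hits login-related requests, busiest first."""
    totals = {ip: sum(c.values()) for ip, c in summary.items()}
    return sorted((ip for ip, n in totals.items() if n >= min_hits),
                  key=lambda ip: (-totals[ip], ip))

# Constructed sample lines (documentation-range IPs, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [02/Jan/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [02/Jan/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [02/Jan/2016:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410',
    '198.51.100.23 - - [02/Jan/2016:10:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0',
    '198.51.100.23 - - [02/Jan/2016:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '192.0.2.50 - - [02/Jan/2016:10:02:00 +0000] "GET /2016/01/hello/ HTTP/1.1" 200 9000',
    '192.0.2.99 - - [02/Jan/2016:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2800',
]

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for ip in repeat_sources(summary):
        print(ip, dict(summary[ip]))
```

Requests that a login-protection layer rejects before WordPress handles them may still appear in the web server's access log, which is why this can show activity that a plugin running inside WordPress does not record.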