• Resolved webbistro

    (@webbistro)


    Hi Gregory,

    Can you please explain what it means when the Activity log shows a blocked IP with JUST ‘Local User’ and no ‘Username used’, and the IP is being blocked for an attempt to access wp-login.php?

    ‘Disable automatic redirecting to the login page when /wp-admin/ is requested by an unauthorized request’ and ‘Immediately block IP after any request to wp-login.php’ are set and ‘Custom login URL’ is used.

    Thank you!

    Best,
    -Nadia

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author gioni

    (@gioni)

    Hi!

    The IP address has been blocked by Cerber because it (the user) tried to get access to wp-login.php. What’s wrong?
    Cerber blocks any IP that tries to get access to any of these scripts: wp-login.php, wp-signup.php, wp-register.php (if registration is disabled). It’s a trap for bots and hackers that are probing a website.

    Thread Starter webbistro

    (@webbistro)

    Hi,

    I don’t understand how Cerber knows it was a user of my website. It shows the name, the name has its ID, it’s a real user of my website. I received about 70 notifications in a few minutes about such tries, all from real (and different) users. But if some IP is JUST trying to access wp-login.php (and being blocked for this), how can Cerber know that that IP is a user of my website? How can it know that user ID? He/she did not try to enter any Username, and the time spans speak eloquently that these are bots. I don’t say something’s wrong with Cerber, I just need to understand what this situation means. Thank you!

    Best,
    -Nadia

    Plugin Author gioni

    (@gioni)

    Cerber asks WordPress: does this particular request come from an authorized user? WordPress checks the user’s cookies and replies either “yes sir, this request comes from a logged-in user” or “no, they are not authorized on the website”. You might think that blocking a known user is not a good idea. But we don’t know for sure what intentions that user has. He might look like an ordinary user, but in fact they are a hacker or bot (unlikely).

    Thread Starter webbistro

    (@webbistro)

    Thank you for the explanation. I am just afraid that my users’ data could be compromised. These are all 2-year-old premium users. I don’t believe someone paid for my product 2 years ago to attack my site today. That is why I need to understand how it works.

    Blocking IPs trying to access wp-login.php is just a perfect idea as for me. I am totally happy with it regardless of who is trying to log in this way. Real customers do not need and do not even know about wp-login.php. I seem to have become a huge fan of your plugin, in particular because of this feature.

    So, when someone tries to access wp-login.php, Cerber asks WordPress for cookies, and the cookies look like this IP was previously logged in to my site with a particular ID? I need to understand: can they simply imitate that kind of cookies with some random IDs? A few days ago the wp-login.php requests were empty, then they became ID-tied (but the changes also coincided with the plugin update, so I don’t know what to think). The ID range is about 1-250, and I have more than 3000 IDs at the moment. I guess maybe hackers just try what they think might work for any site? Is this a possible scenario?

    p.s. My debug.log contains some warnings related to your plugin. Shall I post them here or send somewhere privately?

    Best,
    -Nadia

    Plugin Author gioni

    (@gioni)

    If you see any user name in the Local User column, that means that a remote computer has valid authentication cookies and they belong to an existing user. An imitation of authentication cookies is practically impossible. The easiest way to get illegal access to the WordPress dashboard is to steal authentication cookies. They can be stolen directly from the victim’s computer or via sniffing network traffic, for instance in a public WiFi network. Try to google “Session hijacking”. That’s why using HTTPS for critical applications is a must.

    Please explain, what does “ID-tied request” mean?

    You can submit information about warnings via support form: https://wpcerber.com/support/
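
Added example, not part of the thread and not WordPress or WP Cerber code: a simplified Python model of an HMAC-signed login cookie, illustrating the reply above that a cookie naming a guessed user cannot be forged without the server's secret, while a stolen cookie replayed verbatim still identifies its owner. The secret, the field layout, the user names and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed secret; stands in for a per-site secret that never leaves the server.
SERVER_SECRET = b"constructed-demo-secret-not-a-real-salt"


def _sign(username: str, expires: int, token: str) -> str:
    """HMAC over every field the server later trusts."""
    msg = f"{username}|{expires}|{token}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(username: str, expires: int, token: str) -> str:
    """Cookie handed to the browser after a successful login (hypothetical layout)."""
    return f"{username}|{expires}|{token}|{_sign(username, expires, token)}"


def local_user_for(cookie: str, now: int):
    """Return the user a request's cookie proves, or None.

    Models the "Local User" decision: no password or username is submitted,
    the identity comes only from the cookie attached to the request.
    """
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    username, expires, token, mac = parts
    if not (expires.isascii() and expires.isdigit()) or int(expires) < now:
        return None  # malformed or expired cookie
    expected = _sign(username, int(expires), token)
    # Constant-time comparison; a guessed or edited MAC fails here.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    return username


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    stolen = issue_cookie("customer42", now + 3600, "sess-a1")
    guessed = f"customer17|{now + 3600}|sess-x|{'0' * 64}"
    edited = stolen.replace("customer42", "customer17", 1)
    print("replayed stolen cookie ->", local_user_for(stolen, now))
    print("guessed user, fake MAC ->", local_user_for(guessed, now))
    print("valid cookie, name edited ->", local_user_for(edited, now))
```

A cookie that validates therefore means the client holds a cookie the server really issued, which is why transport protection (HTTPS) and expiry matter more than the secrecy of user IDs.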

    Thread Starter webbistro

    (@webbistro)

    Thank you! I’ll do more research, I’d like to get what it was.

    Sorry, English is not my native language, sometimes I invent something incomprehensible in it. I meant that a few days ago both columns “local user” and “username” were empty for IPs blocked for trying to access wp-login.php, so I was calm and thought “it’s just bots”. From some point on, the “local user” column contains local user names, and the “username” column is still empty. So each try to access wp-login.php is now related to some user ID / name (I called them ID-tied). No normal logins from these users, just blocked IPs, sometimes a few different IPs for the same user. This disturbs me.

    I sent PHP warnings via wpcerber.com/support/

    Best,
    -Nadia

    I can also see this behaviour, but something is very strange:
    There was an IP blocked with a local user on December 11. But this user was only created on December 13!

    Plugin Author gioni

    (@gioni)

    Please click on a strange user name in the Local User column to see all the activity that Cerber logged. That should help to find out the answer.

    Don’t forget that:

    1. This column contains the Display Name of a particular user. Sometimes users can have the same Display Name.
    2. Cerber retrieves those names when you open the Activity tab. So, if you change the Display Name for a user, it will also be changed on the Activity tab.

    Plugin Author gioni

    (@gioni)

    Confirm issue. Fixed in the latest stable version: https://wpcerber.com/downloads/wp-cerber.zip

  • The topic ‘What local users mean when blocked for attempt to access wp-login.php’ is closed to new replies.