• Resolved chrissmit

    (@chrissmit)


    Hi,

    I keep getting the occasional, but too frequent email from Wordfence (sent from my site so it seems), that someone with admin rights, using my username has logged in from a location that I’m not (I’m in Europe, this login seems to be from San Francisco).
    I’ve already changed my password.

    But…
    This email from Wordfence always ends up in my Gmail Spam box. Even though I’ve marked it several times as non-spam.

    Could this be spam or is it a real threat?

    thx

    https://www.ads-software.com/plugins/wordfence/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hello chrissmit,
    it doesn’t seem like spam. Are you sure that the login was successful or was it just an attempted login? Are you using any remote service to access your WordPress installation? Have you given any external applications access to your WordPress installation?

    Thread Starter chrissmit

    (@chrissmit)

    It does say on my WP admin side that I’m the only one logged in.

    I’m using a free CDN from cloudflare that could possibly explain the location difference.
    Could this be true?

    thx
    Chris

    Hello Chris,
yeah it could be. Have you tried doing an IP lookup on the IP that is supposed to have logged in? You can start by putting it in Wordfence's “WHOIS Lookup” and see if anything in the results rings a bell.

Look at the headers of the email. Most likely it is appearing in your spam box because Google thinks it’s not legitimate. Verify the headers to determine if it is real or not. If so, you have a big problem of someone gaining access to your site. If it’s fake, then no problem.

    Gmail, Open email, More (next to reply button), Show original.

If you don’t know how to read it, compare it with a known legitimate email from Wordfence or from your WordPress. You should be able to figure out what is going on. Every server adds on a header at the TOP. The first server is the last “Received” line, just above the FROM and TO. So you should see that your server generated it, and submitted it to the next server in the chain until it got to Google.

    For instance here are parts of an email from paypal to me @ gmail.

    Delivered-To: *myemail*
    Received: by 10.79.134.68 with SMTP id i65csp854885ivd;
            Sun, 26 Jun 2016 18:52:18 -0700 (PDT)
    Received: from mx0.slc.paypal.com (mx0.slc.paypal.com. [173.0.84.225])
            by mx.google.com with ESMTPS id w64si23116634pfb.137.2016.06.26.18.52.18
            for <*myemail*>
            (version=TLS1 cipher=AES128-SHA bits=128/128);
            Sun, 26 Jun 2016 18:52:18 -0700 (PDT)
    Received: (qmail 4702 invoked by uid 993); 27 Jun 2016 01:52:17 -0000

    This means paypal is running qmail. Their system generated the email and submitted it via qmail. Paypal’s MX server (173.0.84.225) connected to gmail’s mx server (mx.google.com) and submitted the email. That server sent it to an internal server at 10.79.134.68 which dropped it into my mailbox.

If it is legitimate, the email should be generated by your server, sent via your configured SMTP server (before Gmail), and should look the same as any other known legitimate email from your server.

    Cory
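The header walk Cory describes, as an added example that is not part of this thread and not Wordfence's or WordPress's own code: it parses the Received headers of a raw message, lists them oldest-first (the last Received line is the first hop), pulls the `from` host, its bracketed IP and the `by` host out of each hop, and checks whether the first named host belongs to the domain you expect. The first sample is the PayPal fragment quoted above with placeholder From/To/Subject lines added so it parses; the second sample, with its hostnames and addresses, is entirely constructed. The regexes are a heuristic for common Received formats, not a full RFC 5322 parser.

```python
import email
import re

# Constructed sample 1: the PayPal header fragment quoted in the post above,
# with placeholder From/To/Subject lines added so it parses as a complete message.
PAYPAL_SAMPLE = """\
Delivered-To: myemail@example.invalid
Received: by 10.79.134.68 with SMTP id i65csp854885ivd;
        Sun, 26 Jun 2016 18:52:18 -0700 (PDT)
Received: from mx0.slc.paypal.com (mx0.slc.paypal.com. [173.0.84.225])
        by mx.google.com with ESMTPS id w64si23116634pfb.137.2016.06.26.18.52.18
        for <myemail@example.invalid>
        (version=TLS1 cipher=AES128-SHA bits=128/128);
        Sun, 26 Jun 2016 18:52:18 -0700 (PDT)
Received: (qmail 4702 invoked by uid 993); 27 Jun 2016 01:52:17 -0000
From: service@paypal.com
To: myemail@example.invalid
Subject: constructed example

body
"""

# Constructed sample 2: the From: line claims to be a site's alert address, but the
# first external hop is an unrelated host (all names and addresses hypothetical).
FORGED_SAMPLE = """\
Delivered-To: myemail@example.invalid
Received: by 10.79.134.68 with SMTP id abc123;
        Mon, 27 Jun 2016 03:00:00 -0700 (PDT)
Received: from mail.unrelated-host.invalid (mail.unrelated-host.invalid. [192.0.2.10])
        by mx.google.com with ESMTP id xyz789
        for <myemail@example.invalid>;
        Mon, 27 Jun 2016 03:00:00 -0700 (PDT)
From: wordfence@mysite.invalid
To: myemail@example.invalid
Subject: constructed example

body
"""

HOST = r"[\w-]+(?:\.[\w-]+)+\.?"  # hostname or dotted IPv4, optional trailing dot
FROM_RE = re.compile(r"\bfrom\s+(" + HOST + r")", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(" + HOST + r")", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Received headers oldest-first, each unfolded onto a single line.

    Every relay prepends its own Received line, so the message's last
    Received header is the first hop: the server that generated the mail.
    """
    msg = email.message_from_string(raw)
    headers = msg.get_all("Received") or []
    return [" ".join(h.split()) for h in reversed(headers)]


def describe_hop(line):
    """Extract the 'from' host, its bracketed IP and the 'by' host from one Received line."""
    m_from = FROM_RE.search(line)
    m_by = BY_RE.search(line)
    m_ip = IP_RE.search(line)
    return {
        "from": m_from.group(1).rstrip(".") if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1).rstrip(".") if m_by else None,
    }


def origin_host(chain):
    """First host named in the chain, walking oldest-first.

    A hop's 'from' host sits earlier in the path than its 'by' host, so it is
    checked first. Local-injection lines such as qmail's name no host and are skipped.
    """
    for line in chain:
        hop = describe_hop(line)
        if hop["from"]:
            return hop["from"]
        if hop["by"]:
            return hop["by"]
    return None


def origin_matches(raw, expected_domain):
    """True if the server that introduced the message is in expected_domain."""
    host = origin_host(received_chain(raw))
    if host is None:
        return False
    return host == expected_domain or host.endswith("." + expected_domain)


if __name__ == "__main__":
    for name, raw, domain in [("paypal", PAYPAL_SAMPLE, "paypal.com"),
                              ("forged", FORGED_SAMPLE, "mysite.invalid")]:
        chain = received_chain(raw)
        print(f"== {name} ==")
        for i, line in enumerate(chain, 1):
            print(f"hop {i}: {describe_hop(line)}")
        print("origin:", origin_host(chain), "matches", domain, "->", origin_matches(raw, domain))
```

Only the hops added by servers you trust (your own mail server and the receiving provider) are reliable; anything earlier in the chain was written by whoever submitted the message, so the comparison that matters is the one Cory suggests: the first hop of the suspect alert should look exactly like the first hop of a known-good email from the same site.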

    Thread Starter chrissmit

    (@chrissmit)

    Yes, I’ll check out the “original” email and the IP address as well.

    Thanks for the help so far.

  • The topic ‘WordFence alert email about Admin login’ is closed to new replies.