beltanconsultancy
Forum Replies Created
No, I do not have any cache plugins on my site.
I did not clear the browser cache but I get different results from using either the rename login option or the cookies option. As a test I went back in and switched back to Cookies Based Brute Force Login. Logged out, closed browsers etc. Opened the site up again and went to wp-admin and it redirected me to the login page which was a weird URL of https://www.mysite.com/wp-login.php?redirect_to=http%3A%2F%2Fwww.mysite.com%2Fwp-admin%2F&reauth=1
If I go to wp-login.php it shows me the exact URL of https://www.mysite.com/wp-login.php and I have the normal login box with the captcha question included. This is all with the Cookies Based Brute Force Login enabled.
I changed back to the renamed login page option instead of cookies based. I have just logged out of my WP site, closed all browser windows, reloaded website. I now get a 404 error on both wp-admin and wp-login.php pages. I used the renamed login page URL and managed to log back in.
Is wp-login.php needed?
I can see at the bottom of my posts that there is a “You must be logged in to post a comment”. If you click the link it takes me to my renamed login page URL so how does that make it secured if anyone can click the link and see my custom renamed login page URL? Or is that how it’s supposed to work?
Well I can go to the wp-login.php page URL and I have the brute force option on as recommended.
It seems as though by enabling the WP Settings > Brute Force > Login Form Captcha Settings option that it only enables a captcha on the wp-admin page and not the wp-login.php page.
These are the files listed in the Filesystem Security and I cannot see which one would protect wp-login.php. All these are green and say No Action Required.
Root directory
wp-includes/
.htaccess
wp-admin/index.php
wp-admin/js/
wp-content/themes/
wp-content/plugins/
wp-admin/
wp-content/
wp-config.php
Yes I am running WordPress 4.2.2 and the plugin version is v3.9.6
I haven’t had any further notifications since renaming the wp-login.php page. So I am assuming that was the page they were trying to login using. How do I protect that page from brute force attack?
I have a custom URL for my WP console login which I did through the plugin but the wp-login.php page on my site is still the default URL and it has no captcha on it etc so I’m assuming this is the page that these login attempts are being made from.
The plugin allows me to create a custom URL for wp-admin but not for wp-login.php
I have just gone into FTP and renamed the wp-login.php page and I will see if the notifications cease.
Yes it is all setup and says no action required.
I’ve just found that the wp-login.php page is visible. I am assuming this is the page they are using for this attack.
How do I block that page? Or are they using the login as part of the comments feature to do this?
I have tried the cookie based option and turned it on. Still getting the notifications. I’m getting one every 3-5 minutes.
I had not run the scanner before so it’s done a scan to use for comparison.
No, I do not have this option enabled.
I renamed my login page AGAIN and the notifications stopped for about 6 minutes and then started again.
How are they finding my custom login page URL?
Forum: Fixing WordPress
In reply to: Malicious content issue: How to find it?
Just an update..
I’ve received an email from Google this morning advising that my site has been scanned and does NOT contain malicious content and my ads have been reinstated.
So very frustrating but at least I know that my site is actually ok and thankful that I didn’t just delete and start over.
Thank you to Tara and Andrew for your assistance.
Forum: Fixing WordPress
In reply to: Malicious content issue: How to find it?
I hope that made sense in the right way.
I have an IT background and when I encounter a virus infection on a computer, an antivirus program will scan, identify the infection and advise if it can be removed or I can take the steps to identify the type of infection and how it can be removed (if at all), how the infection occurred and then I can begin to rebuild the machine and patch the hole that allowed the virus in originally and restore the data.
So far no product has confirmed that my site contains malicious content and that is what I’m after, something that will confirm that before I proceed with the long winded task of recovering my site (which will be the first time I’ve had to do this as I’m only just coming up to 1 year using WordPress so it’s all a bit daunting).
Forum: Fixing WordPress
In reply to: Malicious content issue: How to find it?
Yes I agree Andrew, but I’m after something that can confirm that yes I have malicious code and so far nothing has confirmed it. I’ve done a dozen or so scans today using web based scans and even downloaded several plugins and run scans and nothing has come up confirming that yes I have malicious code. I’ve been working on this for the best part of 11 hours and nothing.
Surely Google have scanned my site somehow and it has said I have malicious content somewhere so why can I not find a product that will confirm the same and give me a little more detail about what I’m dealing with before I embark on a full recovery of my site?
Is the code in my posts, is it part of a plugin, is it part of a page, was my password hacked, I have no idea at this stage so even after doing a restore I wouldn’t know where I need to “plug the hole” so to speak and what content would be ok to restore as it is..
I’ve checked Google Webmaster Tools, it’s showing my site is fine and does not contain suspicious content. I’ve used the Google Safe Browsing Diagnostic Page and again it came back all fine. I used the Sucuri scanner at https://sitecheck.sucuri.net/ and it came back with an issue of no Website Firewall found. I installed one and it still gave me the same result (obviously because it wasn’t the Sucuri branded firewall). It also said my website was outdated stating “Outdated Web Server Apache Found”. I spoke with my hosting provider and they said the server is fine and they’ve had no issues with hacking or malicious code on the server. The Malware portion of the scan came back with no issues.