-
Posts
-
Hi all,
I seem to see quite a few login attempts looking at my Wordfence logs. They look like actual authentic usernames but not registered on my site. Is it possible these come from users registered on other sites that are trying to login using the same username and password. Maybe they got to my site via the Global Search and think they should be able to use the same username and password. Just thought it interesting and thinking out loud.
Thanks
TimHi Tim,
difficult to say. I have IP addresses that try to log in, in regular interwalls with different ‘normal’ user names, these IP addresses I definitively block.Tim,
Wordfence gives you also the IP address for each attempted login. If multiple login attempts are coming from similar IP addresses, you know these are bad guys. Instead of blocking each IP address specifically, you can block entire ranges of IP addresses – small or large ranges.
@lespalenik wrote:
Tim,
Wordfence gives you also the IP address for each attempted login. If multiple login attempts are coming from similar IP addresses, you know these are bad guys. Instead of blocking each IP address specifically, you can block entire ranges of IP addresses – small or large ranges.
yea, I have been watching that and have blocked some that are trying different usernames from the same IP or trying repeatedly “admin”.
I get a number of new registraions every day, but I just ignore them and they can’t leave any spam messages
as far as having logins/passwords across al sites that would require a central database of users and sharing of password info, might cause problems with both owners and users
If you block them on the “login” tab then that is only temporary and will unblock after a certain period. You can permantly block them elsewhere within wordfence – I must have a lot of China permanently blocked by now I think. The only ones I really worry about are the ones that try with real username
http://kerioakimaging.com - trying to reopen
http://nail-art-at.kerioak.com - Art and Nail ArtI’m also getting a lot of what looks like real users trying to log in. I don’t want to ban them because I figure some people might have forgotten on which sites they have registered, and which ones they haven’t.
I have also added an instant ban for anyone trying “Admin/admin”. In addition I’ve set a limit to four incorrect tries and then the IP bans for a day. That is usually enough to discourage stupid wannabe hackers with nothing better to do. They just move onto another WordPress site.
I also get lots of people trying their luck with my own username. On my dot com I’ve just set instant bans for a day as I am the only one who logs into that WordPress installation.
People setting permanent bans are running the risk of losing customers in the long run. Most people are assigned a new IP every time they log on. If they get your banned IP they won’t be able to load your site. Be careful and make sure you really want permanent bans. Rather set the ban for a day or two and then fall away.
Jo
I was about to initiate post and saw this thread , i was away from Internet , may be 1-2 week , system failure and we were travelling , bought new system and back to game now , in last two three days i checked all mail from word fence and found out lots of activity of Admin login attempt grrrr , most of attempts from China and some from Hungary , Wordfence blocked all of them , i will take input from JoRodrigues and i will also set retry limit to some small number.
I get even more on my JoRodrigues.com. It’s like 3 or 4 per day on some days. The one nitwit just kept trying after the ban ran out, or logged off and back on with a different IP. Finally I just banned the whole IP range from there. I must remember to go unban it in a week or so hehe.
I think this is a new WordPress issue. Most twits stop trying when they get an auto ban for 24 hours. My system mentioned above is working well for me so far. They ALL try ‘admin’ or ‘Admin’ first and that is an auto IP ban for 24 hours. Make sure you add in both lowercase and uppercase versions.
Jo
Wordfence notified me today that someone tried 20 times to get into my secondary site. They tried the first 12 times using my email address, but instead of **gmail.com it was **gmail-com, then they tried 8 more times using my login name (don’t know how they found that one, unless they were just really lucky).
Whois lookup comes up in Vietnam.
Like some others having occasional failed attempts isn’t anything new, but trying both with my email address and my login acct name (different than email) appears more like a targeted attack.
Strange times.
The forum ‘Archives’ is closed to new topics and replies.