Some idiot at 213.155.4.184 hit all my websites over the last few days trying to login to my blogs. He fired off hundreds of automated requests probing and searching and testing my admin login. Each request had a different password. I use difficult to guess passwords but seeing the attempts was disconcerting.
I went searching and found the Limit Login Attempts plugin. After installing, a new page appears under Settings with a wealth of options:
I’m glad I did install it, it caught the same guy when he hit this blog a few hours later! You should probably install it too.
PS. Matt asked me to explain how I recorded those requests. There is a WordPress plugin that sends an email when a POST request is made but I threw this code into a file and load it with the “auto_prepend_file” directive in my php.ini (saves adding it to every installation of WordPress on my server)
if ( ( isset( $HTTP_RAW_POST_DATA ) || !empty( $_POST ) ) && $_SERVER[ 'REQUEST_URI' ] != '/wp-cron.php?doing_wp_cron' && $_SERVER[ 'SCRIPT_NAME' ] != '/wp-comments-post.php' && substr( $_SERVER[ 'REQUEST_URI' ], -10 ) != '/trackback' && substr( $_SERVER[ 'REQUEST_URI' ], -11 ) != '/trackback/' ) {
mail( "MYEMAIL@gmail.com", $_SERVER[ 'HTTP_HOST' ] . " POST request: " . $_SERVER[ 'REMOTE_ADDR' ], "URL: {$_SERVER[ 'REQUEST_URI' ]}\nPOST: " . print_r( $_POST, 1 ) . "\nCOOKIES: " . print_r( $_COOKIE, 1 ) . "\nHTTP_RAW_POST_DATA: $HTTP_RAW_POST_DATA" );
}
I’d agree, Limit Login Attempts is on my “standard” list of plugins to install.
If possible, I’ll further protect the login and admin areas with HTTP authentication to stop this kind of hammering attack before it even gets to WordPress.
Some dude had a go at one of my sites the other day as well. I killed him with htaccess. This looks cool though, I will look at installing it.
never tot of it! thanks for the info 🙂
Its better to change the default username to something else then admin, that should the trick.
Another vote for adding this to WP core!
Thx for this plugin.
This one should be in basic WP install. It’s really handy.
BTW
What plugin do you use for
*Notify me of followup comments via e-mail?
Thanks 🙂
Check this http://txfx.net/code/wordpress/subscribe-to-comments/. 🙂
So doesn’t this mean that you’re emailing yourself your username and password every time you log in? That seems like a security risk that’s much more likely to be exploited than someone guessing your password at random.
Yup, that’s true but I don’t hit wp-login.php very often so I don’t worry about it.
Yeah, not only that, when any php script is accessed, you get an email. It would be great if this could work for WordPress only.
It’s a dead simple script so it’s really easy with a bit of editing to limit when it sends those emails.
I just block everything from the Ukraine as well as a few other countries. It’s a drastic measure but none of my websites are aimed at those countries anyway.
It’s been unbelievable how much it has reduced all the various crack attempts. Naturally such a measure won’t suit everyone though.
You block entire countries from accessing your website because you have some problems with crackers and spammers?
Nothing on my website is “aimed at those countries” either, but I would never dream of such drastic and completely unnecessary measures. You seriously need to re-evaluate your approach there Robert.
Probably not suitable for everybody. I’ve limited access to wp-login.php and admin.php by adding an IP filter in .htaccess.
yes thats still not the best way to deal with it
Actually, the IP filter works like a charm. I’ve been doing that for a year.
Stupid question alert:
How can I do this:
I’ve limited access to wp-login.php and admin.php by adding an IP filter in .htaccess.
TIA!
Cortney
Another idea is to edit your wordpress database and change the admin username from “admin” to something else. I have done that for my school district’s web site as well as local school sites. So, even if someone happens to know the password, they’ll toss and turn to figure out the username. Then, limit login will hammer it down! 🙂
Thanks for the tip. I went and installed a similar plugin (Login Lockdown) after reading this. I’ve also done what Patrick suggested, and deleted the “admin” user after setting up another admin account with a different name.
Thanks for the heads up and for sharing this useful information!
Btw, I’ve been using a WP plugin called Login Lockdown that can limit a number of unsuccessful login attempts (brute force attacks), I guess it works just like or has the same concept as the Limit Login Attempts plugin that you’re using.
Thanks for the tip Donncha! Using the plugin now 🙂
Hi
Could you go into some more detail regarding the logging of the failed login attempts. I would be interested in knowing if this is happening to me also.
Thanks
Will
Will – just put that code into a file and make sure it’s included. WordPress has a “myhacks” function you could use. (Google it, I don’t have a url at hand)
Cheers Donncha, I’ll look into it further.
Great tip, this should be a default plugin for any WordPress user
You might also want to check out my Login Error Cleanup plugin. It doesn’t tell a user if they got the username or password wrong when they try to login. http://www.planetmike.com/plugins/lec/
where does this plugin store the failed logins? mysql?
i wrote something a while back that limits logins much like this but using eaccelerator.
Thanks for this tip. I isntall this plugin to my media blog. 🙂
Wow, great plugin. fast instal and simple to use. I could write to my media blog of this plugin. Sorry, poor English. 🙂
Brute force protection should be a standard feature of WordPress if you ask me!
I use Login Lockdown, which accomplishes pretty much the same thing — not sure which plugin is better, since I haven’t tried Limit Login Attempts.
Login Lockdown is in my list of standard plugins to use on every WP install. Very similar functionality to Limit Login Attempts from the looks of things.
We should add something like this to core IMO. It’d improve security across the board.
It should indeed be core, isn’t really a massive feature but sure as hell works. Thanks for the plugin link.
Yup, hardening WP/WPMU installs always include changing admin username to something else, plus adding the “login error cleanup” plugin and the “login lockdown” plugin and the htaccess thingy 🙂
Unfortunately I did not have all of the Ukraine firewalled like I mentioned in my earlier comment.
I’ve just had the same IP address trying to bruteforce my blog 3006 times in the past two hours!
He’s blocked this time around though.
Just to be extra paranoid and annoy the bots, I added a http auth login around wp-login.php on my other VPS. This one uses fastcgi which doesn’t support it unfortunately. (Yes, I could do it in a few .htaccess rules but I don’t have the time to dig into that right now!)
Never knew this was not in the core of WordPress. This is a basic feature of authentication system to block access after 3 wrong attempts.
This SHOULD GO INTO CORE !!!!
Somebody performed similar attacks on my blog too, a week ago.
Sad.
It is incredible: today, my blog Journal de Cuba (in french) had been victim of the same attack and by the same IP !!! This idiot from Namibia did 593 unsuccessful attemps to login. This morning I install the plugin, thank you Donncha for the tips.
wow! that is very dangerous.
Have to install the plugin immediately to all my wp blog.
thanks for the alert.
IP Tried to log in as
213.155.4.184 admin (1 lockout)
Same IP at my site. Good i’ve installed Limit Login Attempts when i’ve saw this post.
Thank you Donncha
Add this line to your theme’s functions.php file to hide login error messages:
add_filter(‘login_errors’,create_function(‘$a’, “return null;”));
That way they can’t tell if they got the username or password (or both) wrong.
Guess what? The same guy from the same IP is trying to get into my WordPress too. Detected after installing this plugin.
I had the same issue from 213.155.4.184 hitting me 3,500 times. CPanel also shows this, and allows you to block ips or ip ranges.
Login attempts shoud be limited to prevent any kind of intrusions.
Hi Donncha, I have been using this plugin since you recommended it, and worked fine. Recently, I have been hit by some hacker trying to login simultaneously from multiple IP addresses. This plugin is not so effective in this scenario as each day/time the same clown tries from different addresses, un-stoppable!
Do you ( or anyone else) know of a solution to RESTRICT LOGIN to an IP or IP range, written into .htaccess or something?
I also use your WP Super Cache and Domain Mapping, so it needs be compatible with these too.
Ideas?
After further searching, I found a simple solution and would like to share:
http://money.bigbucksblogger.com/blog-security-htaccess-block/
specifically the section titled
“How To protect Your wp-admin File: Very Secure Method.”
It seems to work fine. I can login to my sites from home IP, no worries, and logging in through an online proxy (other IP) results in a 404 not found. Lovely!
What you reckon Donncha, is this method cool?
Yup, that works. Best thing to do of course is use strong passwords!
Nope, it didn’t work. I am still getting hit from various IPs simultaneously. The .htaccess limits entry to directory wp-admin, but they still access wp-login.php. Is /wp-admin still secure from other IP access even though wp-login.php is being hit? or is there a way to limit access to wp-login.php to only my home IP?
Am I safe???
Just make sure you have a strong password and you’ll be fine. You can use similar .htaccess rules to block access to your wp-login.php too.
Thanks Donncha. I did it, and get 404 page when accessing thru proxy – other IP, so it should work!
For those wishing to do the same, here it is:
(replace 111.111.111.111 with your IP)
Restrict access to wp-admin by IP:
Make a .htaccess file in directory /wp-admin, and include:
order deny,allow
allow from 111.111.111.111
deny from all
Restrict access to wp-login.php by IP:
Add this to .htaccess file in root directory /public_html:
Order deny,allow
Deny from All
Allow from 111.111.111.111
I made mistake, and can’t edit comment.
CORRECTION:
Restrict access to wp-login.php by IP:
Add this to .htaccess file in root directory /public_html:
Order deny,allow
Deny from All
Allow from 111.111.111.111
it is changing the code here???
should be:
Order deny,allow
Deny from All
Allow from 111.111.111.111
sorry mate, delete the last few comments, everytime I put the code and submit comment, the code changes. email me and I can send the proper code for you to post. funny thing the comment box changes the code completely!