Some idiot at 213.155.4.184 hit all my websites over the last few days trying to log in to my blogs. He fired off hundreds of automated requests probing, searching and testing my admin login, each request with a different password. I use difficult-to-guess passwords, but seeing the attempts was disconcerting.
I went searching and found the Limit Login Attempts plugin. After installing, a new page appears under Settings with a wealth of options:
I’m glad I did install it: it caught the same guy when he hit this blog a few hours later! You should probably install it too.
PS. Matt asked me to explain how I recorded those requests. There is a WordPress plugin that sends an email when a POST request is made, but I threw this code into a file and load it with the “auto_prepend_file” directive in my php.ini (which saves adding it to every installation of WordPress on my server):
<?php
// Loaded on every request through auto_prepend_file, so it runs before WordPress itself.
// Skip WP-Cron, comment submissions and trackback pings; mail everything else that carries a POST body.
$raw_body = file_get_contents( 'php://input' ); // $HTTP_RAW_POST_DATA was removed in PHP 7; php://input is the portable equivalent
if ( ( $raw_body !== '' || ! empty( $_POST ) )
	&& $_SERVER['REQUEST_URI'] != '/wp-cron.php?doing_wp_cron'
	&& $_SERVER['SCRIPT_NAME'] != '/wp-comments-post.php'
	&& substr( $_SERVER['REQUEST_URI'], -10 ) != '/trackback'
	&& substr( $_SERVER['REQUEST_URI'], -11 ) != '/trackback/' ) {
	// Caveat: a genuine login POST contains your own password in clear text, so this mail
	// also sends your credentials through e-mail every time you log in.
	mail( 'MYEMAIL@gmail.com',
		$_SERVER['HTTP_HOST'] . ' POST request: ' . $_SERVER['REMOTE_ADDR'],
		"URL: {$_SERVER['REQUEST_URI']}\nPOST: " . print_r( $_POST, 1 )
		. "\nCOOKIES: " . print_r( $_COOKIE, 1 )
		. "\nHTTP_RAW_POST_DATA: " . $raw_body );
}
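For comparison, here is an added example of the same auto_prepend_file idea narrowed to what brute-force monitoring actually needs. It is not the snippet from the post above and not the plugin mentioned in it: it only looks at POSTs to wp-login.php, redacts the password fields before anything is written, appends one JSON line per attempt to a log file, and mails at most one alert per source IP per hour instead of one per request. The log path, the alert address, the window and every function name are assumptions for illustration. Because the prepend file runs before WordPress, it can only record that an attempt was made, not whether it failed.

```php
<?php
// Added example (not the original snippet): a wp-login.php-only POST logger for auto_prepend_file.
// Assumptions: WP_POST_LOG is writable by the web server and mail() has a working sendmail.

define( 'WP_POST_LOG',          '/var/log/wp-login-posts.log' ); // assumed path
define( 'WP_POST_ALERT_TO',     'MYEMAIL@gmail.com' );           // placeholder address
define( 'WP_POST_ALERT_WINDOW', 3600 );                          // one mail per IP per hour

function wp_post_log_should_handle() {
    // Only POSTs to wp-login.php matter here; everything else (cron, comments, trackbacks) is ignored.
    if ( ! isset( $_SERVER['REQUEST_METHOD'], $_SERVER['REQUEST_URI'] ) ) {
        return false;
    }
    $path = (string) parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
    return $_SERVER['REQUEST_METHOD'] === 'POST' && basename( $path ) === 'wp-login.php';
}

function wp_post_log_redact( array $post ) {
    // Never write or mail credentials: keep the attempted username, drop password values.
    foreach ( array( 'pwd', 'pass1', 'pass2', 'password' ) as $key ) {
        if ( isset( $post[ $key ] ) ) {
            $post[ $key ] = '[redacted]';
        }
    }
    return $post;
}

function wp_post_log_record( $ip, $host, $uri, array $post ) {
    // One JSON object per line is easy to grep and to feed to a log pipeline later.
    $line = json_encode( array(
        'ts'   => gmdate( 'c' ),
        'ip'   => $ip,
        'host' => $host,
        'uri'  => $uri,
        'log'  => isset( $post['log'] ) ? $post['log'] : null, // username the attacker tried
        'ua'   => isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '',
    ) );
    file_put_contents( WP_POST_LOG, $line . "\n", FILE_APPEND | LOCK_EX );
}

function wp_post_log_should_alert( $ip ) {
    // Rate-limit mail per source IP with a marker file, so 3,000 attempts produce one e-mail, not 3,000.
    // The marker lives beside the log, not in the shared /tmp, to avoid predictable-name games on shared hosts.
    $marker = dirname( WP_POST_LOG ) . '/wp-post-alert-' . md5( $ip );
    if ( file_exists( $marker ) && filemtime( $marker ) > time() - WP_POST_ALERT_WINDOW ) {
        return false;
    }
    touch( $marker );
    return true;
}

if ( wp_post_log_should_handle() ) {
    $ip   = $_SERVER['REMOTE_ADDR'];
    $post = wp_post_log_redact( $_POST );
    wp_post_log_record( $ip, $_SERVER['HTTP_HOST'], $_SERVER['REQUEST_URI'], $post );
    if ( wp_post_log_should_alert( $ip ) ) {
        mail( WP_POST_ALERT_TO,
              $_SERVER['HTTP_HOST'] . ' login POST from ' . $ip,
              "URL: {$_SERVER['REQUEST_URI']}\nPOST: " . print_r( $post, true ) );
    }
}
```

Point `auto_prepend_file` in php.ini at this file, as the post does, and confirm with a single deliberate login that exactly one line lands in the log and that the `pwd` field in it reads `[redacted]`. A second login from the same address within the hour should be logged but not mailed.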

62 Comments
John Girvin (1 comments.) on July 15, 2009 at 10:18 am.
I’d agree, Limit Login Attempts is on my “standard” list of plugins to install.
If possible, I’ll further protect the login and admin areas with HTTP authentication to stop this kind of hammering attack before it even gets to WordPress.
Treasa (5 comments.) on July 15, 2009 at 10:18 am.
Some dude had a go at one of my sites the other day as well. I killed him with htaccess. This looks cool though, I will look at installing it.
Liew Cheon Fong (1 comments.) on July 15, 2009 at 10:25 am.
Never thought of it! Thanks for the info.
Ramoonus (19 comments.) on July 15, 2009 at 10:30 am.
It’s better to change the default username to something other than admin; that should do the trick.
Tom on July 15, 2009 at 10:44 am.
Another vote for adding this to WP core!
JackuB (2 comments.) on July 15, 2009 at 11:22 am.
Thanks for this plugin.
This one should be in the basic WP install. It’s really handy.
JackuB (2 comments.) on July 15, 2009 at 11:24 am.
BTW
What plugin do you use for
*Notify me of followup comments via e-mail?
Thanks
hpguru (3 comments.) on July 15, 2009 at 7:11 pm.
Check this http://txfx.net/code/wordpress/subscribe-to-comments/.
filosofo (3 comments.) on July 15, 2009 at 11:50 am.
So doesn’t this mean that you’re emailing yourself your username and password every time you log in? That seems like a security risk that’s much more likely to be exploited than someone guessing your password at random.
Donncha (1707 comments.) on July 15, 2009 at 11:58 am.
Yup, that’s true but I don’t hit wp-login.php very often so I don’t worry about it.
Joshua Parker (2 comments.) on July 15, 2009 at 1:24 pm.
Yeah, not only that, when any php script is accessed, you get an email. It would be great if this could work for WordPress only.
Donncha (1707 comments.) on July 15, 2009 at 1:29 pm.
It’s a dead simple script so it’s really easy with a bit of editing to limit when it sends those emails.
Robert (34 comments.) on July 15, 2009 at 11:55 am.
I just block everything from the Ukraine as well as a few other countries. It’s a drastic measure but none of my websites are aimed at those countries anyway.
It’s been unbelievable how much it has reduced all the various crack attempts. Naturally such a measure won’t suit everyone though.
johnbillion (2 comments.) on July 23, 2009 at 2:09 am.
You block entire countries from accessing your website because you have some problems with crackers and spammers?
Nothing on my website is “aimed at those countries” either, but I would never dream of such drastic and completely unnecessary measures. You seriously need to re-evaluate your approach there Robert.
Stilettogirl (1 comments.) on July 15, 2009 at 1:20 pm.
Probably not suitable for everybody. I’ve limited access to wp-login.php and admin.php by adding an IP filter in .htaccess.
Ramoonus (19 comments.) on July 15, 2009 at 2:20 pm.
Yes, that’s still not the best way to deal with it.
Jessi on July 16, 2009 at 2:12 am.
Actually, the IP filter works like a charm. I’ve been doing that for a year.
CortneySellers on July 17, 2009 at 5:21 pm.
Stupid question alert:
How can I do this:
I’ve limited access to wp-login.php and admin.php by adding an IP filter in .htaccess.
TIA!
Cortney
Patrick (1 comments.) on July 15, 2009 at 2:16 pm.
Another idea is to edit your wordpress database and change the admin username from “admin” to something else. I have done that for my school district’s web site as well as local school sites. So, even if someone happens to know the password, they’ll toss and turn to figure out the username. Then, limit login will hammer it down!
Evan (1 comments.) on July 15, 2009 at 2:41 pm.
Thanks for the tip. I went and installed a similar plugin (Login Lockdown) after reading this. I’ve also done what Patrick suggested, and deleted the “admin” user after setting up another admin account with a different name.
Jaypee (4 comments.) on July 15, 2009 at 3:41 pm.
Thanks for the heads up and for sharing this useful information!
Btw, I’ve been using a WP plugin called Login Lockdown that can limit a number of unsuccessful login attempts (brute force attacks), I guess it works just like or has the same concept as the Limit Login Attempts plugin that you’re using.
Prasannah (1 comments.) on July 15, 2009 at 3:57 pm.
Thanks for the tip Donncha! Using the plugin now
Will (11 comments.) on July 15, 2009 at 4:21 pm.
Hi
Could you go into some more detail regarding the logging of the failed login attempts. I would be interested in knowing if this is happening to me also.
Thanks
Will
Donncha (1707 comments.) on July 15, 2009 at 5:14 pm.
Will – just put that code into a file and make sure it’s included. WordPress has a “myhacks” function you could use. (Google it, I don’t have a url at hand)
Will (11 comments.) on July 15, 2009 at 6:51 pm.
Cheers Donncha, I’ll look into it further.
KeiferB (1 comments.) on July 15, 2009 at 5:06 pm.
Great tip, this should be a default plugin for any WordPress user
Pingback: Limit login, limita el número de logins de tu blog | aNieto2K
Michael Clark (2 comments.) on July 15, 2009 at 5:49 pm.
You might also want to check out my Login Error Cleanup plugin. It doesn’t tell a user if they got the username or password wrong when they try to login. http://www.planetmike.com/plugins/lec/
Dankoozy (34 comments.) on July 15, 2009 at 6:21 pm.
Where does this plugin store the failed logins? MySQL?
I wrote something a while back that limits logins much like this but using eAccelerator.
hpguru (3 comments.) on July 15, 2009 at 7:05 pm.
Thanks for this tip. I installed this plugin on my media blog.
hpguru (3 comments.) on July 15, 2009 at 7:12 pm.
Wow, great plugin. Fast install and simple to use. I could write about this plugin on my media blog. Sorry, poor English.
Peter Sweeney (1 comments.) on July 15, 2009 at 7:13 pm.
Brute force protection should be a standard feature of WordPress if you ask me!
Lucas McDonnell (1 comments.) on July 15, 2009 at 7:56 pm.
I use Login Lockdown, which accomplishes pretty much the same thing — not sure which plugin is better, since I haven’t tried Limit Login Attempts.
johnbillion (2 comments.) on July 23, 2009 at 2:14 am.
Login Lockdown is in my list of standard plugins to use on every WP install. Very similar functionality to Limit Login Attempts from the looks of things.
Viper007Bond (28 comments.) on July 15, 2009 at 8:46 pm.
We should add something like this to core IMO. It’d improve security across the board.
Pingback: Changing User Nice Name | Hugh Johnson
Matt Rogowski (1 comments.) on July 15, 2009 at 10:57 pm.
It should indeed be core, isn’t really a massive feature but sure as hell works. Thanks for the plugin link.
mercime on July 15, 2009 at 11:47 pm.
Yup, hardening WP/WPMU installs always include changing admin username to something else, plus adding the “login error cleanup” plugin and the “login lockdown” plugin and the htaccess thingy
Pingback: links for 2009-07-15 at So It’s Come To This:
Robert (34 comments.) on July 16, 2009 at 11:14 am.
Unfortunately I did not have all of the Ukraine firewalled like I mentioned in my earlier comment.
I’ve just had the same IP address trying to bruteforce my blog 3006 times in the past two hours!
He’s blocked this time around though.
Donncha (1707 comments.) on July 16, 2009 at 11:16 am.
Just to be extra paranoid and annoy the bots, I added a http auth login around wp-login.php on my other VPS. This one uses fastcgi which doesn’t support it unfortunately. (Yes, I could do it in a few .htaccess rules but I don’t have the time to dig into that right now!)
Ashish Mohta on July 16, 2009 at 12:20 pm.
Never knew this was not in the core of WordPress. This is a basic feature of an authentication system: block access after 3 wrong attempts.
This SHOULD GO INTO CORE !!!!
Pingback: Protecting wp-config.php files - is it possible? - WordPress Tavern Forum
Piyush Shekhar (1 comments.) on July 16, 2009 at 2:32 pm.
Somebody performed similar attacks on my blog too, a week ago.
Sad.
Pingback: Is your blog protected against brute force attack ? | Svetoslav Marinov's Blog
David Chapet (1 comments.) on July 17, 2009 at 7:24 pm.
It is incredible: today, my blog Journal de Cuba (in French) was the victim of the same attack and by the same IP !!! This idiot from Namibia made 593 unsuccessful attempts to log in. This morning I installed the plugin, thank you Donncha for the tips.
Melayu Boleh on July 18, 2009 at 7:08 am.
Wow! That is very dangerous.
I have to install the plugin immediately on all my WP blogs.
Thanks for the alert.
fkb on July 20, 2009 at 4:24 pm.
IP Tried to log in as
213.155.4.184 admin (1 lockout)
Same IP at my site. Good thing I installed Limit Login Attempts when I saw this post.
Thank you Donncha
Adam Pieniazek (2 comments.) on July 23, 2009 at 5:41 pm.
Add this line to your theme’s functions.php file to hide login error messages:
add_filter( 'login_errors', function ( $errors ) { return null; } ); // create_function() was removed in PHP 8; a closure does the same job
That way they can’t tell if they got the username or password (or both) wrong.
Vincent Chow (1 comments.) on July 25, 2009 at 1:10 pm.
Guess what? The same guy from the same IP is trying to get into my WordPress too. Detected after installing this plugin.
Pingback: RSS Week #62: letture per il weekend - Matteo Moro
level9 (1 comments.) on July 31, 2009 at 9:19 am.
I had the same issue from 213.155.4.184 hitting me 3,500 times. CPanel also shows this, and allows you to block ips or ip ranges.
Piyush Shekhar (1 comments.) on February 14, 2010 at 9:55 am.
Login attempts should be limited to prevent any kind of intrusion.
George (2 comments.) on January 3, 2011 at 2:02 am.
Hi Donncha, I have been using this plugin since you recommended it, and it worked fine. Recently, I have been hit by some hacker trying to log in simultaneously from multiple IP addresses. This plugin is not so effective in this scenario, as each day/time the same clown tries from different addresses, unstoppable!
Do you ( or anyone else) know of a solution to RESTRICT LOGIN to an IP or IP range, written into .htaccess or something?
I also use your WP Super Cache and Domain Mapping, so it needs be compatible with these too.
Ideas?
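The scenario in the comment above, one attacker rotating source addresses, is exactly where a purely per-IP lockout runs out of steam. The following is an added example written for this page, not the code of Limit Login Attempts or Login Lockdown: a must-use plugin that counts failures per source IP and, separately, per target username, so that an attacker spreading attempts over many addresses still hits the per-username lock. It assumes a WordPress recent enough to provide the MINUTE_IN_SECONDS and HOUR_IN_SECONDS constants (3.5 and later); the thresholds, the `lt_` prefix and all function names are illustrative.

```php
<?php
/*
Plugin Name: Login throttle (added example, not the Limit Login Attempts plugin)
*/
// Drop this file into wp-content/mu-plugins/ so it loads without activation.

define( 'LT_IP_MAX',   5 );                       // failures from one IP before that IP is locked
define( 'LT_USER_MAX', 20 );                      // failures against one username, from any IP
define( 'LT_WINDOW',   15 * MINUTE_IN_SECONDS );  // counting window (slides on every failure)
define( 'LT_LOCKOUT',  HOUR_IN_SECONDS );         // how long a lock lasts

function lt_client_ip() {
    // Trust REMOTE_ADDR only: X-Forwarded-For is attacker-controlled unless your own proxy sets it.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lt_key( $kind, $value ) {
    // Transient names are length-limited, so hash the value rather than embedding it.
    return 'lt_' . $kind . '_' . md5( strtolower( (string) $value ) );
}

function lt_bump( $kind, $value, $max ) {
    $key   = lt_key( $kind, $value );
    $count = (int) get_transient( $key ) + 1;       // get_transient() returns false when unset
    set_transient( $key, $count, LT_WINDOW );
    if ( $count >= $max ) {
        set_transient( $key . '_locked', time(), LT_LOCKOUT );
        error_log( sprintf( 'login lockout: %s=%s after %d failures', $kind, $value, $count ) );
    }
}

function lt_is_locked( $kind, $value ) {
    return false !== get_transient( lt_key( $kind, $value ) . '_locked' );
}

// Fires after every failed login; $username is whatever the client sent.
add_action( 'wp_login_failed', function ( $username ) {
    lt_bump( 'ip',   lt_client_ip(), LT_IP_MAX );
    lt_bump( 'user', $username,      LT_USER_MAX );
} );

// Priority 99 runs after WordPress' own username/password check at 20, which is required:
// that core filter returns a WP_User on a correct password regardless of any earlier WP_Error.
// Returning WP_Error here makes core fire wp_login_failed, so attempts during a lock extend it.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    if ( lt_is_locked( 'ip', lt_client_ip() ) || lt_is_locked( 'user', $username ) ) {
        return new WP_Error( 'login_locked', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 99, 3 );

// A successful login clears the per-IP counter (a legitimate user who mistyped a few times).
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( lt_key( 'ip', lt_client_ip() ) );
} );
```

The per-username counter is what defeats address rotation, but it cuts both ways: anyone who can send twenty bad passwords for your account can lock you out of it for an hour, which is why the per-username threshold is set much higher than the per-IP one and why the .htaccess IP restriction discussed further down this thread is a useful companion for single-admin sites.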
George (2 comments.) on January 3, 2011 at 3:01 am.
After further searching, I found a simple solution and would like to share:
http://money.bigbucksblogger.com/blog-security-htaccess-block/
specifically the section titled
“How To protect Your wp-admin File: Very Secure Method.”
It seems to work fine. I can login to my sites from home IP, no worries, and logging in through an online proxy (other IP) results in a 404 not found. Lovely!
What do you reckon, Donncha, is this method cool?
Donncha (1707 comments.) on January 3, 2011 at 3:04 pm.
Yup, that works. Best thing to do of course is use strong passwords!
George (5 comments.) on January 5, 2011 at 10:58 am.
Nope, it didn’t work. I am still getting hit from various IPs simultaneously. The .htaccess limits entry to directory wp-admin, but they still access wp-login.php. Is /wp-admin still secure from other IP access even though wp-login.php is being hit? or is there a way to limit access to wp-login.php to only my home IP?
Am I safe???
Donncha (1707 comments.) on January 5, 2011 at 11:08 am.
Just make sure you have a strong password and you’ll be fine. You can use similar .htaccess rules to block access to your wp-login.php too.
George (5 comments.) on January 7, 2011 at 12:40 am.
Thanks Donncha. I did it, and get a 404 page when accessing through a proxy (other IP), so it should work!
For those wishing to do the same, here it is:
(replace 111.111.111.111 with your IP)
Restrict access to wp-admin by IP:
Make a .htaccess file in directory /wp-admin, and include:
order deny,allow
allow from 111.111.111.111
deny from all
Restrict access to wp-login.php by IP:
Add this to .htaccess file in root directory /public_html:
<Files wp-login.php>
Order deny,allow
Deny from All
Allow from 111.111.111.111
</Files>
[The <Files wp-login.php> … </Files> wrapper is assumed here: the comment form stripped the angle-bracket lines, as the follow-up comments below say, and without it a “Deny from All” in the root .htaccess shuts out the whole site rather than just the login page.]
George (5 comments.) on January 7, 2011 at 12:43 am.
I made mistake, and can’t edit comment.
CORRECTION:
Restrict access to wp-login.php by IP:
Add this to .htaccess file in root directory /public_html:
Order deny,allow
Deny from All
Allow from 111.111.111.111
George (5 comments.) on January 7, 2011 at 12:45 am.
it is changing the code here???
should be:
Order deny,allow
Deny from All
Allow from 111.111.111.111
George (5 comments.) on January 7, 2011 at 12:48 am.
Sorry mate, delete the last few comments; every time I put the code in and submit the comment, the code changes. Email me and I can send the proper code for you to post. Funny thing, the comment box changes the code completely!