Some idiot at 213.155.4.184 hit all my websites over the last few days trying to log in to my blogs. He fired off hundreds of automated requests probing, searching and testing my admin login. Each request had a different password. I use difficult-to-guess passwords, but seeing the attempts was disconcerting.
I went searching and found the Limit Login Attempts plugin. After installing, a new page appears under Settings with a wealth of options:
I’m glad I did install it: it caught the same guy when he hit this blog a few hours later! You should probably install it too.
PS. Matt asked me to explain how I recorded those requests. There is a WordPress plugin that sends an email when a POST request is made, but I threw this code into a file and load it with the “auto_prepend_file” directive in my php.ini (saves adding it to every installation of WordPress on my server).
<?php
// Mail myself every POST request, skipping WP cron runs, comment posts and trackbacks.
if ( ( isset( $HTTP_RAW_POST_DATA ) || !empty( $_POST ) ) && $_SERVER[ 'REQUEST_URI' ] != '/wp-cron.php?doing_wp_cron' && $_SERVER[ 'SCRIPT_NAME' ] != '/wp-comments-post.php' && substr( $_SERVER[ 'REQUEST_URI' ], -10 ) != '/trackback' && substr( $_SERVER[ 'REQUEST_URI' ], -11 ) != '/trackback/' ) {
	// The POST body is mailed as-is, so a login POST carries the submitted password.
	mail( "MYEMAIL@gmail.com", $_SERVER[ 'HTTP_HOST' ] . " POST request: " . $_SERVER[ 'REMOTE_ADDR' ], "URL: {$_SERVER[ 'REQUEST_URI' ]}\nPOST: " . print_r( $_POST, 1 ) . "\nCOOKIES: " . print_r( $_COOKIE, 1 ) . "\nHTTP_RAW_POST_DATA: $HTTP_RAW_POST_DATA" );
}
This is the personal blog of Donncha O Caoimh, Irish WordPress developer and sometimes Photographer.


I’d agree, Limit Login Attempts is on my “standard” list of plugins to install.
If possible, I’ll further protect the login and admin areas with HTTP authentication to stop this kind of hammering attack before it even gets to WordPress.
Some dude had a go at one of my sites the other day as well. I killed him with htaccess. This looks cool though, I will look at installing it.
Never thought of it! Thanks for the info.
It’s better to change the default username to something other than admin; that should do the trick.
Another vote for adding this to WP core!
Thx for this plugin.
This one should be in basic WP install. It’s really handy.
BTW
What plugin do you use for
*Notify me of followup comments via e-mail?
Thanks
Check this http://txfx.net/code/wordpress/subscribe-to-comments/.
So doesn’t this mean that you’re emailing yourself your username and password every time you log in? That seems like a security risk that’s much more likely to be exploited than someone guessing your password at random.
Yup, that’s true but I don’t hit wp-login.php very often so I don’t worry about it.
Yeah, not only that, when any PHP script is accessed, you get an email. It would be great if this could work for WordPress only.
It’s a dead simple script so it’s really easy with a bit of editing to limit when it sends those emails.
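One way to do that editing, as an added example rather than the post's original snippet: the same auto_prepend_file approach, narrowed to POSTs against wp-login.php and with the password fields redacted before anything is mailed (assumes PHP 7 or later; the mailbox address is a placeholder).

```php
<?php
// Added example, not the post's original snippet: the same auto_prepend_file
// idea, narrowed to POSTs against wp-login.php and with password fields
// redacted before anything is mailed. LOG_MAIL_TO is a placeholder address.
const LOG_MAIL_TO = 'MYEMAIL@example.com';

// Builds the e-mail subject and body for a login POST, or returns null when
// the request is not one we care about.
function wp_login_post_report( array $server, array $post ) {
    if ( ( $server['REQUEST_METHOD'] ?? '' ) !== 'POST' ) {
        return null;
    }
    if ( basename( $server['SCRIPT_NAME'] ?? '' ) !== 'wp-login.php' ) {
        return null;
    }
    // Keep the username (it shows which account is being probed) but never
    // the submitted password, so the mailbox holds no usable credential.
    $safe = $post;
    foreach ( array( 'pwd', 'pass1', 'pass2', 'user_pass' ) as $field ) {
        if ( isset( $safe[ $field ] ) ) {
            $safe[ $field ] = '[redacted]';
        }
    }
    // Host and URI come from the client; strip line breaks so they cannot
    // smuggle extra mail headers into the subject line.
    $clean = function ( $v ) {
        return preg_replace( '/[\r\n]+/', ' ', (string) $v );
    };
    $host = $clean( $server['HTTP_HOST'] ?? '?' );
    $ip   = $clean( $server['REMOTE_ADDR'] ?? '?' );
    return array(
        'subject' => "$host login POST from $ip",
        'body'    => 'URL: ' . $clean( $server['REQUEST_URI'] ?? '' ) . "\n"
                   . 'POST: ' . print_r( $safe, true ),
    );
}

$report = wp_login_post_report( $_SERVER, $_POST );
if ( $report !== null ) {
    mail( LOG_MAIL_TO, $report['subject'], $report['body'] );
}
```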
I just block everything from the Ukraine as well as a few other countries. It’s a drastic measure but none of my websites are aimed at those countries anyway.
It’s been unbelievable how much it has reduced all the various crack attempts. Naturally such a measure won’t suit everyone though.
You block entire countries from accessing your website because you have some problems with crackers and spammers?
Nothing on my website is “aimed at those countries” either, but I would never dream of such drastic and completely unnecessary measures. You seriously need to re-evaluate your approach there Robert.
Probably not suitable for everybody. I’ve limited access to wp-login.php and admin.php by adding an IP filter in .htaccess.
Yes, that’s still not the best way to deal with it.
Actually, the IP filter works like a charm. I’ve been doing that for a year.
Stupid question alert:
How can I do this:
I’ve limited access to wp-login.php and admin.php by adding an IP filter in .htaccess.
TIA!
Cortney
Another idea is to edit your WordPress database and change the admin username from “admin” to something else. I have done that for my school district’s web site as well as local school sites. So, even if someone happens to know the password, they’ll toss and turn to figure out the username. Then, limit login will hammer it down!
Thanks for the tip. I went and installed a similar plugin (Login Lockdown) after reading this. I’ve also done what Patrick suggested, and deleted the “admin” user after setting up another admin account with a different name.
Thanks for the heads up and for sharing this useful information!
Btw, I’ve been using a WP plugin called Login Lockdown that can limit a number of unsuccessful login attempts (brute force attacks), I guess it works just like or has the same concept as the Limit Login Attempts plugin that you’re using.
Thanks for the tip Donncha! Using the plugin now
Hi
Could you go into some more detail regarding the logging of the failed login attempts. I would be interested in knowing if this is happening to me also.
Thanks
Will
Will – just put that code into a file and make sure it’s included. WordPress has a “myhacks” function you could use. (Google it, I don’t have a url at hand)
Cheers Donncha, I’ll look into it further.
Great tip, this should be a default plugin for any WordPress user.
[...] publishes an interesting article in which he tells us about a problem that many of us have [...]
You might also want to check out my Login Error Cleanup plugin. It doesn’t tell a user if they got the username or password wrong when they try to login. http://www.planetmike.com/plugins/lec/
where does this plugin store the failed logins? mysql?
i wrote something a while back that limits logins much like this but using eaccelerator.
Thanks for this tip. I installed this plugin on my media blog.
Wow, great plugin. Fast install and simple to use. I could write about this plugin on my media blog. Sorry, poor English.
Brute force protection should be a standard feature of WordPress if you ask me!
I use Login Lockdown, which accomplishes pretty much the same thing — not sure which plugin is better, since I haven’t tried Limit Login Attempts.
Login Lockdown is in my list of standard plugins to use on every WP install. Very similar functionality to Limit Login Attempts from the looks of things.
We should add something like this to core IMO. It’d improve security across the board.
[...] reading about Donncha’s experiences with the Limit Login Attempts plugin I decided it would be a good idea to implement it on my blog. [...]
It should indeed be core, isn’t really a massive feature but sure as hell works. Thanks for the plugin link.
Yup, hardening WP/WPMU installs always include changing admin username to something else, plus adding the “login error cleanup” plugin and the “login lockdown” plugin and the htaccess thingy
[...] Why you should limit login attempts (tags: wordpress security advice howto plugin) [...]
Unfortunately I did not have all of the Ukraine firewalled like I mentioned in my earlier comment.
I’ve just had the same IP address trying to brute-force my blog 3006 times in the past two hours!
He’s blocked this time around though.
Just to be extra paranoid and annoy the bots, I added an HTTP auth login around wp-login.php on my other VPS. This one uses FastCGI, which doesn’t support it unfortunately. (Yes, I could do it in a few .htaccess rules but I don’t have the time to dig into that right now!)
Never knew this was not in the core of WordPress. This is a basic feature of an authentication system: block access after 3 wrong attempts.
This SHOULD GO INTO CORE !!!!
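What such a lockout looks like in code, as an added example and not the Limit Login Attempts plugin's own implementation: a small mu-plugin that counts failures per IP in a WordPress transient (stored in wp_options, which is one answer to the earlier question about where failed logins can live) and refuses further attempts through the authenticate filter once the limit is reached. The threshold, the lockout duration and the use of REMOTE_ADDR as the client address are my assumptions.

```php
<?php
// Added example, not the Limit Login Attempts plugin's own code: a minimal
// per-IP lockout for WordPress, dropped into wp-content/mu-plugins/.
// Assumptions: the two constants are my own choices, and REMOTE_ADDR is the
// real client address (adjust if a reverse proxy sits in front).
const LLA_MAX_ATTEMPTS    = 3;    // failures allowed before lockout
const LLA_LOCKOUT_SECONDS = 1200; // 20 minutes

function lla_client_ip() {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Transient name for this IP; transients live in wp_options, so no new table.
function lla_key( $ip ) {
    return 'lla_' . md5( $ip );
}

// Every failed login bumps the counter for the IP and refreshes its expiry.
// Attempts refused by the lockout below also count, which extends the lockout.
add_action( 'wp_login_failed', function () {
    $key   = lla_key( lla_client_ip() );
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, LLA_LOCKOUT_SECONDS );
} );

// Priority 30 runs after the built-in username/password check (priority 20),
// so a WP_Error returned here is the final verdict for a locked-out IP.
add_filter( 'authenticate', function ( $user, $username ) {
    $fails = (int) get_transient( lla_key( lla_client_ip() ) );
    if ( $fails >= LLA_MAX_ATTEMPTS ) {
        return new WP_Error( 'lla_locked', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 2 );

// A successful login from the IP clears its counter.
add_action( 'wp_login', function () {
    delete_transient( lla_key( lla_client_ip() ) );
} );
```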
[...] In this situation, having a secure password and doing something to limit login attempts (per the recent post on the subject) is probably better (in terms of convenience, not security) than using an IP based access denial [...]
Somebody performed similar attacks on my blog too, a week ago.
Sad.
[...] Donncha O Caoimh's posting has 2 really good ideas. [...]
It is incredible: today, my blog Journal de Cuba (in French) was the victim of the same attack and from the same IP !!! This idiot from Namibia made 593 unsuccessful attempts to log in. This morning I installed the plugin; thank you Donncha for the tips.
wow! that is very dangerous.
Have to install the plugin immediately to all my wp blog.
thanks for the alert.
IP: 213.155.4.184, tried to log in as: admin (1 lockout)
Same IP at my site. Good thing I installed Limit Login Attempts when I saw this post.
Thank you Donncha
Add this line to your theme’s functions.php file to hide login error messages:
// Empties the message WordPress prints on a failed login (closure instead of create_function, which later PHP versions removed).
add_filter( 'login_errors', function ( $a ) { return null; } );
That way they can’t tell if they got the username or password (or both) wrong.
Guess what? The same guy from the same IP is trying to get into my WordPress too. Detected after installing this plugin.
[...] Why you should limit login attempts [...]
I had the same issue from 213.155.4.184 hitting me 3,500 times. cPanel also shows this, and allows you to block IPs or IP ranges.