Also it happens after I’ve logged in to work on my site. Then later I will get the email as stated above. No I’ve never made a mistake when logging in…so it’s not from me putting incorrect user and password info.
Plugin Contributor
johanee
(@johanee)
Make sure you have correct setting for reverse proxy.
If your site is behind a reverse proxy on the same computer (if you use Varnish for example) it will appear that all login attempts are from the server IP.
Please check the information in the site connection option on the plugin settings page.
(There shouldn’t be any passwords in the notification email, I guess you mean “last user attempted”)
Hi Johanee,
Thanks for the reply…yes I meant “last user attempted” I will check as suggested.
Thank you…great plug in…do you have a site for donations?
I’m getting the same thing on my site, but I’ve only had it occur once. I’m using “Simple Login Log” and noticed this yesterday. The username was 123123123123123, IP was my server, and user agent was WordPress/3.2.1; https://www.mydomain.org
It was a failed login, but only 1 and didn’t trigger a lockout like PositiveMostOfTheTime experienced.
Reverse proxy settings are correct.
Plugin Contributor
johanee
(@johanee)
Ok, interesting. I’ll investigate this further.
I assume the site is not behind a reverse proxy on the same server?
Do you use HTTPS for the whole site, or only for login / admin?
I do not actually think it is possible to spoof a HTTP connection using the target IP, so the login attempt is probably made from the server itself.
Is it a shared server?
Ok, interesting. I’ll investigate this further.
I assume the site is not behind a reverse proxy on the same server?
I don’t believe so, most IPs are correct in the log and it is detected as a direct connection by the plugin. I’m on the Dreamhost cheapo package and to my knowledge it is not a reverse proxy connection. Wouldn’t the entire log be the server’s IP if it was a reverse proxy and misconfigured?
Do you use HTTPS for the whole site, or only for login / admin?
The full site, using “WordPress HTTPS” plugin
I do not actually think it is possible to spoof a HTTP connection using the target IP, so the login attempt is probably made from the server itself.
Is it a shared server?
Yes
Plugin Contributor
johanee
(@johanee)
Yeah, probably no proxy we need to be concerned about.
Is it shared IP hosting? Meaning you’ll probably have a shared SSL for example.
Plugin Contributor
johanee
(@johanee)
Do you have access to web server logs?
Could you find (grep) for “wp-login.php”?
SSL cert is private.
I can get access.log files, what specifically should i look for there?
Here’s everything that happened during the time of that login fail:
xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:22 -0800] "POST /wp-login.php HTTP/1.0" 200 5443 "-" "WordPress/3.2.1; https://www.mydomain.com"
xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:22 -0800] "GET /?flnh3vwodn4nk8ny0fg4z52kh22kvw1rxjojri9h4qv4cchqd9eval(6kz6ppvuwerpohz3goze86cldgemku08ignzb5qcbd8ciakz9j HTTP/1.0" 403 3726 "-" "WordPress/3.2.1; https://www.mydomain.com"
xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:23 -0800] "GET /?ywolbotwzybj3pxjmc310h9ula5ckukjyc2z55dthpkf33uzo3base64(w0cp67rhxj0po0nyttg0x786wsydiesd3b4giku1bk3nw7jgc8 HTTP/1.0" 403 3726 "-" "WordPress/3.2.1; https://www.mydomain.com"
xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:23 -0800] "GET /wp-content/uploads/ HTTP/1.0" 302 3966 "-" "WordPress/3.2.1; https://www.mydomain.com"
xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:23 -0800] "GET /wp-login.php?redirect_to=https%3A%2F%2Fwww.mydomain.com%2Fwp-content%2Fuploads%2F&reauth=1 HTTP/1.0" 200 1819 "-" "WordPress/3.2.1; https://www.mydomain.com"
xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:24 -0800] "GET / HTTP/1.0" 302 3950 "-" "WordPress/3.2.1; https://www.mydomain.com"
xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:24 -0800] "GET /wp-login.php?redirect_to=https%3A%2F%2Fwww.mydomain.com%2F&reauth=1 HTTP/1.0" 200 1819 "-" "WordPress/3.2.1; https://www.mydomain.com"
xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:24 -0800] "GET / HTTP/1.0" 302 3966 "-" "WordPress/3.2.1; https://www.mydomain.com"
xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:25 -0800] "GET /wp-login.php?redirect_to=https%3A%2F%2Fwww.mydomain.com%2F&reauth=1 HTTP/1.0" 200 1819 "-" "WordPress/3.2.1; https://www.mydomain.com"
xxx.xxx.xxx.xxx being the IP of the server at that time
