WordPress.org

Ready to get started?Download WordPress

Forums

Login Security Solution
[resolved] HELP!! Site getting hammered, same IP address (9 posts)

  1. pfarrelli
    Member
    Posted 1 year ago #

    Hi .. I am reposting because I didn't put this request directly into the LSS forum ...
    ----------------------------------------------------

    Hi,

    I am using Login Security Solution plugin. This morning I woke to almost 600 attempts to compromise a clients site via brute force. About 5 a minute.

    All attempts are from the same IP. All password tried are VERY long and seem totally random. The passwords are so long and obscure that it would seem that none could possible work. No idea why they are using such PWs

    Also they were not using Admin as login name but names related to the site. The username used changed a few times and then they eventually got a hold of the CORRECT username is quite obscure. HOW IS THAT EVEN POSSIBLE??

    Also, using .htaccess in my wp-admin folder, I am blocking access to any IP address but three. HOW IS IT POSSIBLE that they can even attempt a login?

    Finally, why is it that LSS is not blocking like it should by creating long delays.??

    I currently have the site shut down so as to stop the attempts.

    Any help would be appreciated.

    P

    http://wordpress.org/extend/plugins/login-security-solution/

  2. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    All password tried are VERY long and seem totally random.

    The "passwords" sent in the emails and stored in the database are _hashes_ of the password, not the passwords themselves. This is for security reasons.

    they eventually got a hold of the CORRECT username is quite obscure.

    There are several ways. Many themes have links in the post to view content by that user. Or folks can probe various ID numbers this way: example.com/?author=1.

    Also, using .htaccess in my wp-admin folder, I am blocking access to any IP address but three. HOW IS IT POSSIBLE that they can even attempt a login?

    wp-login.php is in the root directory of the wp install, not the wp-admin dir.

    Finally, why is it that LSS is not blocking like it should by creating long delays.?

    This is covered in this plugin's FAQ.

  3. pfarrelli
    Member
    Posted 1 year ago #

    Thanks so much. I will look into the FAQ. I will also look into IP blocking wp-login.php. I see that is possible.

    Seems to me kind of silly to rename admin account if it is so easy to find what the new account is. Then again, if I make it a REALLY bizarre name and not MyAdminAcct then maybe it will be even more difficult to break in.

    Thanks again and I will chime back in if I have a question.

  4. pfarrelli
    Member
    Posted 1 year ago #

    I do have a few questions.

    Is there a way to see the passwords attempted?

    My attack went on for HOURS. The longest delay in LSS is 60 seconds (tier 3). Is there a way to make it like 5 minutes when it is an obvious attack??

    I was getting up to 5 emails a minute with each email sent after 5 failed attempts. If the delay is tier 3, 25-60 seconds after 10 attempts, shouldn't the login attempts have been limited to just two a minute max after ten failed attempts if those were inside 120 minutes?

    Are there any known issues with IP blocking wp-login file?

    Thanks again.

  5. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Is there a way to see the passwords attempted?

    No. Storing clear text passwords is a bad, bad idea.

    shouldn't the login attempts have been limited to just two a minute max after ten failed attempts

    As mentioned in the FAQ, the attacker is using multiple threads to make the attempts. The slowdown makes each thread go slower.

    Are there any known issues with IP blocking wp-login file?

    Should be okay.

  6. pfarrelli
    Member
    Posted 1 year ago #

    DOH! Yes . .. multiple threads .. forgot .. Read that elsewhere also. Thanks ..

  7. pha3z
    Member
    Posted 1 year ago #

    Dan,

    Have you considered adding a theme option to block non-administrative users from viewing any information that might relay details about user information? A lot of WordPress sites have no need of this functionality. example: block the following:

    example.com/?author=1

    which shows the Archives page.

    - Jim

  8. pha3z
    Member
    Posted 1 year ago #

    Nevermind on the post above. Totally moot. After I looked into the issue, I've got a way better appreciation for what's going on.

  9. pha3z
    Member
    Posted 1 year ago #

    Content deleted.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags

No tags yet.