WordPress.org

Ready to get started?Download WordPress

Forums

Login Security Solution
[resolved] Stopped recording IP in database? (9 posts)

  1. cdrak0715
    Member
    Posted 1 year ago #

    I can see in the website log that there have been attempts to access wp-login.php, but the IPs aren't listed in the wp_login database. Any ideas?

    http://wordpress.org/extend/plugins/login-security-solution/

  2. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    LSS failure tracking gets stored the wp_login_security_solution_fail table.

  3. cdrak0715
    Member
    Posted 1 year ago #

    Sorry, I'm afraid my original post wasn't clear. I can see attempts in the latest visitor logs from my hosting service, but I don't see them recorded in wp_login_security_solution_fail. There's a gap in the records. Some attempts did get recorded later in the day, but it's odd that some were skipped. The only thing I can think of is that whoever found the log in page, didn't try to log in which is weird, but it's the only thing that makes sense.

    On the bright side, it looks like there hasn't been an attempt since yesterday afternoon (around 3pm EDT), so maybe they're taking the hint!

  4. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    In your web server access logs, were the requests HTTP POST or GET? If it's GET, then it's just the page being loaded. If it's POST, then it's probably an auth request.

  5. cdrak0715
    Member
    Posted 1 year ago #

    Not clear from the log. This is what I'm seeing. This IP wasn't recorded in wp_login_security_solution_fail.

    Host: 41.220.166.15
    /wp-login.php
    Http Code: 200 Date: Jun 14 02:57:59 Http Version: HTTP/1.0 Size in Bytes: 3117
    Referer: -
    Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0

  6. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    You're looking at some user interface. You'll need to SSH into the server and look at the raw logs.

  7. cdrak0715
    Member
    Posted 1 year ago #

    Yes, I'm looking at it through CPanel.

    Anyway, I'm really confused now. I got a bunch of email alerts about being under attack, but when I lookup the IPs in wp_login_security_solution_fail I only see a few hits for the IPs reported in the emails.

    Example, I got this email

    Component                    Count     Value from Current Attempt
    ------------------------     -----     ---------------------------
    Network IP                       1     188.135.15
    Username                        50     admin

    If I run the following SQL statement:
    SELECT * FROMwp_login_security_solution_failwhereiplike '188.135.15%'

    I get this result:

    fail_id   ip            user_login    date_failed
    2908      188.135.15.64 admin         2013-06-16 06:19:43
    3161      188.135.15.64 administrator 2013-06-16 06:31:01
  8. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Examine the "Count" column in the email. It shows there was only one hit for the Network IP but 50 for the Username.

    Please note, the email shows the data for the attempt that takes you over the reporting threshold. To show the exact data set in question you'd need to use all three data points in the query's WHERE clause: Network IP, Username and Password MD5. Putting only one or two items in the WHERE clause will produce different results.

  9. cdrak0715
    Member
    Posted 1 year ago #

    Thanks for the clarification, explanation and patience. Much clearer now. It seems to me the attempts have slowed since I installed this and that makes me very happy.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags

No tags yet.