Resolved

niccol (@niccol)


    Can someone help me work out how Wordfence calculates multiple failed logins?

    I have a site that has an htaccess password on wp-admin. You can’t reach login without those credentials. I am still getting alerts such as:

    A user with IP address 59.51.146.217 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 20. The last username they tried to sign in with was: ‘###########’
    User IP: 59.51.146.217
    User hostname: 59.51.146.217
    User location: Guiyang, China

    That presumably means that they are managing to get around the htaccess password. Is that correct?

    thanks

    Nick

Viewing 2 replies - 1 through 2 (of 2 total)
    An htaccess file in (or controlling) the /wp-admin directory will not affect standard logins, only access to scripts with a path within the /wp-admin directory.

    It will not affect logins, because the /wp-login.php file is located in the root of your site. See it by logging out and trying to log in again. Watch the URL path.

    If you really wanted to have two-level access control on all your logins, you could add htaccess permissions to load the wp-login.php file. Then first the web server would ask you for one login to access /wp-login.php (stopping the WP login hacker scripts at the door), and then afterwards the actual WordPress login would appear. Quite painful. 🙂

    Hi Nick,
    What was mentioned by Caleb is correct. I would like to add that half of brute-force attacks come through xmlrpc.php, so protecting wp-login.php in such a way won’t prevent these attacks completely. Instead, I recommend adjusting “Login Security Options” to make it more restricted.

    In general, it’s not a good idea to limit access to “/wp-admin” as it contains the admin-ajax.php file, which is used by many plugins/themes; this limitation could break these themes/plugins.

    Thanks.
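As an added example that is not part of this thread (it is neither the original poster's configuration nor anything Wordfence support posted), the Apache 2.4 .htaccess fragments below lay out what the two replies describe: the rule on /wp-admin guards only scripts under that directory, so /wp-login.php and /xmlrpc.php in the site root stay reachable; a root-level FilesMatch block puts the web-server prompt in front of both; and an exemption for admin-ajax.php avoids the plugin/theme breakage the second reply warns about. The .htpasswd path and the "Restricted area" realm name are placeholders.

```apache
# --- /wp-admin/.htaccess (the setup the original poster has, shown for contrast) ---
# Basic auth on the /wp-admin directory. This covers only scripts whose path
# is under /wp-admin. wp-login.php and xmlrpc.php sit in the site root, so
# the failed logins Wordfence reports never pass through this rule.
AuthType Basic
AuthName "Restricted area"
# Placeholder: replace with the absolute path to your own .htpasswd file.
AuthUserFile /full/path/to/.htpasswd
Require valid-user

# Exempt admin-ajax.php so front-end plugin/theme requests keep working.
# Apache 2.4 syntax: the more specific <Files> section overrides the
# directory-level Require above.
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- /.htaccess in the site root (where wp-login.php and xmlrpc.php live) ---
# The two-level login the first reply describes: the web server asks for
# credentials before WordPress ever serves its login form. xmlrpc.php is
# covered by the same rule because it accepts the same WordPress username
# and password and is the other channel the second reply mentions.
<FilesMatch "^(wp-login|xmlrpc)\.php$">
    AuthType Basic
    AuthName "Restricted area"
    # Placeholder: same .htpasswd file as above.
    AuthUserFile /full/path/to/.htpasswd
    Require valid-user
</FilesMatch>
```

To check that the rule is in effect, do what the first reply suggests: log out, request /wp-login.php, and confirm the browser's HTTP authentication prompt appears before the WordPress form. Once it does, guessing attempts that fail the web-server prompt show up as 401 responses in the Apache access log rather than as Wordfence lockout alerts, which is one way to tell the two layers apart when reviewing logs. This does not replace the Wordfence "Login Security Options" the second reply recommends; it only moves the first rejection out of WordPress.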


The topic ‘Login Alerts’ is closed to new replies.