Actually, it happened after installing Sucuri. I want to know what this is.
It’s hard to say without knowing a bit more about your website.
The order in which the information is listed in the table (taking into consideration the amount of time since the session started) tells a little bit of the story, but this is still speculation:
- Someone logged in from 162.216.19.183 using unknown software,
- At the same time, someone from 2600:3c03:0:0:f03c:91ff:fedb:9602 logged in using the same credentials and unknown software as well,
- 7 seconds later, the first user logged in again without logging out first, this time using software with the Microsoft Internet Explorer user-agent. WordPress is responsible for killing previous cookies when a new session is started; I don’t know why it didn’t happen this time,
- Something similar happened with the second user: they logged in using software disguised as the Safari web browser from macOS, 8 seconds after the initial session was created, and, same as with the other user, WordPress didn’t expire the previous cookies,
- This process, with the second user, was repeated three more times, 9, 11 and 30 seconds after the original session started, using unknown software, then something behaving like Google Chrome and finally something behaving like Microsoft Internet Explorer, respectively.
Thinking about it, and taking a wild guess, I would say that someone or something (like automated software) was checking leaked credentials with different user-agents to see if the website behaves in a different way.
However, both IP addresses 162.216.19.183 and 2600:3c03:0:0:f03c:91ff:fedb:9602 are associated with the web malware scanner that Sucuri SiteCheck uses. I don’t know why it is triggering a login report on your website. I will talk with the maintainer of the code and will update this ticket when I have more information.
Thank you for your patience.
Sorry, it is the list of visitors, not logged-in users.
So what you said is OK.
But I have new problems.
1) Someone tried to access /wp-admin.php again and again.
2) I blocked such country IPs and changed wp-admin.php.
3) Now he is accessing my website again and again (778 visits in a day with 300 different IPs). Why is he doing this?
4) Moreover, this data is not shown in Google Analytics.
Please give me some suggestions.
Thank you!
Dealing with automated login attempts is a problem that WordPress websites will face forever, as long as there is a reachable login form. You can read more about the subject of brute force password attacks here [1][2][3].
Marking as resolved, let me know if you need more information.
[1] https://sucuri.net/website-firewall/stop-brute-force-attacks
[2] https://kb.sucuri.net/definitions/attacks/brute-force/password-guessing
[3] https://blog.sucuri.net/2016/12/ask-sucuri-how-to-stop-brute-force-attacks.html
Actually, I have loggers. They are not showing any incorrect login attempts.
Hacker: Visited wp-login.php again and again.
Me: Moved wp-login to another location.
Hacker: Visited the home page again and again.
Me: Temporarily stopped access from other countries.
At the same time, he is searching for a file that can upload something:
/plugins/blaze-slide-show-for-wordpress/js/swfupload/js/upload.php
and uploadify upload.php
But I do not have any of these files.
Moreover, he is simply visiting again and again with different IPs.
What is his target? What is he trying?
Any guess or suggestion, please!
Thank you!
> What is his target? What is he trying?
You said that they are visiting your login page, so we can guess that they want to log into your admin panel. Then you mentioned that they are trying to locate a file that is commonly used to upload other files into the website, so we can guess that they want to upload a malicious file. Changing their IP address is just their attempt to circumvent any blocking that you may or may not be exercising.
To be honest, I wouldn’t be worried about them. I have seen websites receive millions of attacks per day; it’s not uncommon. They will keep trying different things until either a vulnerability is found or they get bored and move on to a different target.
What you can do is make sure that they don’t get access to sensitive data or to private parts of the website. It doesn’t matter if they are hitting your login or upload scripts thousands of times per second, as long as you keep the security of your website in shape. If you are concerned about the bandwidth consumption, you can block them, but they will simply change their IP address; your only option may be to put a firewall in front to filter all the bad traffic.
Ask your hosting provider to see if they offer some sort of security services that you can buy to increase the security of your website. Or try one of the security services offered by different companies online [1][2][3].
Let me know if you need more information.
[1] https://www.akamai.com/uk/en/resources/waf.jsp
[2] https://sucuri.net/website-firewall/
[3] https://www.cloudflare.com/waf/
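
Added example (not part of the original thread and not Sucuri's code): a Python triage of web-server access-log lines that separates the request types discussed above and flags only the ones that deserve a closer look. The log lines are constructed, the combined log format is an assumption about the server, and `/plugins/uploadify/upload.php` is an assumed stand-in path for the Uploadify probe.

```python
import re
from collections import defaultdict

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2017:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2017:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Mar/2017:10:00:09 +0000] "GET /plugins/blaze-slide-show-for-wordpress/js/swfupload/js/upload.php HTTP/1.1" 404 512 "-" "-"
198.51.100.9 - - [12/Mar/2017:10:00:12 +0000] "POST /plugins/uploadify/upload.php HTTP/1.1" 404 512 "-" "-"
192.0.2.44 - - [12/Mar/2017:10:00:15 +0000] "GET / HTTP/1.1" 200 18022 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def classify(method, path, status):
    """Return (category, needs_review) for one request."""
    path = path.split("?", 1)[0]
    if path.endswith("/wp-login.php"):
        if method == "POST":
            # WordPress re-renders the form (200) on a failed login and
            # redirects (302) on success, so only a 302 needs review.
            return "login_attempt", status == 302
        # A GET only loads the form; no credentials are submitted,
        # so failed-login loggers record nothing for it.
        return "login_view", False
    if path.endswith("/upload.php"):
        # 404 means the script is absent; any other status means
        # something answered at that path.
        return "upload_probe", status != 404
    return "other", False

def summarize(log_text):
    """Return ({category: (hits, distinct_ips)}, [requests to review])."""
    hits, ips, review = defaultdict(int), defaultdict(set), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        status = int(m["status"])
        category, flagged = classify(m["method"], m["path"], status)
        hits[category] += 1
        ips[category].add(m["ip"])
        if flagged:
            review.append((m["ip"], m["method"], m["path"], status))
    return {c: (hits[c], len(ips[c])) for c in hits}, review

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
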