Installed WordPress Simple Firewall and it put a stop to it. I don’t understand why my host said nothing was showing up in their side, showing that the attempts were being made. Glad I have WF installed and let me know this was happening.
Using the Wordfence firewall, you can immediately block invalid usernames that you see with frequency in your logs.
Just add the usernames, separated by a comma, to: Options- Login Security Options – Immediately block the IP of users who try to sign in as these usernames
You can also use this section to block failed attempts after n number of failed logins. I find if you set this to 3 failures over a 10 minute period, the lockout period usually puts a stop to any repeated attempts by that IP address.
It doesn’t help when every attempt is a different IP.
No firewall can block an IP address until it either a) attempts to login using a blacklisted username or b) it breaks the firewall rules by the specified number of failed login attempts in the specified period of time.
It’s great that you have have resolved this issue by installing the WordPress Simple Firewall, but my point is that the Wordfence firewall when set up correctly offers the same functionality.
Similar problem started late yesterday. Had Wordfence set to send email notifications on attempted login with invalid user name. Hundreds of attempts with same invalid user name, all from different IP’s. Wordfence sent the email notifications as it was set to do. Hundreds of them in a short period of time. Triggered Network Solutions to suspend the hosting package due to too many emails from FormMail script. Currently trying to get site reactivated, very slow and frustrating process with Network Solutions. Plugin did what it was supposed to, Network Solutions does not differentiate or notify prior. Ironic that a security protection ended up causing a problem. Would be better if hosting provider appreciated our use of the Wordfence security plug-in and differentiate, so as to allow an adjustment to the plugin options before shutting down a hosting package with many sites. Just my opinion, I could be wrong.
So Wordfence will completely shut down the login preventing anyone from even being able to access it except for me? I don’t think they offer that protection do they? Even the htaccess hacks were not working for me, where only my IP can access the login/admin.
The attempts triggered Wordfence to send notification emails to me, as I had it set to do that. Unfortunately, there were hundreds of attempts using a blank user name each one from a different IP address. To Wordfence they were all different attempts. Wordfence did what it was supposed to and sent an email notification, hundreds of them. Our host then shut down the entire hosting package stating that it was due too many emails from a formmail script. That being the Wordfence security plugin. Although, the host does not help identify the problem in any way, nor did they give any warning. Site still down until they review my request to reactivate after deleting Wordfence. Only way I can access is by FTP. Short answer though, Wordfence does not have that capability.
CBFSHC, there’s an option to turn that off in options (notifications.) I had to after a while and just monitored the live view logins. I was getting an email every 30 seconds, if I had kept it on I would still be getting them, 24 hours later.
The “test” username and blank username was turned into my domain name, so it looks like real bot attack and not just weird errors in any case.
Thanks for the info. When I regain access I will uncheck that option.
Can you explain further -The “test” username and blank username was turned into my domain name-. They changed your domain name? Did they gain access to your site?
I received over 515 notifications in less than 30 minutes from Wordfence. It seems shortly after that the Host shut the site down.
I meant they used the name of my domain as the username to try to login, not that they changed it. I really recommend using Wordfence to continue monitoring your site (I’ve been using it for well over a year) in addition to the WordPress Simple Firewall (not affiliated) both have helped with monitoring and protecting against bots.
Thanks for the advice, I will look into WSF also. Do you still use the Firewall in Wordfence along with WSF?
Yes, I use both together including the Firewall options in WF.
Aptharsia, everything was reactivated earlier this morning. I have looked at and installed WSF on our test site. Your advice on setup of WSF with Wordfence and your thoughts on Wordfence Firewall parameters will be greatly appreciated. Thanks for the tip!
It’s something you’ll have to play with the settings with for both, different sites have different needs. With WSF I’m using the Login Protection but when a bot attack happens I turn on the Firewall. I have a lot of users that require using the wp-login so when the Firewall is turned on in WSF no one but me can login (approval by IP address.)
Thanks – appreciate the info!
