Title: Brute Force attack? Last modified: August 22, 2016 --- # Brute Force attack? * Resolved [FrankBukowski](https://wordpress.org/support/users/frankbukowski/) * (@frankbukowski) * [11 years, 6 months ago](https://wordpress.org/support/topic/brute-force-attack-7/) * Hi I run the free Wordfence, and I also have the Sucuri plugin. Over the last few days the Sucuri plugin has been alerting me to multiple failed login attempts. Typically I’ll get a dozen failed logins all at the same time (e.g. 7.52pm), but they’re all from different IP addresses, from different locations around the world. But when I look in the blocked IPs page of Wordfence, they’re not showing up in IPs that are blocked, locked out or throttled. Short of copying every individual IP address from the 100 or so that Sucuri says have tried and failed to login, and pasting them one at a time into the ‘Manually Block’ box on Wordfence, can anyone advise on a better solution? Thanks * [https://wordpress.org/plugins/wordfence/](https://wordpress.org/plugins/wordfence/) Viewing 11 replies - 1 through 11 (of 11 total) * [WFSupport](https://wordpress.org/support/users/wfsupport/) * (@wfsupport) * [11 years, 6 months ago](https://wordpress.org/support/topic/brute-force-attack-7/#post-5444423) * Hi * What function is Sucuri providing? If they are providing firewall functionality, they might be blocking them from showing up because they act as a go between between your site and the internet. * tim * Thread Starter [FrankBukowski](https://wordpress.org/support/users/frankbukowski/) * (@frankbukowski) * [11 years, 6 months ago](https://wordpress.org/support/topic/brute-force-attack-7/#post-5444458) * Hi Tim I use Wordfence as my main security plugin, including the Wordfence firewall. I installed Sucuri just as a backup ‘monitoring’ plugin, as it has a Malware scanner and a few other ways of alerting you when someone is trying to get in to your site. But I don’t use their firewall. Cheers Frank * [WFSupport](https://wordpress.org/support/users/wfsupport/) * (@wfsupport) * [11 years, 6 months ago](https://wordpress.org/support/topic/brute-force-attack-7/#post-5444470) * I’ve got their monitoring plugin on a site I started managing, along with Wordfence. I’ll take a look and see if I see the same behavior. I’ve never really paid that close of attention before since they seem to both be doing their job. Interesting. * tim * Thread Starter [FrankBukowski](https://wordpress.org/support/users/frankbukowski/) * (@frankbukowski) * [11 years, 6 months ago](https://wordpress.org/support/topic/brute-force-attack-7/#post-5444563) * Cheers Tim * The Sucuri author got back to say the ‘same time’ alerts could be due to my host server saving them up and sending them through in packets, which sounds about right. * However, in the two days since I posted, I’ve had about another 150 alerts of failed login attempts from Sucuri. Because I’ve set Sucuri to only warn me of 5 alerts max per hour, I only get 5 an hour, but it’s clear if I took that setting off I’d be getting fifty or sixty an hour, as they’re timed every few minutes. * The scary thing is they all come from different IP addresses, and there doesn’t seenm to be much pattern to the ‘ranges’ of the addresses either, which makes it almost impossible to manually block them all. Feels like someone’s infected a bunch of computers and is using them to target me, but as I say I’m no expert. * I’ve also had two Wordfence alerts in the last couple of days saying someone had triggered my set number of login failures, so it seems like someone is trying hard to hack my site. God knows why, there’s nothing really of value in it. * THE WORDFENCE ALERTS I GOT WERE: * A user with IP address 23.253.90.79 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: *. The last username they tried to sign in with was: ” User IP: 23.253.90.79 * A user with IP address 166.78.169.147 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: *. The last username they tried to sign in with was: ” User IP: 166.78.169.147 * AND THE SUCURI ALERTS WITH IP ADDRESSES, JUST FROM TODAY SO FAR, ARE BELOW: * Any ideas or suggestions would be much appreciated. * Cheers * Frank * Sucuri Failed login alerts received November 5, from midnight up until 4.32pm: * November 5, 2014 12:43 am IP Address: 36.75.54.16 November 5, 2014 12:43 am IP Address: 79.180.112.114 November 5, 2014 12:50 am IP Address: 175.195.10.157 November 5, 2014 12:52 am IP Address: 145.2.231.243 November 5, 2014 12:58 am IP Address: 199.180.114.226 November 5, 2014 2:00 am IP Address: 121.188.127.170 November 5, 2014 2:02 am IP Address: 82.33.1.94 November 5, 2014 2:15 am IP Address: 96.43.177.52 November 5, 2014 2:17 am IP Address: 112.217.227.226 November 5, 2014 2:21 am IP Address: 121.58.237.34 November 5, 2014 3:24 am IP Address: 61.214.204.157 November 5, 2014 3:33 am IP Address: 1.9.152.236 November 5, 2014 3:49 am IP Address: 210.195.218.244 November 5, 2014 3:52 am IP Address: 109.65.9.37 November 5, 2014 3:54 am IP Address: 175.140.246.73 November 5, 2014 4:55 am IP Address: 41.251.157.91 November 5, 2014 5:11 am IP Address: 37.76.205.90 November 5, 2014 5:13 am IP Address: 124.105.43.181 November 5, 2014 5:14 am IP Address: 223.25.16.199 November 5, 2014 5:17 am IP Address: 129.93.64.96 November 5, 2014 6:39 am IP Address: 180.250.68.234 November 5, 2014 6:43 am IP Address: 41.251.157.91 November 5, 2014 6:55 am IP Address: 41.100.254.104 November 5, 2014 7:08 am IP Address: 213.204.101.37 November 5, 2014 7:11 am IP Address: 122.128.233.223 November 5, 2014 8:13 am IP Address: 87.68.38.212 November 5, 2014 8:19 am IP Address: 182.183.161.162 November 5, 2014 8:23 am IP Address: 112.198.36.9 November 5, 2014 8:28 am IP Address: 194.224.254.178 November 5, 2014 8:33 am IP Address: 85.65.3.186 November 5, 2014 9:36 am IP Address: 119.47.90.35 November 5, 2014 9:51 am IP Address: 37.48.87.44 November 5, 2014 9:54 am IP Address: 1.9.152.236 November 5, 2014 9:58 am IP Address: 91.105.23.211 November 5, 2014 10:03 am IP Address: 181.188.64.42 November 5, 2014 11:03 am IP Address: 197.148.1.37 November 5, 2014 11:11 am IP Address: 86.124.13.252 November 5, 2014 11:15 am IP Address: 129.93.64.96 November 5, 2014 11:18 am IP Address: 120.28.125.3 November 5, 2014 11:18 am IP Address: 109.77.87.176 November 5, 2014 12:22 pm IP Address: 1.236.157.117 November 5, 2014 12:23 pm IP Address: 219.92.251.70 November 5, 2014 12:25 pm IP Address: 78.8.143.158 November 5, 2014 12:28 pm IP Address: 213.198.212.36 November 5, 2014 12:34 pm IP Address: 151.236.247.200 November 5, 2014 1:43 pm IP Address: 126.74.214.170 November 5, 2014 1:43 pm IP Address: 78.157.1.218 November 5, 2014 1:44 pm IP Address: 46.117.111.30 November 5, 2014 1:47 pm IP Address: 213.8.41.250 November 5, 2014 1:53 pm IP Address: 176.106.203.177 November 5, 2014 2:55 pm IP Address: 78.30.191.224 November 5, 2014 3:03 pm IP Address: 175.205.12.9 November 5, 2014 3:06 pm IP Address: 79.180.165.165 November 5, 2014 3:08 pm IP Address: 79.46.59.129 November 5, 2014 3:15 pm IP Address: 41.218.113.146 November 5, 2014 4:19 pm IP Address: 88.132.159.6 November 5, 2014 4:19 pm IP Address: 77.127.222.129 November 5, 2014 4:28 pm IP Address: 121.58.237.34 November 5, 2014 4:27 pm IP Address: 207.86.232.19 November 5, 2014 4:32 pm IP Address: 82.192.41.227 * Thread Starter [FrankBukowski](https://wordpress.org/support/users/frankbukowski/) * (@frankbukowski) * [11 years, 6 months ago](https://wordpress.org/support/topic/brute-force-attack-7/#post-5444564) * Oh yeah and the Sucuri author said it may be a Sucuri bug and he’d look into it and get back to me. * Also, I get the occasional warning from Sucuri that files have been modified, often it’s just my caching plugin doing stuff. But I noticed it said the following wordfence related files had been modified at 9.44am this morning. Would that have been my caching plugin too? * wp-content/plugins/wordfence/js/admin.js (old size: 67935; new size: 69472) wp-content/plugins/wordfence/lib/menu_options.php (old size: 49808; new size: 50637) wp-content/plugins/wordfence/lib/wfConfig.php wp-content/plugins/wordfence/ lib/wordfenceClass.php wp-content/plugins/wordfence/lib/wordfenceConstants.php wp-content/plugins/wordfence/wordfence.php wp-content/wfcache/www.frankbukowski. com_/~~~~_wfcache.html * [WFSupport](https://wordpress.org/support/users/wfsupport/) * (@wfsupport) * [11 years, 6 months ago](https://wordpress.org/support/topic/brute-force-attack-7/#post-5444595) * Most likely that was from our update. I’m not sure how they monitor files. We monitor against the official version in the wordpress repository. They may just be looking at if a file changed on your server. * tim * Thread Starter [FrankBukowski](https://wordpress.org/support/users/frankbukowski/) * (@frankbukowski) * [11 years, 6 months ago](https://wordpress.org/support/topic/brute-force-attack-7/#post-5444618) * Hi Tim * Thanks for reassuring me on the Wordfence update. * I have a quick question about the two-stage authentication, when signing up for the Premium version. The peace of mind it would give is obvious. But if I’m logging on to my wordpress site from my regular PC at home, with a fixed IP address, would it still require cell-phone login every time? That could become tiresome. Or does it have a setting that only requires cell-phone authentication if logging on from some other computer/location/ip address? * If it has that functionality I’d be really interested in signing up to the premium version. * Cheers * Frank * Plugin Author [Mark Maunder](https://wordpress.org/support/users/mmaunder/) * (@mmaunder) * [11 years, 6 months ago](https://wordpress.org/support/topic/brute-force-attack-7/#post-5444619) * You require cellphone auth every time you sign in unless you whitelist your IP address. However unless you’re sure you’re on a static IP address we don’t recommend doing this. * [http://docs.wordfence.com/en/Wordfence_options#Whitelisted_IP_addresses_that_bypass_all_rules](http://docs.wordfence.com/en/Wordfence_options#Whitelisted_IP_addresses_that_bypass_all_rules) * Regards, * Mark. * Thread Starter [FrankBukowski](https://wordpress.org/support/users/frankbukowski/) * (@frankbukowski) * [11 years, 6 months ago](https://wordpress.org/support/topic/brute-force-attack-7/#post-5444622) * Hi Mark * I know I’ve definitely got a static IP address as I pay my ISP extra for it. So I’ve already whitelisted it in my Wordfence settings. If that means I shouldn’t need cellphone author every time I sign in from this IP/computer, that’s cool. Thanks. * Frank * Plugin Author [Mark Maunder](https://wordpress.org/support/users/mmaunder/) * (@mmaunder) * [11 years, 6 months ago](https://wordpress.org/support/topic/brute-force-attack-7/#post-5444625) * You’re welcome. * Regards, * Mark. * [Domingo F](https://wordpress.org/support/users/domingo-f/) * (@domingo-f) * [11 years, 5 months ago](https://wordpress.org/support/topic/brute-force-attack-7/#post-5444640) * Hi , This is coming to my email frequently . * Subject: Failed Login Login Info: Time: 20 noviembre, 2014 14:35 Website Info: Site: [http://www](http://www). .com IP Address: 87.244.144.242 * Notification: User authentication failed: adminExplanation: Someone failed to login to your site. If you are getting too many of these messages, it is likely your site is under a brute force attack. You can disable the notifications for failed logins from here. More details at Password Guessing Brute Force Attacks. Viewing 11 replies - 1 through 11 (of 11 total) The topic ‘Brute Force attack?’ is closed to new replies. * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865) * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/) * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq) * [Support Threads](https://wordpress.org/support/plugin/wordfence/) * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/) ## Tags * [brute force attack](https://wordpress.org/support/topic-tag/brute-force-attack/) * 11 replies * 4 participants * Last reply from: [Domingo F](https://wordpress.org/support/users/domingo-f/) * Last activity: [11 years, 5 months ago](https://wordpress.org/support/topic/brute-force-attack-7/#post-5444640) * Status: resolved