WordPress.org

Forums

Wordfence Security
Ddos login attempts using username '' (11 posts)

  1. webdevvt
    Member
    Posted 1 year ago #

    Yes that is a blank user name in single quotes and no way to block it using the common names comma separated string. Tried using a double comma in the string but it was edited out. Login attempts are coming hot and heavy forcing me to shut down the site since I cannot access it or login to the back end. Below is an example email from an attempted login.

    A user with IP address 200.77.208.178 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username '' to try to sign in.
    User IP: 200.77.208.178
    User hostname: 200.77.208.178.cable.dyn.cableonline.com.mx

    Any help blocking this is greatly appreciated.

    https://wordpress.org/plugins/wordfence/

  2. webdevvt
    Member
    Posted 1 year ago #

    I can log in to the site after briefly taking it offline, but have no current fix. Once the common culprits like admin and administrator were eliminated, the attack moved on to the blank user login attempt. There are enough login attempts to slow or stop the site and has been ongoing for the past 2 days

  3. Matt
    Member
    Posted 1 year ago #

    If their attempts are coming from similar IPs/the same hostname, you can try adding a rule/rules in your .htaccess

    http://www.inmotionhosting.com/support/website/security/block-unwanted-users-from-your-site-using-htaccess

    If it looks to be multiple people/groups this won't be as good a solution, but should help against repeat offenders

  4. Fred
    Member
    Posted 1 year ago #

    I'm having a similar issue. A botnet is attempting log-ins with empty usernames. So far, over 1800 in the last 12 hours, all from different IPs. The problem is that even though I have maximum emails per hour set to 1, and I have added .htpasswd to wp-login.php, WordFence keeps sending an email every time another bot fails to log in as ''.

  5. webdevvt
    Member
    Posted 1 year ago #

    I would like wordfence to automatically add these ips to the deny list but there is no way to add a blank user name to the list, or just default deny the user name, preferably, both

  6. Fred
    Member
    Posted 1 year ago #

    Agreed. Also, I'm not sure why .htpasswd isn't keeping the bots at bay. Are they hitting a different URL than wp-login.php to trigger the Wordfence alerts?

  7. mas90guru
    Member
    Posted 1 year ago #

    Same issue on my site - this has been ongoing from about the last 7 days. One way I was able (I think) to partially resolve is by blocking all foreign IP addresses (we do all of our business with North American companies so blocking foreign traffic is not a concern for us at all).

    This is just a very constant stream of attempted logins and so far it's only impacting one of our sites.

    Performance has not yet been impacted and I can login and modify the site as needed. I am having wordfence auto ban any IP that attempts to login with a non-existent name. The issue is that every login is using a unique IP so this is not a super effective means to stop the problem.

    The only semi-answer I've found is blocking foreign IPs and so far that has done nothing to reduce the amount of North American attemps.

  8. Fred
    Member
    Posted 1 year ago #

    Update: They are attempting to log in via xmlrpc.php, not wp-login.php (check your apache access logs).

  9. mas90guru
    Member
    Posted 1 year ago #

    Too bad some of these ISPs don't work a deal with Wordfence to get a list of the IP addresses that have been auto-banned from login. Surely that list would be 99.9% compromised mom and pop computers that should be taken off the Internet.

  10. Fred
    Member
    Posted 1 year ago #

  11. sdayman
    Member
    Posted 1 year ago #

    As I've posted in other threads, I usually resort to using .htaccess to only allow access to wp-login.php from a few trusted IP addresses.

    As for the xmlrpc.php attack, that's not a login attempt. It's more of a DDoS. Lots of hits from Google on the issue. For this you can:
    1) If you need trackbacks and ping backs enabled, then check your access logs for the UserAgent hitting xmlrpc. It's probably not a mainstream (or even valid) user agent you can block via Wordfence's Advanced Blocking feature.
    2) If you don't need trackback and ping, use .htaccess to deny access to xmlrpc.

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • Wordfence Security
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic

Tags

No tags yet.