WordPress.org

Support

Support » Plugins and Hacks » Wordfence Security » Ddos login attempts using username ''

Ddos login attempts using username ''

  • Yes that is a blank user name in single quotes and no way to block it using the common names comma separated string. Tried using a double comma in the string but it was edited out. Login attempts are coming hot and heavy forcing me to shut down the site since I cannot access it or login to the back end. Below is an example email from an attempted login.

    A user with IP address 200.77.208.178 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username ” to try to sign in.
    User IP: 200.77.208.178
    User hostname: 200.77.208.178.cable.dyn.cableonline.com.mx

    Any help blocking this is greatly appreciated.

    https://wordpress.org/plugins/wordfence/

Viewing 10 replies - 1 through 10 (of 10 total)
  • I can log in to the site after briefly taking it offline, but have no current fix. Once the common culprits like admin and administrator were eliminated, the attack moved on to the blank user login attempt. There are enough login attempts to slow or stop the site and has been ongoing for the past 2 days

    Matt

    @mattbaconmgroup

    If their attempts are coming from similar IPs/the same hostname, you can try adding a rule/rules in your .htaccess

    http://www.inmotionhosting.com/support/website/security/block-unwanted-users-from-your-site-using-htaccess

    If it looks to be multiple people/groups this won’t be as good a solution, but should help against repeat offenders

    I’m having a similar issue. A botnet is attempting log-ins with empty usernames. So far, over 1800 in the last 12 hours, all from different IPs. The problem is that even though I have maximum emails per hour set to 1, and I have added .htpasswd to wp-login.php, WordFence keeps sending an email every time another bot fails to log in as ”.

    I would like wordfence to automatically add these ips to the deny list but there is no way to add a blank user name to the list, or just default deny the user name, preferably, both

    Agreed. Also, I’m not sure why .htpasswd isn’t keeping the bots at bay. Are they hitting a different URL than wp-login.php to trigger the Wordfence alerts?

    Same issue on my site – this has been ongoing from about the last 7 days. One way I was able (I think) to partially resolve is by blocking all foreign IP addresses (we do all of our business with North American companies so blocking foreign traffic is not a concern for us at all).

    This is just a very constant stream of attempted logins and so far it’s only impacting one of our sites.

    Performance has not yet been impacted and I can login and modify the site as needed. I am having wordfence auto ban any IP that attempts to login with a non-existent name. The issue is that every login is using a unique IP so this is not a super effective means to stop the problem.

    The only semi-answer I’ve found is blocking foreign IPs and so far that has done nothing to reduce the amount of North American attemps.

    Update: They are attempting to log in via xmlrpc.php, not wp-login.php (check your apache access logs).

    Too bad some of these ISPs don’t work a deal with Wordfence to get a list of the IP addresses that have been auto-banned from login. Surely that list would be 99.9% compromised mom and pop computers that should be taken off the Internet.

    As I’ve posted in other threads, I usually resort to using .htaccess to only allow access to wp-login.php from a few trusted IP addresses.

    As for the xmlrpc.php attack, that’s not a login attempt. It’s more of a DDoS. Lots of hits from Google on the issue. For this you can:
    1) If you need trackbacks and ping backs enabled, then check your access logs for the UserAgent hitting xmlrpc. It’s probably not a mainstream (or even valid) user agent you can block via Wordfence’s Advanced Blocking feature.
    2) If you don’t need trackback and ping, use .htaccess to deny access to xmlrpc.

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘Ddos login attempts using username ''’ is closed to new replies.
Skip to toolbar