• Yes that is a blank user name in single quotes and no way to block it using the common names comma separated string. Tried using a double comma in the string but it was edited out. Login attempts are coming hot and heavy forcing me to shut down the site since I cannot access it or login to the back end. Below is an example email from an attempted login.

    A user with IP address 200.77.208.178 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username '' to try to sign in.
    User IP: 200.77.208.178
    User hostname: 200.77.208.178.cable.dyn.cableonline.com.mx

    Any help blocking this is greatly appreciated.

    https://wordpress.org/plugins/wordfence/

Viewing 10 replies - 1 through 10 (of 10 total)
  • Thread Starter webdevvt

    (@webdevvt)

    I can log in to the site after briefly taking it offline, but have no current fix. Once the common culprits like admin and administrator were eliminated, the attack moved on to the blank user login attempt. There are enough login attempts to slow or stop the site, and this has been ongoing for the past 2 days.

    Matt

    (@mattbaconmgroup)

    If their attempts are coming from similar IPs/the same hostname, you can try adding a rule/rules in your .htaccess

    http://www.inmotionhosting.com/support/website/security/block-unwanted-users-from-your-site-using-htaccess

    If it looks to be multiple people/groups this won’t be as good a solution, but should help against repeat offenders

    I’m having a similar issue. A botnet is attempting log-ins with empty usernames. So far, over 1800 in the last 12 hours, all from different IPs. The problem is that even though I have maximum emails per hour set to 1, and I have added .htpasswd to wp-login.php, Wordfence keeps sending an email every time another bot fails to log in as ''.

    Thread Starter webdevvt

    (@webdevvt)

    I would like Wordfence to automatically add these IPs to the deny list, but there is no way to add a blank user name to the list, or just default deny the user name; preferably, both.

    Agreed. Also, I’m not sure why .htpasswd isn’t keeping the bots at bay. Are they hitting a different URL than wp-login.php to trigger the Wordfence alerts?

    Same issue on my site – this has been ongoing from about the last 7 days. One way I was able (I think) to partially resolve is by blocking all foreign IP addresses (we do all of our business with North American companies so blocking foreign traffic is not a concern for us at all).

    This is just a very constant stream of attempted logins and so far it’s only impacting one of our sites.

    Performance has not yet been impacted and I can log in and modify the site as needed. I am having Wordfence auto ban any IP that attempts to log in with a non-existent name. The issue is that every login is using a unique IP so this is not a super effective means to stop the problem.

    The only semi-answer I’ve found is blocking foreign IPs and so far that has done nothing to reduce the amount of North American attempts.

    Update: They are attempting to log in via xmlrpc.php, not wp-login.php (check your apache access logs).

    Too bad some of these ISPs don’t work a deal with Wordfence to get a list of the IP addresses that have been auto-banned from login. Surely that list would be 99.9% compromised mom and pop computers that should be taken off the Internet.

    As I’ve posted in other threads, I usually resort to using .htaccess to only allow access to wp-login.php from a few trusted IP addresses.

    As for the xmlrpc.php attack, that’s not a login attempt. It’s more of a DDoS. Lots of hits from Google on the issue. For this you can:
    1) If you need trackbacks and ping backs enabled, then check your access logs for the UserAgent hitting xmlrpc. It’s probably not a mainstream (or even valid) user agent you can block via Wordfence’s Advanced Blocking feature.
    2) If you don’t need trackback and ping, use .htaccess to deny access to xmlrpc.
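
The access-log check suggested in the replies above (which endpoint the attempts hit, and with which user agent), as an added example that is not part of the original thread. It assumes Apache's combined log format; the sample lines, IP addresses and the `ExampleBot` agent string are constructed.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format:
# ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
WATCHED = ("/xmlrpc.php", "/wp-login.php")

# Constructed sample lines (documentation-range IPs), not taken from the thread.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "ExampleBot/0.1"
198.51.100.7 - - [01/Jan/2016:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "ExampleBot/0.1"
192.0.2.44 - - [01/Jan/2016:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
203.0.113.10 - - [01/Jan/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2810 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.99 - - [01/Jan/2016:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [01/Jan/2016:10:00:06 +0000] "POST /xmlrpc.php?x=1 HTTP/1.1" 200 370 "-" "ExampleBot/0.1"
"""


def summarize(log_text):
    """Count POSTs per watched endpoint, grouped by user agent, plus distinct source IPs."""
    hits = defaultdict(Counter)
    ips = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or not a login/XML-RPC submission
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path not in WATCHED:
            continue
        hits[path][m["agent"]] += 1
        ips[path].add(m["ip"])
    return {p: {"agents": dict(hits[p]), "distinct_ips": len(ips[p])} for p in hits}


if __name__ == "__main__":
    for path, info in summarize(SAMPLE_LOG).items():
        print(path, "distinct IPs:", info["distinct_ips"])
        for agent, count in sorted(info["agents"].items(), key=lambda kv: -kv[1]):
            print(f"  {count:5d}  {agent!r}")
```

A user agent that dominates the xmlrpc.php counts while coming from many distinct IPs is the candidate for the user-agent block described in option 1 above.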

  • The topic ‘Ddos login attempts using username ''’ is closed to new replies.