
Rename wp-login.php (unmaintained)
[resolved] Failed After 1 Day (17 posts)

  1. AME Network
    Member
    Posted 10 months ago #

    Hi Janneke,

    Like many WP users, we're trying everything we can to stop brute force login attempts (we run a lot of WP sites). We were already using the Limit Login Attempts plugin, which helps but doesn't prevent these attacks, before finding yours. We tried your plugin on a couple of sites, where we cleared the previous login attempts list in LLA to 0. After one day having moved the login URL with your plugin, there have already been botnets that have found the new URL. VERY disappointing. Thought you would want to know.

    BTW, does anyone know how to *permanently* block IPs from any access?

    Thanks,

    AME Network

    https://wordpress.org/plugins/rename-wp-login/

  2. Ella Iseulde Van Dorpe
    Member
    Plugin Author

    Posted 10 months ago #

    Hi,

    Could you give a bit more information please? What are you renaming wp-login.php to? login? If so, of course they'll find it, many try login as it normally redirects to wp-login.php.

    If not, I'm up for investigating it on one of your sites.

    This plugin is installed on a website which had a few thousand attacks per month, and since then there's not been a single lockout from Limit Login Attempts.

  3. AME Network
    Member
    Posted 10 months ago #

    Of course we did not rename it to *login* -- that would be pretty dumb (even though that's what you have the default set to, so many might mistakenly think that is what you suggest). How do you propose to investigate? And, thanks for the quick response!

  4. AME Network
    Member
    Posted 10 months ago #

    Hi Janneke,

    To further test this, we installed your plugin on a third site yesterday that has had a lot of LLA lockouts. Nothing so far, and the two sites we mentioned each had one lockout right after the URL change. It might be that these occurred pretty much simultaneously with the change, and so showed up later in the LLA logs. We'll continue to monitor these sites this week and let you know if there are any more lockouts. Hopefully not, and that would be wonderful. BTW, we really would recommend that you change the default value in the URL switcher to something other than *login*.

    Thanks again.

    AME Network

  5. Ella Iseulde Van Dorpe
    Member
    Plugin Author

    Posted 10 months ago #

    Thanks for testing this. Do let me know!

    The default is 'login' because that's what most people want it to be. Usually people rename wp-login.php for aesthetic reasons, not because of attacks.

  6. AME Network
    Member
    Posted 10 months ago #

    You're welcome, and we'll keep you posted.

    Maybe you should include a simple instruction not to use 'login' if they want it to be more secure? Just a thought. Cheers!

  7. AME Network
    Member
    Posted 9 months ago #

    Hi Janneke,

    Well there's good news and not so good. The good is that two of the sites we're running your plugin on have not had further lockout activity. The not so good is that one of the sites has three new lockouts from the same source. How would you suggest we investigate this? Thanks.

    AME Network

  8. AME Network
    Member
    Posted 9 months ago #

    Ok, well thanks anyway. We'll report here if there are additional issues in any case. Take care.

    AME Network

  9. thenightrider
    Member
    Posted 7 months ago #

    I found and installed the plugin not for aesthetic reasons, but solely to try to prevent login attempts (which has been defeated - bummer - see my post "Failed After 13 Days"). Just a datapoint for your list of why people install your plugin. I'm slightly surprised that people would think that ../wp-login.php or ../wp-admin is so aesthetically unpleasant - because it's just another URL, but all of us have different aesthetic sensibilities. Maybe that's why you originally wrote the plugin? Best regards and thanks for the plugin.

  10. Ella Iseulde Van Dorpe
    Member
    Plugin Author

    Posted 6 months ago #

    I have no idea how to investigate this... If it's a redirect from somewhere else, then you'd see it in your logs... If it's directly accessed, I have no idea where the attacker could have found the URL.

  11. thenightrider
    Member
    Posted 6 months ago #

    It's possible that a hidden, but publicly accessible, "page of URLs" I was using off my server could have been discovered. The updated login URL was on that "page of URLs". A disturbing possibility, but I was stupidly relying on security by obscurity, so I deleted that page and that possibility. So far, after renaming the login URL again, it has not been discovered (or at least no login attempt has been made). Nothing proven yet, so we shall see.

  12. Ella Iseulde Van Dorpe
    Member
    Plugin Author

    Posted 6 months ago #

    Note that, if you leave xmlrpc enabled, attackers can still try to log in through that. It's up to the user to disable it or not, since it might be used by other plugins and applications.

  13. thenightrider
    Member
    Posted 6 months ago #

    Right, and there used to be a checkbox for XMLRPC until the core team took it away. So now what is the best way to see if it's on or off and to turn it off if it's on? I'm searching for plugins to do it, and have found several. Recommendations?

  14. thenightrider
    Member
    Posted 6 months ago #

    Also found a line for wp-config.php that supposedly will do it, but that comes with caveats. Any insights on this situation?

  15. Ella Iseulde Van Dorpe
    Member
    Plugin Author

    Posted 6 months ago #

    What do you mean by caveats?

  16. Ella Iseulde Van Dorpe
    Member
    Plugin Author

    Posted 6 months ago #

  17. thenightrider
    Member
    Posted 6 months ago #

    By caveats, I was referring to what http://www.blogaid.net/disable-xml-rpc-in-wordpress-to-prevent-ddos-attack was saying:

    "And, it disables XML-RPC completely, which may disturb third-party applications that use it. ..."

    I was thinking that if I don't care about working with a WP site other than through the standard interface, then those caveats *should* go away, but the article goes on to say:

    "There are several popular apps and plugins that make use of some part of the XML-RPC function. They are:
    ...
    JetPack (just some parts of it)
    LibSyn (for podcasts)
    BuddyPress
    Various photo gallery plugins"

    So I guess I'll have to do some testing.
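Editor's added example (not code from the Rename wp-login.php plugin nor from anyone in this thread) showing what "the line for wp-config.php" discussed in posts 12 to 17 actually does, and how to answer the "is it on or off" question from post 13 without installing another plugin. It is a must-use plugin: save it as `wp-content/mu-plugins/disable-xmlrpc.php` (the file name is my choice; any name in that directory loads automatically, before regular plugins). It assumes a stock WordPress install and uses only core filters (`xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers`) and the core `rsd_link` action.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (example mu-plugin)
 * Description: Added example for the forum thread, not part of Rename wp-login.php.
 *              Place in wp-content/mu-plugins/ so it is always active.
 */

// 1. Close the login path through xmlrpc.php.
//    Core evaluates this filter inside wp_xmlrpc_server::login(), so every
//    method that needs a username/password (wp.getUsersBlogs, wp.getPosts,
//    metaWeblog.*, ...) is refused before the password is checked. This is
//    the vector post 12 refers to: with wp-login.php renamed, xmlrpc.php is
//    still a place to try credentials unless this is in place.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. 'xmlrpc_enabled' only covers authenticated methods. pingback.ping needs
//    no login and is what the blogaid article calls the DDoS angle, so remove
//    it from the method table explicitly.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// 3. Stop advertising the endpoint: drop the X-Pingback response header and
//    the RSD <link rel="EditURI"> in <head> that points clients at xmlrpc.php.
//    (Hygiene only; it does not by itself block anything.)
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

To check the result from the server (post 13's question) without sending any login attempt, run `wp eval 'var_export( apply_filters( "xmlrpc_enabled", true ) );'` with WP-CLI; it prints `false` when step 1 is active and `true` on a site where nothing has disabled it. Two caveats match what the quoted article says: this is exactly the switch that breaks Jetpack, LibSyn and the other XML-RPC consumers it lists, because they log in through the same method; and `xmlrpc.php` itself still answers (unauthenticated calls such as `system.listMethods` keep working), so "disabling XML-RPC completely" in the article's sense means additionally denying requests to that file at the web server, which is a separate decision.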
