Hi Lina,
There are a couple of things to note here.
1) Regarding the login attempts, you didn’t mention whether you’ve hidden the login page. If not, then you should try activating the Rename Login Page feature.
Also, to stop bots from trying to brute-force account logins via the xmlrpc.php file, you could block access to this file via the firewall rules, but that depends on whether you are using plugins which require xmlrpc or not.
2) Regarding your admin username – there are ways to retrieve usernames quite easily.
One such way might be that they are using the WP REST API as follows:
curl -i https://yoursite.com/wp-json/wp/v2/users
You could disable the REST access via the Miscellaneous >> WP REST API tab.
But beware that if you are using other plugins which require the REST API (e.g. Contact Form 7), then this might break some of that functionality.
I wouldn’t be as worried about your username being exposed as I would be about a weak password.
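To see on your own site the two exposures the reply above describes (the REST users endpoint listing usernames, and xmlrpc.php still answering method calls), here is an added check script. It is not code from the plugin or from the original post. It assumes curl is installed and that the URL you pass is a site you are authorised to test; the response-classification functions are kept separate from the network calls so they can also be run against saved responses, and the sample responses used below are constructed.

```shell
#!/bin/sh
# Check a WordPress site for the two exposures discussed above: username
# enumeration through GET /wp-json/wp/v2/users, and an xmlrpc.php that still
# answers method calls (the channel used for login brute force).
# Added example, not code from the plugin or the forum post. Assumes curl is
# installed and that the site URL given as the first argument is one you are
# authorised to test.

# Classify the answer to GET /wp-json/wp/v2/users. On HTTP 200 it prints one
# "slug" per line; the slug is user_nicename, which WordPress derives from the
# login name unless the user changed it. Any other status is reported as not exposed.
rest_users_state() {
    rest_status="$1"
    rest_body="$2"
    if [ "$rest_status" = "200" ]; then
        printf '%s\n' "$rest_body" \
            | grep -o '"slug" *: *"[^"]*"' \
            | sed 's/.*"\([^"]*\)"$/\1/'
    else
        echo "not exposed (HTTP $rest_status)"
    fi
}

# Classify the answer to an XML-RPC system.listMethods call. An open endpoint
# returns a <methodResponse> listing the available methods; wp.getUsersBlogs is
# the one that takes a username and password, so its presence means credential
# guessing through xmlrpc.php is possible.
xmlrpc_state() {
    xr_status="$1"
    xr_body="$2"
    case "$xr_body" in
        *'<methodResponse>'*'wp.getUsersBlogs'*)
            echo "open: wp.getUsersBlogs is callable" ;;
        *'<methodResponse>'*)
            echo "answering (HTTP $xr_status) but wp.getUsersBlogs not listed" ;;
        *)
            echo "blocked (HTTP $xr_status)" ;;
    esac
}

# Fetch both endpoints from a live site and print the classification of each.
check_site() {
    site="${1%/}"   # strip a trailing slash so the paths below join cleanly
    tmp_body=$(mktemp)

    users_status=$(curl -s -o "$tmp_body" -w '%{http_code}' "$site/wp-json/wp/v2/users")
    echo "REST users endpoint:"
    rest_users_state "$users_status" "$(cat "$tmp_body")"

    list_methods='<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params></params></methodCall>'
    xmlrpc_status=$(curl -s -o "$tmp_body" -w '%{http_code}' \
        -H 'Content-Type: text/xml' --data "$list_methods" "$site/xmlrpc.php")
    echo "xmlrpc.php:"
    xmlrpc_state "$xmlrpc_status" "$(cat "$tmp_body")"

    rm -f "$tmp_body"
}

if [ $# -ge 1 ]; then
    check_site "$1"
fi
```

Run it as `sh check-wp-exposure.sh https://yoursite.com` (file name assumed). After turning on the plugin's REST API and xmlrpc.php blocking, re-run it: the users endpoint should report "not exposed" and xmlrpc.php "blocked". Note that since WordPress 4.7.1 the unauthenticated users endpoint only lists users who have published posts, so an empty list under HTTP 200 still means the endpoint itself is reachable.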
Thread Starter: Lina (@jumbureto)
Hello, and thank you for the advice!
1 - No, I haven’t hidden the login page, and I would like to.
I’m not sure yet if I can. Yesterday, the hosting provider confirmed that they don’t use WPEngine, nor cache the website on any server. Is that enough?
I downloaded the full latest version of the website from the host’s FTP, only it is indicated there that I cannot use this folder to recover the website from. So I’m in the phase where I would first like to properly back up the website before activating that feature.
2 - If bots are trying to brute-force account logins via the xmlrpc.php file, are those the login attempts which do not have a username in the records? I have a lot of failed-login records with [login] = empty.
I would like to block access to this file via the firewall rules, but I do not know whether I use plugins which require xmlrpc or not. Could you advise me how to check if they do?
3 - Indeed, that link https://mysite.com/wp-json/wp/v2/users shows everything 🙁
I did want to disable the REST access via the Miscellaneous >> WP REST API tab.
And again, I do not know if other plugins which require the REST API are being used.
I do not use “Contact Form 7” for now – I should definitely keep that in mind for future development of the website. Could you also advise me how to check if the installed plugins do?
And YES, we have a strong password. Checked with your plugin’s tool – it says something about millions of years being needed to crack it 🙂
Thank you again, and I hope to hear from you again!
BR,
Lina
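The post above asks twice how to tell whether the installed plugins need xmlrpc.php or the REST API before blocking either. As an added example (not code from the plugin or from either post), the following scan greps a copy of wp-content/plugins for the calls a plugin makes when it uses either interface. The directory argument, the pattern lists and the sample plugin files used to exercise it are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Find which installed plugins depend on the WP REST API or on XML-RPC, so you
# know what would break before disabling REST access or blocking xmlrpc.php
# with the firewall rules. Added example, not code from the plugin or the forum
# thread. Assumes the first argument is the path to a wp-content/plugins
# directory (a local copy from the host's FTP works; the files are not executed).

# Calls a plugin makes when it registers or uses REST routes: register_rest_route,
# rest_url(), the /wp-json/ prefix, or the wp-api client script handles.
REST_PATTERN='register_rest_route|rest_url\(|wp-json|wp-api'
# Signs a plugin registers XML-RPC methods, touches the xmlrpc_enabled filter,
# or talks to xmlrpc.php through the IXR client bundled with WordPress.
XMLRPC_PATTERN='xmlrpc_methods|xmlrpc_enabled|xmlrpc\.php|IXR_Client'

# Print the plugin folders (or single-file plugins) under $1 that contain a
# .php file matching the extended regex in $2, one per line, de-duplicated.
# Only .php files are searched, so a readme that merely mentions the API is ignored.
plugins_matching() {
    (
        cd "$1" || exit 1
        grep -rlE --include='*.php' "$2" . | cut -d/ -f2 | sort -u
    )
}

plugins_using_rest()   { plugins_matching "$1" "$REST_PATTERN"; }
plugins_using_xmlrpc() { plugins_matching "$1" "$XMLRPC_PATTERN"; }

if [ $# -ge 1 ]; then
    echo "Plugins that use the REST API (disabling REST may break these):"
    plugins_using_rest "$1"
    echo
    echo "Plugins that use XML-RPC (blocking xmlrpc.php may break these):"
    plugins_using_xmlrpc "$1"
fi
```

Run it as `sh scan-plugin-deps.sh /path/to/wp-content/plugins` (file name assumed). A hit only means the plugin's code mentions the interface; drop the `-l` from the grep and read the matching lines to confirm it actually needs it, and run the same scan over wp-content/themes and wp-content/mu-plugins, since a theme can register REST routes too. The REST case is worth a second look: a plugin that only registers its own routes is not affected by blocking the users endpoint, but is affected by disabling REST access wholesale.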