• I setup a basic WordPress website for my nephew using my web hosting service. It’s a one page partially created webpage that was just sitting around for three years unfinished. Last week I started receiving emails that different IP locations were being locked for trying to log into the WordPress admin page. I spoke with my nephew and it wasn’t him. Out of curiosity I logged in. I changed the password to something really strong, added 2FA and increased the time out period & the number of allowable attempts. I then started to receive even more emails by the hour or so about additional login attempts. I then decided to change the admin login url ending in wp-admin to something very unique. I also used my hosting service to password protected access to the new admin login website with a completely new username and password. Therefore, anyone trying to access the WordPress admin login page would first have to gain access to a secondary login screen. I thought that those bots or human hackers will sure get a surprise the next time they try to hack in. The one getting a big surprise was me because I continued to receive emails of brute force login lockout attempts. I uninstalled the Limit Login Attempts Reloaded plugin and used a different WordPress plugin with the same features that contained 2FA. I further removed my host’s secondary password protection for the admin WordPress login page and waited. I stopped receiving any login lockout attempt emails. No activity of failed login attempts showed when I logged into WordPress. So now you may be wondering that maybe this just proves that the new plugin isn’t capturing the login lockout attempts. Well, I logged into my webhost and the traffic showed zero. While a can’t with 100% prove that Limit Login Attempts Reloaded is committing fraud, it sure looks like it from my experience. I believe that Limit Login Attempts Reloaded appears to be trying to scare users into upgrading to their paid plan. Others have noted this in this review section only to be quickly dismissed. I hope that somehow I am wrong, because the management of Limit Login Attempts Reloaded should be ashamed of themselves and I hope that others have the time to document and sue this organization.

    • This topic was modified 1 year, 2 months ago by adamsmith8.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author WPChef


    Hi adamsmith,

    Thank you for your detailed review. We are sorry for the trouble you have encountered and we’d like to respond in order to help you and other readers better understand what is happening.

    First, we recommend you read this article that can explain some of the issues you are having in regards to suspicious failed login attempts.

    We advise that you analyze your raw web logs to fully understand your traffic. They will contain all requests to your web server. Contact your web hosting provider if you don’t know how to obtain them. We don’t know which tracking software you are using, but it’s very likely it omits bots.

    Regarding your login page, have you considered the bots could be attacking xmlrpc.php? It can’t be accessed from another origin, but bots can parse the site to find it or guess it if it’s something simple like “/admin”.

    We cannot tell you what this other plugin is doing. They might not be tracking the attempts as thoroughly as we do or they just don’t send alerts the same way. What we can tell you is that our plugin strictly follows the WordPress development codex, which forbids tracking websites without explicit consent of the site’s owner. That’s why we never ask for a domain name anywhere. Our plugin is open source and you should feel free to examine the code.

    Thread Starter adamsmith8


    Thank you for the reply. I will examine your code. I just disabled xmlroc.php. That is a good recommendation to disable and later enable it if you need remote access. I’m not going to advertise for another plugin. The one that I replaced your plugin with does show generic attacks mostly using usernames admin or Admin. But these appear to be one time pings that don’t trigger a three tries lockdown. I had this other plugin in use while I was also using yours, but I only using its 2FA. However, it did record the login attempts by username, IP, and date while I used yours as the primary. It was interesting that during the period that I had your plugin installed, the login attempts were mostly using my exact username. After I uninstalled your plugin three days ago, my exact username attempts have not been repeated. Unfortunately, we live in a world of mistrust because others scam others. I hope that I am completely off base concerning your plugin or that maybe your system has a false positive glitch. On the positive side, this experience is a good fire drill even if it was only for a one page irrelevant wp website that can be easily replaced with an archived backup.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Fake brute force login lockout attempts’ is closed to new replies.