
iThemes Security (formerly Better WP Security)
How to ban admin logins? (25 posts)

  1. beeeerock
    Member
    Posted 2 years ago #

    I have modified my settings to eliminate the admin account. Of course the spammers out there don't know that and keep trying to find their way in via 'admin' login. Is there some way to automatically have the IP of an admin login attempt added to the ban list? I've got 1200 attempts in my logs in the last few days... so many I have to wonder if the login limit and lockout settings are working!

    http://wordpress.org/extend/plugins/better-wp-security/

  2. beeeerock
    Member
    Posted 2 years ago #

    No responses on this one... I'm starting to wonder if I'm just missing this in the config somewhere... is there any way to ban users in the same way you can ban IP's or hosts? I can't imagine there would be many cases where a user other than 'admin' should be banned... but it would be nice to have a toggle to automatically ban anyone attempting to log in as admin, if that user has been removed to increase security.

    Maybe I shouldn't worry about this? But it annoys me that my server is being bombarded with attempts for this non-existent user!

  3. beeeerock
    Member
    Posted 2 years ago #

    No response still...

    It would also be nice if the automated email stating a host has been locked out due to too many login attempts also included the login name within the message. That way I'd have an idea of whether a legit user is having trouble, or a parasite is trying to get into my admin account...

    But I'd still like the ability to add account names to a list and have anyone attempting them be banned immediately... and the ability to one-click add these users from the 'view logs' page. Then the spammy sign-ups could also be added to the list when you see them attempted later...

  4. darrencoen
    Member
    Posted 2 years ago #

    I wish I could help, but I found this thread looking for the same thing and thought I'd just chime in to say "you are not alone." I too am very surprised nobody has replied.

    I think I'll maybe donate to a security plugin and then encourage them to implement this type of thing. Now to just decide which.

  5. Handoko
    Member
    Posted 2 years ago #

    Hi all. I too wish I could help, but my knowledge is very limited. I think the author of this plugin is very busy; you can see there are too many unanswered questions on the support forum. Too many new questions appear every day, and while the author did try to answer, he is probably only a single person.

    For the attempts to login on the admin account, I personally ban manually all the IPs that frequently make failed login attempts. Not the best thing to do, but so far it really reduces the problem. So far, I now get about 1 attempt every several days.

  6. Star9
    Member
    Posted 2 years ago #

    You could use a plugin called Wordfence in addition to Better WP Activity. Wordfence has an option to automatically block invalid login attempts.

  7. Handoko
    Member
    Posted 2 years ago #

    I'm using Better WP Security only for protection; some said installing too many plugins can slow down your website's performance.

    So far, I'm happy with Better WP Security. It has a feature to automatically ban the IP of invalid login attempts if they reach a certain number, and we can adjust the threshold. But usually I will ban it manually; I have a list of banned IPs which I use for all of my sites.

  8. agljklcnvtx
    Member
    Posted 2 years ago #

    To test if the lockout is working, set up a test account, then try to login with a bad credential.

    Perhaps increasing the default time that the plugin remembers bad logins may help lockout users who are repeatedly hitting you.

    Smart hackers and their tools know how to spread out login attempts to defeat known security tools, so adjust your default time higher to see if you catch the offender.

    By "admin" login do you mean Wp-admin?
    You can hide the back-end login under the hide TAB.

    Just make sure to have a second account in case you get locked out.

    You may want to use complex and longer user names as well, such as bn6u8fwrd790.

    Yes, I agree it would be handy to know what user name an IP is trying to hit, some auto hack tools will run through quite a few variations though.

    I realize it is frustrating waiting for a response from the author. I am only chiming in as a way to "payback" the author for his free plugin.

  9. Handoko
    Member
    Posted 2 years ago #

    Smart hackers and their tools know how to spread out login attempts to defeat known security tools, so adjust your default time higher to see if you catch the offender.

    Yes, hackers become smarter. I notice the hackers now won't make their next attempt within a short period. They only repeat it after several days, sometimes a week.

    That's why I ban them manually. I log all the IPs that try to login to my site in a spreadsheet file and do my own analysis. If they try 3x or more then they're banned. The IPs in the list will be kept for 6 months. After that I will release the ban. If they are still trying, I will ban them f.o.r.e.v.e.r. I use the list for all the websites I build.

    Almost all the login attempts use the user name: admin. Hide back-end is not very useful now. Try it yourself on your website by typing:
    http://YourDomainHere/wp-login.php?loggedout=true

    For more information about the issue above, try this link:
    http://wordpress.org/support/topic/plugin-better-wp-security-bypass-to-login-hide-or-hide-backend

    The author is busy, I guess. We should share what we know to help each other.

  10. beeeerock
    Member
    Posted 2 years ago #

    I administer the site from another account - 'admin' was disabled a long time ago.

    In the last week, Better WP Security has logged over 2000 attempts to get in via the admin username. Unless I go through the actual web server logs, I can't see what the IP's of the attempts are... it would be nice to at least have that information included in the 'bad login attempts' list on the log file page.

    Since the admin user doesn't exist, they can brute-force the password all they want - they'll never get in. But for my own satisfaction I'd like to be able to easily ban their IP's... at the first attempt if possible!

    The offered automatic lockout settings don't let you specify a user... so if you make them too restrictive, you'll catch your less intelligent legitimate users who forgot their credentials, or forgot their caps lock (several times!). There's a fine line between annoying your real users and blocking the bad guys.

    It strikes me that the heavy lifting (writing the main security modules) has been done and we really only need to see some tweaks to how the log information is presented and how we might interact with it (click to ban users for instance).

    I realize I can't expect to get more than I pay for(!), so my comments have been what I hope are constructive and positive, rather than complaints! :-)

  11. Handoko
    Member
    Posted 2 years ago #

    @beeeerock:

    I use the Adminer plugin to see the table ??bwps_log; it's the log of Better WP Security, and there you can see the IPs.

    Most of us won't use the user name Admin. But I won't give hackers any chance to touch my sites; they only waste my bandwidth.

    Too restrictive is not good, I agree. That's why I give them 3 chances. Even if I ban the IPs, I will release them after 6 months.

    Legitimate users? No, I'm the only user who can login to the backend.

    Most of us here are not here to complain, but to help each other find better solutions.

  12. beeeerock
    Member
    Posted 2 years ago #

    Unfortunately, the auto-ban function doesn't (as far as I can see) allow you to differentiate between users. So admin user logins are treated the same way as real user logins. Meaning, if a legitimate user messes up his login, he could be locked out or even banned.

    It would be nice if on the 'admin user' page of the BWPS configuration, there was a tick box that allowed you to auto-ban admin user login attempts. On my site, that page says "Congratulations! You do not have a user named 'admin' on your site... etc". If that information appears, there should be a box below saying "Auto-ban admin user login attempts?"

    Of course, if there were attempts to brute-force the password of a legitimate user account, it would be a little more difficult to stop it (the existing lock-out functions would be used), but that's fine... most user accounts don't have the rights to do much more than post, so a successful intrusion wouldn't do nearly as much damage as a successful administrator intrusion could.

  13. Handoko
    Member
    Posted 2 years ago #

    Yes, great suggestion. It would be nice if the plugin first checked whether the login name is a 'real' user name.

    If it is a real login name, then it would allow more tolerable attempts, for example 10x. But if the name is not in the list of legitimate users, then it would give it only 2 chances or ban it immediately; that includes the name: admin.

    Previously, my sites had no hackers able to get to the login page, thanks to the hide backend feature. But recently, especially this January, I have got several login attempts every day. Very annoying, but it's fun to play police and thief. :)
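    The tiered rule proposed in this post (a generous limit for real usernames, almost none for names that do not exist), sketched as a WordPress must-use plugin. This is example code added here; it is not part of the thread, of Better WP Security or of WordPress core. The `tll_` names, the thresholds and the transient-based counters are assumptions; only the core hooks `wp_login_failed` and `authenticate` and the transients API are real WordPress interfaces.

```php
<?php
/*
Plugin Name: Tiered login lockout (added example, not part of Better WP Security)
Description: Hypothetical mu-plugin: real usernames get 10 failed tries, unknown names get 2.
*/

// Assumed thresholds, taken from the 10x / 2x suggestion in the thread.
const TLL_REAL_USER_LIMIT = 10;
const TLL_FAKE_USER_LIMIT = 2;
const TLL_WINDOW_SECONDS  = 30 * MINUTE_IN_SECONDS;  // how long failures are counted
const TLL_LOCKOUT_SECONDS = 24 * HOUR_IN_SECONDS;    // how long a locked host stays out

// Use REMOTE_ADDR only: trusting X-Forwarded-For lets a client choose which address gets counted.
function tll_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function tll_key($bucket, $ip) {
    return 'tll_' . $bucket . '_' . md5($ip);
}

// A name is "real" if it matches a login or an email address (WordPress accepts both at login).
function tll_user_exists($name) {
    return get_user_by('login', $name) || get_user_by('email', $name);
}

// Count each failed login per host, in separate buckets for real and non-existent usernames.
add_action('wp_login_failed', function ($username) {
    $ip     = tll_client_ip();
    $bucket = tll_user_exists($username) ? 'real' : 'fake';
    $key    = tll_key($bucket, $ip);
    $count  = (int) get_transient($key) + 1;
    set_transient($key, $count, TLL_WINDOW_SECONDS);

    $limit = ($bucket === 'fake') ? TLL_FAKE_USER_LIMIT : TLL_REAL_USER_LIMIT;
    if ($count >= $limit) {
        set_transient(tll_key('lock', $ip), time(), TLL_LOCKOUT_SECONDS);
    }
});

// Refuse a locked-out host. Priority 99 runs after core's password check at 20, so a
// correct guess made during the lockout is still rejected instead of overriding the error.
add_filter('authenticate', function ($user, $username, $password) {
    if (get_transient(tll_key('lock', tll_client_ip()))) {
        return new WP_Error('tll_locked', 'Too many failed login attempts from this address.');
    }
    return $user;
}, 99, 3);
```

    Because the keys are derived from REMOTE_ADDR, a site behind a reverse proxy that rewrites the client address would count every visitor as one host, so adjust tll_client_ip() for that setup before using it.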

  14. SoftBlue
    Member
    Posted 2 years ago #

    For those of us, and I expect we are legions, it would be nice if we could restrict access to admin from a list of IP addresses. I'm sure there are more pressing things on the agenda.

    I seem to be getting hit by the loggedout=true hack. It appears from looking at .htaccess that it should not be difficult to protect against. My problem is the number of sites that I will need to step through.

  15. Handoko
    Member
    Posted 2 years ago #

    I want to share a bit; I hope it may help.

    I have a quick fix for the loggedout=true. It's not the best and has some disadvantages, but it works (at least on my sites). Read more here:

    http://wordpress.org/support/topic/after-enabling-hide-backend-still-i-am-getting-bad-login-attempt-how

    I have also compiled a list of bad IPs that tried to login and access the admin area. I have strict conditions, having studied their behaviour for months, so only real 'bad' IPs are in the list. Put it on your banned list; it may reduce the hacking attempts significantly:


  16. benwhitehouse
    Member
    Posted 2 years ago #

    Unfortunately if the brute force hackers truly do have 90,000 machines to do their bidding, banning even a few thousand of them does nothing. I too wish there was a way to block people trying to access accounts which do not exist.

    Here is an idea.

    What if we create an "admin" account and give it the lowest possible site permissions of "subscriber"; then once a hacker tries to access it a few times, Better WP Security locks that account, killing all attempts from then on?

    Is there any down side to having an account for "admin" which has no powers?

    Hrmmmm.

    It's like a trojan login!

  17. Handoko
    Member
    Posted 2 years ago #

    I'm not very sure, but I don't think it is a good idea.

    By not letting them login, it means we keep them outside. But if you give them a lowest-level account named admin for login purposes, it means they are allowed to go inside, even if that account has lots of limitations. After logging in, they might be able to study the website for any weaknesses, misconfigured permissions, etc. So it could be very dangerous, so I will say it will be better to keep them outside.

    Is there any down side to having an account for "admin" which has no powers?
    Any misconfigured permissions or security bugs (if they exist in WordPress) can be a surprising bonus for hackers but a nightmare for the site owner.

  18. benwhitehouse
    Member
    Posted 2 years ago #

    Ah, I'm not advising using an insecure password on the account. If anything, you want to use a ridiculously secure password for the "admin" account. But the way that Better WP Security works, it will only lock out users WITH an associated account. Therefore, in order to lock out the hackers trying to access the "admin" user, you have to have an "admin" account for them to be locked out of.

    I actually went ahead and created this subscriber "admin" account on my install, and within 2 minutes the "admin" user was locked out for 24 hours. No more login attempts will be permitted for the admin user today. Call me crazy, but I think this works.

    Just make sure to use a very long and secure password with numbers, letters, symbols, etc. for the "admin" user. That way they will (hopefully) never guess it.

  19. Handoko
    Member
    Posted 2 years ago #

    Unfortunately if the brute force hackers truly do have 90,000 machines to do their bidding, banning even a few thousand of them does nothing. I too wish there was a way to block people trying to access accounts which do not exist.

    We do not need to ban them manually. The plugin can be configured to automatically ban the bad logins.

    Actually, I once had the same thought as your idea some months ago. But why bother, now that the plugin does and will automatically block and ban bad login visitors for me.

    Perhaps what you're doing really has some good points. Please report back the results regularly; I'm curious to know.

  20. herinde
    Member
    Posted 2 years ago #

    I'm having exactly the same problem.

    It would be nice to know if this is working out for you (creating an admin user low on permissions with a secure password)

  21. joelmeaders
    Member
    Posted 2 years ago #

    Mine has blocked over 3500 attempts in the last half hour on the admin username. I would love to autoban the second they try this username.

  22. beeeerock
    Member
    Posted 2 years ago #

    I use WordFence in parallel with Better WP Security. It can be configured to lock out admin attempts.

  23. Handoko
    Member
    Posted 2 years ago #

    Better WP Security can be set to autoban login attempts (without using an admin account):
    1. Go to menu > Security > Login Limits > turn on Enable Login Limits
    2. Set both Max Login Attempts Per Host and Max Login Attempts Per User low
    3. Set both Login Time Period (minutes) and Lockout Time Period (minutes) high
    4. Turn on Blacklist Repeat Offender
    5. Set Blacklist Threshold low

    A good example:
    - Enable Login Limits: on
    - Max Login Attempts Per Host: 3
    - Max Login Attempts Per User: 5
    - Login Time Period (minutes): 20
    - Lockout Time Period (minutes): 60
    - Blacklist Repeat Offender: on
    - Blacklist Threshold: 3

    A tight configuration example:
    - Enable Login Limits: on
    - Max Login Attempts Per Host: 2
    - Max Login Attempts Per User: 3
    - Login Time Period (minutes): 30
    - Lockout Time Period (minutes): 180
    - Blacklist Repeat Offender: on
    - Blacklist Threshold: 1

  24. omrilevy
    Member
    Posted 1 year ago #

    I have the same issue with Better WP Security.
    I don't have the admin account, but I get tens of attempts to login every day.

    It would be a good idea to add a "ban specific users" option, even if they don't exist.

    I would start with admin, administrator and the name of the site.

  25. benwhitehouse
    Member
    Posted 1 year ago #

    So after a little searching I found that Wordfence actually does ban any user who tries to access a user that doesn't exist. I had added in fake Admin and Administrator accounts, which do work, but this is a more elegant solution. Plus it never needs updating as bots try new usernames.

    http://wordpress.org/plugins/wordfence/

Topic Closed

This topic has been closed to new replies.
