WordPress.org

Support

How to ban admin logins?

  • beeeerock

    @beeeerock

    I have modified my settings to eliminate the admin account. Of course the spammers out there don’t know that and keep trying to find their way in via ‘admin’ login. Is there some way to automatically have the IP of an admin login attempt added to the ban list? I’ve got 1200 attempts in my logs in the last few days… so many I have to wonder if the login limit and lockout settings are working!

    http://wordpress.org/extend/plugins/better-wp-security/

Viewing 15 replies - 1 through 15 (of 24 total)
  • beeeerock

    @beeeerock

    No responses on this one… I’m starting to wonder if I’m just missing this in the config somewhere… is there any way to ban users in the same way you can ban IPs or hosts? I can’t imagine there would be many cases where a user other than ‘admin’ should be banned… but it would be nice to have a toggle to automatically ban anyone attempting to log in as admin, if that user has been removed to increase security.

    Maybe I shouldn’t worry about this? But it annoys me that my server is being bombarded with attempts for this non-existent user!

    No response still…

    It would also be nice if the automated email stating a host has been locked out due to too many login attempts also included the login name within the message. That way I’d have an idea of whether a legit user is having trouble, or a parasite is trying to get into my admin account…

    But I’d still like the ability to add account names to a list and have anyone attempting them be banned immediately… and the ability to one-click add these users from the ‘view logs’ page. Then the spammy sign-ups could also be added to the list when you see them attempted later…

    I wish I could help, but I found this thread looking for the same thing and thought I’d just chime in to say “you are not alone.” I too am very surprised nobody has replied.

    I think I’ll maybe donate to a security plugin and then encourage them to implement this type of thing. Now to just decide which.

    Hi all. I too wish I could help, but my knowledge is very limited. I think the author of this plugin is very busy; you can see there are too many unanswered questions on the support forum. Too many new questions appear every day; the author did try to answer, but he is probably only a single person.

    For the attempts to log in to the admin account, I personally manually ban all the IPs that frequently make failed logins. Not the best thing to do, but so far it really reduces the problem. Now I get about 1 attempt every several days.

    You could use a plugin called Wordfence in addition to Better WP Activity. Wordfence has an option to automatically block invalid login attempts.

    I’m using Better WP Security only for the protection, some said installing too many plugins can slow down your website performance.

    So far, I’m happy with Better WP Security. It has a feature to automatically ban the IP of invalid login attempts if it reaches a certain number of times, and we can adjust the threshold. But usually I will manually ban it; I have a list of banned IPs which I use for all of my sites.

    To test if the lockout is working, set up a test account, then try to login with a bad credential.

    Perhaps increasing the default time that the plugin remembers bad logins may help lockout users who are repeatedly hitting you.

    Smart hackers and their tools know how to spread out login attempts to defeat known security tools, so adjust your default time higher to see if you catch the offender.

    By “admin” login do you mean Wp-admin?
    You can hide the back-end login under the hide TAB.

    Just make sure to have a second account in case you get locked out.

    You may want to use complex and longer user names as well, such as bn6u8fwrd790.

    Yes, I agree it would be handy to know what user name an IP is trying to hit, some auto hack tools will run through quite a few variations though.

    I realize it is frustrating waiting for a response from the author. I am only chiming in as a way to “payback” the author for his free plugin.

    Smart hackers and their tools know how to spread out login attempts to defeat known security tools, so adjust your default time higher to see if you catch the offender.

    Yes, hackers are becoming smarter. I notice the hackers now won’t make their next attempt in a short period. They will only repeat it after several days, sometimes a week.

    That’s why I manually ban them. I log all the IPs that try to log in to my site in a spreadsheet file and do my own analysis. If they try it 3x or more, then they’re banned. The IPs in the list will be kept for 6 months. After that I will release the ban. If they are still trying, I will ban them f.o.r.e.v.e.r. I use the list for all the websites I build.

    Almost all the login attempts are using the user name: admin. Hide back-end is not very useful now. Try it yourself on your website by typing:
    http://YourDomainHere/wp-login.php?loggedout=true

    For more information about the issue above, try this link:
    http://wordpress.org/support/topic/plugin-better-wp-security-bypass-to-login-hide-or-hide-backend

    The author is busy I guess. We should share what we know to help each others.
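    A worked version of the ban policy described above (three or more failed logins from an IP bans it for six months; an IP that comes back after the ban is released is banned for good), as an added example written for this thread, not code from Better WP Security or from the poster. It is a stand-alone PHP script run from the command line over a constructed CSV of failures. The log format (date, IP, username) and the addresses (RFC 5737 documentation ranges) are assumptions, since the plugin’s own log layout is not shown here.

```php
<?php
// Added example: offline ban-list builder applying the policy from the thread.
// Run with: php banlist.php

const BAN_THRESHOLD = 3;            // failures before a temporary ban
const BAN_DURATION  = '+6 months';  // length of the temporary ban

// Constructed sample data (date,ip,username); not real log lines.
// 192.0.2.10 and 203.0.113.5 each fail three times, are banned, and come back
// after their bans expire; 198.51.100.7 fails once and is left alone.
$csv = <<<CSV
2013-01-05 10:02:11,192.0.2.10,admin
2013-01-05 10:02:15,192.0.2.10,admin
2013-01-05 10:02:19,192.0.2.10,administrator
2013-01-08 03:14:00,198.51.100.7,admin
2013-02-01 07:00:00,203.0.113.5,admin
2013-02-01 07:00:03,203.0.113.5,admin
2013-02-01 07:00:06,203.0.113.5,admin
2013-08-15 22:40:00,203.0.113.5,admin
2013-09-01 12:00:00,192.0.2.10,admin
CSV;

/**
 * Returns ip => ['until' => DateTimeImmutable|null, 'reason' => string].
 * 'until' === null means a permanent ban.
 */
function build_banlist(string $csv): array
{
    $rows = array_map('str_getcsv', explode("\n", trim($csv)));
    usort($rows, fn($a, $b) => strcmp($a[0], $b[0]));  // process in time order

    $fails = [];  // ip => failures seen so far
    $bans  = [];  // ip => ban record

    foreach ($rows as [$when, $ip, $user]) {
        $t = new DateTimeImmutable($when);

        if (isset($bans[$ip])) {
            $ban = $bans[$ip];
            if ($ban['until'] === null || $t < $ban['until']) {
                continue;  // still banned; nothing to decide
            }
            // Ban expired and the IP is back: escalate to permanent.
            $bans[$ip] = [
                'until'  => null,
                'reason' => 'returned after ban expired on ' . $ban['until']->format('Y-m-d'),
            ];
            continue;
        }

        $fails[$ip] = ($fails[$ip] ?? 0) + 1;
        if ($fails[$ip] >= BAN_THRESHOLD) {
            $bans[$ip] = [
                'until'  => $t->modify(BAN_DURATION),
                'reason' => sprintf('%d failures, last username "%s"', $fails[$ip], $user),
            ];
        }
    }
    return $bans;
}

foreach (build_banlist($csv) as $ip => $ban) {
    printf("%-15s %-16s (%s)\n",
        $ip,
        $ban['until'] === null ? 'PERMANENT' : 'until ' . $ban['until']->format('Y-m-d'),
        $ban['reason']);
}
```

    The sample data exercises both paths (a temporary ban that expires, and the escalation to a permanent ban on return), so you can see each decision before pointing the script at your own export.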

    I administer the site from another account – ‘admin’ was disabled a long time ago.

    In the last week, Better WP Security has logged over 2000 attempts to get in via the admin username. Unless I go through the actual web server logs, I can’t see what the IPs of the attempts are… it would be nice to at least have that information included in the ‘bad login attempts’ list on the log file page.

    Since the admin user doesn’t exist, they can brute-force the password all they want – they’ll never get in. But for my own satisfaction I’d like to be able to easily ban their IPs… at the first attempt if possible!

    The offered automatic lockout settings don’t let you specify a user… so if you make them too restrictive, you’ll catch your less intelligent legitimate users who forgot their credentials, or forgot their caps lock (several times!). There’s a fine line between annoying your real users and blocking the bad guys.

    It strikes me that the heavy lifting (writing the main security modules) has been done and we really only need to see some tweaks to how the log information is presented and how we might interact with it (click to ban users for instance).

    I realize I can’t expect to get more than I pay for(!), so my comments have been what I hope are constructive and positive, rather than complaints! 🙂

    @beeeerock:

    I use the Adminer plugin to see the table ??bwps_log, which is the log of Better WP Security; there you can see the IPs.

    Most of us won’t use the user name Admin. But I won’t give hackers any chance to touch my sites; they only waste my bandwidth.

    Too restrictive is not good, I agree. That’s why I give them 3 chances. Even when I ban the IPs, I will release them after 6 months.

    Legitimate users? No, I’m only the user who can login to the backend.

    Most of us here are not for complaints, but helping each others to find better solutions.

    Unfortunately, the auto-ban function doesn’t (as far as I can see) allow you to differentiate between users. So admin user logins are treated the same way as real user logins. Meaning, if a legitimate user messes up his login, he could be locked out or even banned.

    It would be nice if on the ‘admin user’ page of the BWPS configuration, there was a tick box that allowed you to auto-ban admin user login attempts. On my site, that page says “Congratulations! You do not have a user named ‘admin’ on your site… etc”. If that information appears, there should be a box below saying “Auto-ban admin user login attempts?”

    Of course, if there were attempts to brute-force the password of a legitimate user account, it would be a little more difficult to stop it (the existing lock-out functions would be used), but that’s fine… most user accounts don’t have the rights to do much more than post, so a successful intrusion wouldn’t do nearly as much damage as a successful administrator intrusion could.

    Yes, great suggestion. It will be nice if the plugin will first check if the login name is a ‘real’ user name.

    If it is a real login name, then it will give more tolerable attempts, for example 10x. But if the name is not in the list of legitimate users, then it will give only 2 chances or ban it immediately; this includes the name admin.

    Previously, my sites had no hackers able to get to the login page, thanks to the hide backend feature. But recently, especially this January, I get several login attempts every day. Very annoying, but it’s fun to play police and thief. 🙂
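    What the two posts above ask for, as an added example and not code from Better WP Security: a small must-use plugin that counts failed logins per source IP, but picks the threshold from the username that was tried (decoy names such as ‘admin’ lock the IP on the first failure, names that do not exist as users get two tries, real accounts get ten), and puts the username in the lockout e-mail. Assumptions: PHP 7.4 or newer, a single web server with no reverse proxy in front of it (so REMOTE_ADDR is the client), and the option name, constants and lockout lengths are made up for the example.

```php
<?php
/**
 * Plugin Name: Username-aware login lockout (added example)
 *
 * Example written for this thread; not part of Better WP Security.
 * Save as wp-content/mu-plugins/username-aware-lockout.php.
 */

define('UAL_DECOY_NAMES',    ['admin', 'administrator', 'root']); // lock on first failure
define('UAL_FAIL_WINDOW',    6 * HOUR_IN_SECONDS);  // how long old failures still count
define('UAL_LOCKOUT_LENGTH', 24 * HOUR_IN_SECONDS); // how long a locked IP stays out
define('UAL_OPTION',         'ual_lockout_state');  // hypothetical option name

function ual_client_ip(): string {
    // Assumption: no reverse proxy. Behind one, read the proxy's forwarded-for
    // header instead, but only after checking REMOTE_ADDR is the proxy; otherwise
    // the header is attacker-controlled and lockouts can be evaded or aimed at others.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

/** Failures allowed before lockout, chosen by the username that was tried. */
function ual_threshold(string $username): int {
    if (in_array(strtolower(trim($username)), UAL_DECOY_NAMES, true)) {
        return 1;
    }
    return username_exists($username) ? 10 : 2;
}

/** Load state from the options table, dropping expired failures and lockouts. */
function ual_load_state(): array {
    $state = (array) get_option(UAL_OPTION, []);
    $state += ['fails' => [], 'locked' => []];
    $now = time();
    foreach ($state['locked'] as $ip => $until) {
        if ($until <= $now) {
            unset($state['locked'][$ip]);
        }
    }
    foreach ($state['fails'] as $ip => $events) {
        $events = array_values(array_filter($events, fn($e) => $e['t'] > $now - UAL_FAIL_WINDOW));
        if ($events) {
            $state['fails'][$ip] = $events;
        } else {
            unset($state['fails'][$ip]);
        }
    }
    return $state;
}

function ual_is_locked(string $ip): bool {
    $state = ual_load_state();
    return isset($state['locked'][$ip]);
}

/** Count a failed login; lock the IP once it reaches the threshold for that name. */
function ual_record_failure($username): void {
    $username = (string) $username;
    $ip    = ual_client_ip();
    $state = ual_load_state();
    $state['fails'][$ip][] = ['t' => time(), 'u' => $username];
    $count = count($state['fails'][$ip]);
    if ($count >= ual_threshold($username)) {
        $state['locked'][$ip] = time() + UAL_LOCKOUT_LENGTH;
        unset($state['fails'][$ip]);
        // The notification names the username, as requested earlier in the thread.
        wp_mail(get_option('admin_email'), 'Login lockout on ' . home_url(),
            sprintf('IP %s locked after %d failed login(s); last username tried: %s',
                $ip, $count, $username));
    }
    update_option(UAL_OPTION, $state, false); // false: do not autoload on every request
}
add_action('wp_login_failed', 'ual_record_failure');

/** Refuse the login form outright for locked IPs. */
add_action('login_init', function (): void {
    if (ual_is_locked(ual_client_ip())) {
        wp_die('Too many failed logins from your address. Try again later.', 'Locked out', ['response' => 403]);
    }
});

/**
 * Also refuse authentication itself, which covers XML-RPC and anything else that
 * calls wp_authenticate(). Priority 99 runs after core's password check, so the
 * error is final. Core fires wp_login_failed for this error too, so a locked IP
 * that keeps hammering extends its own lockout.
 */
add_filter('authenticate', function ($user, $username) {
    if (ual_is_locked(ual_client_ip())) {
        return new WP_Error('ual_locked', 'Too many failed logins from your address.');
    }
    return $user;
}, 99, 2);
```

    Keep a second administrator account and SFTP access to hand before enabling anything like this: a lockout plugin that mis-reads the client address (for example behind a CDN) locks out everyone at once, and deleting the file from mu-plugins is then the quickest way back in.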

    For those of us, and I expect we are legion, it would be nice if we could restrict access to admin from a list of IP addresses. I’m sure there are more pressing things on the agenda.

    I seem to be getting hit by the loggedout=true hack. It appears from looking at .htaccess that it should not be difficult to protect against. My problem is the number of sites that I will need to step through.
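    The IP allow-list for the admin area asked for just above, as an added example (not code from Better WP Security or from the poster). The same rule can be expressed in .htaccess with a Files block for wp-login.php, but a must-use plugin keeps one copy of the rule per site, which helps when there are many sites to step through. Assumptions: IPv4 only, no reverse proxy (REMOTE_ADDR is the real client), and the listed addresses are RFC 5737 documentation ranges to be replaced with your own.

```php
<?php
/**
 * Plugin Name: Admin area IP allow-list (added example)
 *
 * Example written for this thread; not part of Better WP Security.
 * Save as wp-content/mu-plugins/admin-ip-allowlist.php. Keep SFTP access so
 * you can delete the file if your own address changes and you lock yourself out.
 */

// Constructed example addresses; replace with the ranges you administer from.
define('AIA_ALLOWED', ['203.0.113.10', '198.51.100.0/24']);

/** True if $ip (dotted IPv4) matches $cidr, given as "a.b.c.d" or "a.b.c.d/bits". */
function aia_ip_matches(string $ip, string $cidr): bool {
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;                       // not a valid IPv4 address
    }
    if (strpos($cidr, '/') === false) {
        return $ipLong === ip2long($cidr);  // single host entry
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $netLong = ip2long($net);
    $bits    = (int) $bits;
    if ($netLong === false || $bits < 0 || $bits > 32) {
        return false;                       // malformed entry: never matches
    }
    // -1 << n keeps the top (32 - n) bits set; a /0 would shift by 32, so special-case it.
    $mask = $bits === 0 ? 0 : (-1 << (32 - $bits));
    return ($ipLong & $mask) === ($netLong & $mask);
}

function aia_is_allowed(string $ip): bool {
    foreach (AIA_ALLOWED as $cidr) {
        if (aia_ip_matches($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/** Deny wp-login.php and wp-admin to addresses outside the list. */
function aia_enforce(): void {
    if (wp_doing_ajax()) {
        return;   // admin-ajax.php also serves anonymous front-end requests
    }
    if (!aia_is_allowed($_SERVER['REMOTE_ADDR'] ?? '')) {
        wp_die('Access to the administration area is restricted.', 'Forbidden', ['response' => 403]);
    }
}
add_action('login_init', 'aia_enforce');
add_action('admin_init', 'aia_enforce');

// XML-RPC is a third place a password can be presented; if nothing uses it, turn it off.
add_filter('xmlrpc_enabled', '__return_false');
```

    This does nothing about the loggedout=true bypass of the hide-backend feature by itself, but it makes the bypass moot: whatever path reaches wp-login.php, the request is refused unless it comes from an allowed address.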

    I want to share a bit; hope it may help.

    I have a quick fix for the loggedout=true. It’s not the best and has some disadvantages, but it works (at least on my sites). Read more here:

    http://wordpress.org/support/topic/after-enabling-hide-backend-still-i-am-getting-bad-login-attempt-how

    I have also compiled a list of bad IPs that tried to log in and access the admin area. I have strict conditions and studied their behaviors for months, so only real ‘bad’ IPs are in the list. Put it on your banned list; it may reduce the hacking attempts significantly:

    198.24.154.85
    109.120.144.134
    173.192.34.95
    184.82.92.86
    188.143.232.147
    188.143.233.2
    188.143.233.7
    188.72.202.63
    198.24.154.83
    208.115.111.68
    208.115.113.84
    27.153.187.158
    37.1.207.22
    46.22.211.11
    5.135.182.147
    5.135.182.148
    5.135.182.150
    5.135.185.89
    5.135.186.103
    5.135.186.47
    5.135.186.48
    5.39.86.162
    5.39.86.195
    59.58.156.107
    69.61.33.158
    91.121.156.62
    91.121.198.168
    91.121.204.98
    91.121.26.97
    91.121.9.21
    91.121.97.145
    91.224.160.24
    94.100.17.134
    94.23.14.147
    94.23.250.149
    94.23.4.106
    94.23.62.47
    218.108.169.2

    Unfortunately if the brute force hackers truly do have 90,000 machines to do their bidding, banning even a few thousand of them does nothing. I too wish there was a way to block people trying to access accounts which do not exist.

    Here is an idea.

    What if we create an “admin” account and give it the lowest possible site permissions of “subscriber”, then once a hacker tries to access it a few times, Better WP Security locks that account, killing all attempts from then on?

    Is there any down side to having an account for “admin” which has no powers?

    Hrmmmm.

    It’s like a trojan login!

  • The topic ‘How to ban admin logins?’ is closed to new replies.