Support » Plugin: Wordfence Security - Firewall & Malware Scan » Huge upswing in login attempts over last 24 hours

  • Resolved Bev

    (@bstofko)


    I manage about 50 websites. Starting early Jan 31 there was a huge increase in login attempts on most of the sites. One common user name that was attempted is “indoxploit”.

    The sites are configured to “Immediately lock out invalid usernames”, but that didn’t seem to be happening. The login attempts were logged as a yellow type “Type: Failed Login” rather than the usual “Type: Blocked”.

    My question is why would these attempts not be blocked?

Viewing 3 replies - 1 through 3 (of 3 total)
  • There’s a bot network that tries a list of usernames fed to them from the darkweb, “indoxploit” is on that list. I’ve seen that name attempted on my sites many times.

    The bot net is using VPNs, so even if you have WordFence configured to immediately lock out invalid usernames, WordFence will lock out that username but the botnet will use a VPN to try and attack from another IP.

    When WordFence says it will block the username what they mean is they will block that IP address that attempts that username. If the botnet changes IP addresses through a VPN and tries the same username, there’s nothing WordFence can do about that other than block it the next time they try again. Either way WordFence is doing it’s job. There’s not much you can do either. It’s frustrating but it’s the nature of the Internet.

    If you’re getting hit, it means your IP is on the list now too so you’ll see more activity. Either you had malware on your server at one point, or your are on a shared server and another site on your shared IP had malware. Either way someone on your IP or that had your IP address earlier had malware and triggered being added to the “attack this server” list for the botnets to hit, that’s why you’re seeing attempts.

    But don’t fret, as long as you have your WordFence policies set properly, they will not get in.

    Thread Starter Bev

    (@bstofko)

    My issue is that the login attempts were not actually blocked, they were logged as failed login attempts but were not blocked.

    Thread Starter Bev

    (@bstofko)

    I did a lot of digging and added some logging to try to understand what was happening. I discovered that the login attempts that are not being blocked are made with an empty password. I wonder whether these attempts should be blocked due to the invalid username, rather than giving the 200 success return and the standard WordPress “ERROR: The password field is empty.” page. I am not sure why these bots are attempting logins with blank passwords.

    I think it would be helpful if the Live Traffic display contained a bit more information.

    Currently I see this when an invalid username/empty password is attempted:

    Type: Failed Login West Palm Beach, United States attempted a failed login using an invalid username “Admin”.

    A better message would include $authUser->get_error_code():

    Type: Failed Login West Palm Beach, United States attempted a failed login using an invalid username “Admin”, failed due to empty password.

    Or event better:

    Type: Blocked West Palm Beach, United States attempted a failed login using an invalid username “Admin”, failed due to empty password.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Huge upswing in login attempts over last 24 hours’ is closed to new replies.