• I run WordPress on a hosted server with the Wordfence security package installed. Wordfence emails me whenever an administrator ID logs in to the site. Usually it’s only me. Yesterday I got an email telling me that my admin ID had logged in from an IP address that is owned by Google. Specifically, it told me this:
    A user with username “xxxxxxxxx” who has administrator access signed in to your WordPress site.
    User IP: 66.249.92.31
    User hostname: rate-limited-proxy-66-249-92-31.google.com
    User location: Mountain View, United States

    I was not anywhere near any of my computers when this login took place. I have never shared these login credentials with anyone else, except, crucially, with Google, via the Chrome browser’s password saving feature.

    I find it troubling to think what legitimate purpose Google would have to make use of knowledge that should be entirely private to me. There doesn’t appear to be any way to raise this query with Google. I am seriously considering terminating my use of Google, as it’s just too scary to think what else they could do with information they already have.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    First, change your password IMMEDIATELY.

    The rate limited proxy seems to be related to Google AdSense, at least according to my googling. However, it should not be able to log in. It’s possible (maybe even probable) that IP address was spoofed.

    Maybe it is a hacker attack… You should change your password to a strong one.

    Thread Starter scottme

    (@scottme)

    Yep – restored the site to a backup taken before the rogue login, and changed the password.
    I don’t think it was a hacking attempt; nothing seemed out of place or to have changed.
    It still nags though. Google *could* do this, but why would they want to?

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    AFAICT from the docs, the password stored in your browser is stored locally. If you enable synching between different devices, the synch is encrypted to a key of your own choosing. I sincerely doubt that Google is hacking your website.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    I doubt it’s Google. It’s pretty commonplace for bruteforce attacks to spoof their IPs these days, and Google seems to be a common choice for them.

    When most folks see a bruteforce attack, they act immediately by blocking the IP, but if the IP is from something like Google, folks tend to hesitate as you just did, buying the hackers a bit more time. Google has no reason to log in to your site, so I’m pretty sure this was the case.

    If you’re using the Jetpack plugin already, switch on its Protect module, as that will lock out IPs for a set amount of time after a set number of failed login attempts (and that amount of time increases for each repeat failure). https://jetpack.com/support/security-features/

    If you aren’t a Jetpack user, try https://wordpress.org/plugins/limit-login-attempts/ which despite its age still works great and is actually still installed as default by a few reputable hosts.

    Moderator bcworkz

    (@bcworkz)

    It’s probably a server related to Google Cloud Platform running malicious code on behalf of a subscriber. If you can provide access logs from that IP, with timestamps, to GCP’s abuse contact, they could in theory shut down that subscriber. No guarantees GCP will actually take action. I would hope so, but they could be overwhelmed with abuse complaints and ignore all but the very worst.

    It’s up to you to decide if it’s worth the effort. Kicking bad actors off the Internet is a worthy (but rather hopeless) cause; they will likely reappear as a different subscriber.

    FWIW, it’s not really possible to spoof IP addresses, provided the address is from the result of the TCP handshake. What happens is a lot of poorly written software tries to “see through” proxy or load balancer IPs by using the “X-Forwarded-For” header or similar. IPs from HTTP headers ARE spoofed all the time. It’s foolish to rely on such headers. I would expect Wordfence knows this and the IP it reported is real, though I cannot say for sure.
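
The distinction drawn in the reply above (TCP peer address versus addresses taken from the “X-Forwarded-For” header), as an added example that is not part of the thread and is not Wordfence's code: a naive resolver beside one that consults the header only when the connection comes from a known proxy. The function names, the TRUSTED_PROXIES list and every sample address except 66.249.92.31 are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the reverse proxies / load balancers in front of this server.
# Constructed ranges (RFC 1918 and RFC 5737 documentation space).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_ip, xff_header=None):
    """The pattern the reply warns about: believe the left-most header entry."""
    return xff_header.split(",")[0].strip() if xff_header else peer_ip


def client_ip(peer_ip, xff_header=None):
    """Return the address to log or rate-limit for one request.

    peer_ip    -- source address of the TCP connection (REMOTE_ADDR)
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # Direct connection: the header is whatever the sender typed. Ignore it.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # The peer is our own proxy, so the entry it appended (the right-most one)
    # is reliable. Walk right to left, skipping our own proxies; the first
    # address that is not ours is the client. Entries further left were
    # supplied by that client and are never consulted.
    candidate = peer
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = addr
        if not _is_trusted(addr):
            break
    return str(candidate)
```

With a direct connection from 203.0.113.7 carrying the header value 66.249.92.31, the naive resolver records the Google address while the strict one records the actual peer.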

  • The topic ‘Is Google using my WordPress login?’ is closed to new replies.