• Resolved micsu

    (@micsu)


    Hi!

A couple of times in the last couple of days I’ve had some problems with some sort of single-IP brute force attacks. In Login Security Options I have:
    Lock out after how many login failures: 5
    Lock out after how many forgot password attempts: 5
    Count failures over what time period: 10min
    Amount of time a user is locked out: 30min

    and the following are also checked:
    Prevent users registering ‘admin’ username if it doesn’t exist
    Prevent discovery of usernames through ‘?/author=N’ scans

I got alerted about a blocked IP that was trying to log in as user “admin”, but when I check my access_log, the same IP has tried to log in 200 times over 20 minutes (POST to wp-login.php).

    Why isn’t that blocked much earlier?

Just noticed that there’s an update for the Wordfence plugin (and updated immediately), so this has happened with the version previous to 5.2.6.

I’m using the free version of Wordfence.

    https://wordpress.org/plugins/wordfence/

Viewing 4 replies - 1 through 4 (of 4 total)
• Not sure on this. Apply the update and add the user ‘admin’ to the list beside “Immediately block the IP of users who try to sign in as these usernames” on the options page. And then let’s see if that fixes it. I’m curious.

    tim

    @micsu: They might have been blocked — but the access log will still show the visits even when the user is blocked from logging in. You will still even see an HTTP status code “200” in your logs if they were blocked by the limits you set, or you may see a “503” status code if they were blocked by the Wordfence security network.

    In my access logs, though, I found that I can see if the blocking was working because the document size shown in the logs is different when a login is blocked. For example, I might see something like this in my access_log — I trimmed IP, date, referrer, etc. so it’s short enough to be readable here:
    “POST /wp-login.php HTTP/1.0” 200 17904
    “POST /wp-login.php HTTP/1.0” 200 17904
    “POST /wp-login.php HTTP/1.0” 200 17904
    “POST /wp-login.php HTTP/1.0” 200 2377
    “POST /wp-login.php HTTP/1.0” 200 2377
    “POST /wp-login.php HTTP/1.0” 200 2377
    “POST /wp-login.php HTTP/1.0” 200 2377
    “POST /wp-login.php HTTP/1.0” 200 2377
    “POST /wp-login.php HTTP/1.0” 200 2377

    So, in the first 3 POSTs, they were getting the full login form and failure message as a response from wp-login.php, but after that, they got a shorter message from Wordfence.

    It’s hard to test it if you’ve whitelisted your own IPs, but if you can log in as a bad user from a different IP until you get the message, you can see how the message looks in your browser, and see the size of the blocked attempts in your logs.

    Great info mwrusnak! Thanks for weighing in.

    @micsu, can you verify this in your access logs?

    tim

    Thread Starter micsu

    (@micsu)

    Thanks for the input, mwrusnak!
    Yes, now that I checked that more carefully, I also see that the accessed document size has decreased after locking the user out from login:

“POST /wp-login.php HTTP/1.0” 200 5413 “-” “-”
“POST /wp-login.php HTTP/1.0” 200 5419 “-” “-”
“POST /wp-login.php HTTP/1.0” 200 5415 “-” “-”
“POST /wp-login.php HTTP/1.0” 200 5410 “-” “-”
“POST /wp-login.php HTTP/1.0” 200 1540 “-” “-”
“POST /wp-login.php HTTP/1.0” 200 1540 “-” “-”
“POST /wp-login.php HTTP/1.0” 200 1540 “-” “-”
“POST /wp-login.php HTTP/1.0” 200 1540 “-” “-”
    (and this smaller access repeats 93 times)
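A defender-side check of the size-drop pattern mwrusnak describes above and micsu confirms in this post, written as an added example that is not from the thread and not Wordfence code: it parses Apache combined-format lines (a constructed sample using documentation-range IPs), records the response size of every POST to wp-login.php per source IP, reports where the size drops to the shorter block page, and lists IPs that kept receiving full-size responses, which is the symptom the thread starter reported. The 50% drop ratio and the 5-attempt threshold are assumed values, not Wordfence settings.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined format (not taken from the thread).
# First IP: 3 full login-form responses, then the shorter block page.
# Second IP: 8 POSTs whose response size never drops. One GET is noise.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.5 - - [10/Oct/2014:10:0{i}:00 +0000] "POST /wp-login.php HTTP/1.0" 200 {s} "-" "-"'
     for i, s in enumerate([17904, 17904, 17904, 2377, 2377, 2377, 2377, 2377, 2377])]
    + [f'198.51.100.7 - - [10/Oct/2014:11:0{i}:00 +0000] "POST /wp-login.php HTTP/1.0" 200 17904 "-" "-"'
       for i in range(8)]
    + ['203.0.113.5 - - [10/Oct/2014:10:09:00 +0000] "GET /index.php HTTP/1.0" 200 40211 "-" "-"']
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return (ip, method, path, status, size) for one combined-format line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    size = 0 if m["size"] == "-" else int(m["size"])
    return m["ip"], m["method"], m["path"], int(m["status"]), size

def login_block_report(log_text, path="/wp-login.php", drop_ratio=0.5):
    """Per IP: POSTs to `path` before the response shrank below drop_ratio of the
    previous one (the block page replacing the login form), POSTs after, and sizes."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[1] == "POST" and rec[2] == path:
            posts[rec[0]].append(rec[4])
    report = {}
    for ip, sizes in posts.items():
        drop_at = next((i for i in range(1, len(sizes))
                        if sizes[i] < sizes[i - 1] * drop_ratio), None)
        if drop_at is None:
            report[ip] = {"before_block": len(sizes), "after_block": 0, "sizes": None}
        else:
            report[ip] = {"before_block": drop_at, "after_block": len(sizes) - drop_at,
                          "sizes": (sizes[drop_at - 1], sizes[drop_at])}
    return report

def never_blocked(report, threshold=5):
    """IPs with at least `threshold` login POSTs whose response never shrank."""
    return sorted(ip for ip, r in report.items()
                  if r["sizes"] is None and r["before_block"] >= threshold)
```

Run it over a real access_log by passing the file contents to login_block_report; an IP listed by never_blocked is one whose lockout apparently never took effect.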


The topic ‘Login Security not working?’ is closed to new replies.