WordPress.org

Ready to get started?Download WordPress

Forums

Project Force Field
Most "attacks" have been thwarted. A few going to new URL. (6 posts)

  1. dmpp
    Member
    Posted 9 months ago #

    This plugin is great! Thank you for your work and effort.

    I would say 99.9% of attempts have stopped.

    However there a few have started on safe-entrance.php.

    https://wordpress.org/plugins/project-force-field/

  2. offordscott
    Member
    Posted 9 months ago #

    dmpp, thanks for your feedback. Let us know how many attempts are made on safe-entrance.php

    We have some cool stats we can share regarding our own server and how PFF has saved us bandwidth. Just yesterday alone, we counted 5683 attempts blocked.

    Scott Offord
    Orion Group

  3. dmpp
    Member
    Posted 9 months ago #

    Hi Scott,

    Thanks for getting back to me.

    We've had about 10-15 attempts to login to the safe-entrance.php page. Which is WAY better than what we had going on before. We had about 42,000 attempts since mid-November, and 28,000 of those have been since the end of March. So I'm very thankful for your plugin!

    I'm using the stop spammers plugin along with yours, so that it blacklists IP's as well - although they can be easily spoofed.
    See: http://wordpress.org/plugins/stop-spammer-registrations-plugin/ It also helps with fake form submissions/spammers a great deal.

    Do you have a command prompt script I could use to check the site headers? I've tried some web-based ones and they're all coming back showing me a temp redirect from wp-login.php to safe-entrance.php.

    For example, I used this: http://urivalet.com/ and put in the url to my wp-login.php

    Here's what was returned: (I changed my real domain to domain.com in the content below)

    1. REQUESTING: http://www.domain.com/wp-login.php
        GET /wp-login.php HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Accept-Language: en-us,en;q=0.5
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 AlexaToolbar/alxf-2.19
        Host: www.domain.com
        Connection: Keep-Alive
    
    SERVER RESPONSE: 302 Found
        Date: Mon, 12 May 2014 14:16:30 GMT
        Server: Apache
        X-Powered-By: PHP/5.4.27
        X-Pingback: http://www.domain.com/xmlrpc.php
        Expires: Wed, 11 Jan 1984 05:00:00 GMT
        Cache-Control: no-cache, must-revalidate, max-age=0
        Pragma: no-cache
        Set-Cookie: kpg_stop_spammers_time=1399904192;
        expires="Mon, 12-May-2014 14:17:32 GMT"
        Location: http://www.domain.com/safe-entrance.php
        Content-Length: 0
        Connection: close
        Content-Type: text/html; charset="UTF-8"
    
    Redirecting to http://www.domain.com/safe-entrance.php ...
    
    2. REQUESTING: http://www.domain.com/safe-entrance.php
        GET /safe-entrance.php HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Accept-Language: en-us,en;q=0.5
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 AlexaToolbar/alxf-2.19
        Host: www.domain.com
        Connection: Keep-Alive
    
    SERVER RESPONSE: 200 OK
        Date: Mon, 12 May 2014 14:16:32 GMT
        Server: Apache
        X-Powered-By: PHP/5.4.27
        X-Frame-Options: SAMEORIGIN
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        Pragma: no-cache
        Set-Cookie: kpg_stop_spammers_time=1399904193;
        expires="Mon, 12-May-2014 14:17:33 GMT"
        Set-Cookie: wordpress_test_cookie=WP+Cookie+check;
        path=/
        Set-Cookie: PHPSESSID=l3fikmuoao3onkq79kkl9bhkv1;
        path=/
        Connection: close
        Transfer-Encoding: chunked
        Content-Type: text/html; charset="UTF-8"
    
    Destination URI: http://www.domain.com/safe-entrance.php
  4. Faison
    Member
    Plugin Author

    Posted 9 months ago #

    Hi dmpp,

    Thanks for the kind words :D

    You shouldn't be getting a 302 redirect when trying to access <your site>/wp-login.php, should always 403. But you can type the following into your terminal to test that manually:
    curl -I <your site>/wp-login.php

    By the way, If people start to get smart, PFF will automatically change the login url after 30 or more login failures occur in a minute.

    Finally, how do you know those 10-15 attempts weren't legit login attempts?

    Thanks,
    Faison

  5. dmpp
    Member
    Posted 9 months ago #

    Hi Faison,

    Thanks - I will try the cURL command when I get a chance.

    I know the login attempts were fake because of the stop spammer plugin. It shows me the username and password that was attempted, along with the IP. Majority of the attempts are like this - same username and password, but the IP is changing:

    2014/05/13 08:18:29     96.44.***.****     Gabriel*****/**********     /safe-entrance.php

    (I masked the IP part of the username and the password)

  6. Faison
    Member
    Plugin Author

    Posted 9 months ago #

    Hi dmpp,

    Weird, are they using the same wrong password several times over? Either way, it sounds like Project Force Field is working as intended on your site.
    Since the goal of Project Force Field is to protect WordPress site's from brute force attacks, there's not much we can do to help you with those remaining attempts, sorry :(

    If you don't mind, though, could you copy some of those nice things you said and paste them into a plugin review :D http://wordpress.org/support/view/plugin-reviews/project-force-field#postform

    Thanks,
    Faison

Reply

You must log in to post.

About this Plugin

About this Topic

Tags

No tags yet.