Support » Plugin: Wordfence Security - Firewall & Malware Scan » Multiple wp-login attempts in live traffic

  • Hello,
    I’m really happy with WordFence, it has really helped me securing my site.
    I have a question about firewall and filtering .
    My live traffic shows many wp-login.php and some wp-setup.php attempts from dubious IP sources, coming from ukrain, russia, china, etc who have no business and no interest in my site justifying such activity. There is no blog on this site and no user registration. I have reverted to block all those IPs doing such attempts at wp-login only allowing local regional legitimate traffic.
    Question: am I wrong assuming that these wp-login attempts are malicious or is this “normal” traffic ? Why doesn’t the firewall block IPs coming from bots doing this if its malicious ?
    Thanks for helping me better understand this

Viewing 4 replies - 1 through 4 (of 4 total)
  • It’s “normal” malicious bot traffic…. ever since late November 2016, the number of wp-login “pokes” has risen exponentially on many WP sites. With Wordfence enabled, assuming you have strong passwords enabled, and your site hasn’t otherwise been compromised, you can probably safely disregard these attempts as just “poking”.

    You can block them, but that’s pretty much a game of whack-a-mole. The IPs change continuously, so blocking them becomes pointless, unless you see specific ones appear repeatedly.

    Also – switching to the premium version of Wordfence in order to enable country-blocking also goes a long way to reducing these wp-login attempts.

    NOTE: I am not part of Wordfence support, just a long-time user…

    • This reply was modified 5 years, 4 months ago by bluebearmedia.
    Thread Starter pblondeaux

    (@pblondeaux)

    Thanks a lot for your comments. Yes I use strong passwords, so no harm done yet and instead of trying to whack-a-mole I start blocking the whole subnet, that’s radical and might block some legitimate users but its safer. KR

    “…instead of trying to whack-a-mole I start blocking the whole subnet…”

    From what I could see of this massive rise in wp-login pokes, they come from different IPs with completely different subnets, so really it’s still whack-a-mole. Eventually, you’d end up blocking massive swaths of IPs – very inefficient.

    Country-blocking is much better to restrict access (assuming your site isn’t intended for fully-international visitors), but you could also simply block the more common offenders – Russia, Ukraine, China, France (figuring out the worst offenders in your case would come from reading your logs)….

    Point is, there is really no one single strategy that is available to deal with it – you have to use multiple restriction options.

    • This reply was modified 5 years, 4 months ago by bluebearmedia.
    Thread Starter pblondeaux

    (@pblondeaux)

    I agree that country blocking would be best in my case, these countries are indeed the usual suspects. France is a more complex case because legitimate traffic also comes from there. Selective blocking using a filter detecting “wp-login” attempts combined with a white list might be a solution.
    Thanks

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Multiple wp-login attempts in live traffic’ is closed to new replies.