Permanently blacklisted IP still trying to access files

AThomas92
(@athomas92)

9 years, 7 months ago

Hi,

We’ve been having trouble with someone trying to hack into our WP site over the last couple of days (from the behaviour it looks like a brute force attack). I’m confident they won’t be able to gain access but to try and prevent the requests from adding to the server load I blacklisted the IP through WP security (I did this yesterday morning).

However, when I got into the office and checked my emails this morning, I found another ~400 emails from iThemes saying the same IP had been permanently locked out for trying to access a file that doesn’t exist.

Here’s a copy of the latest email from iThemes:

Dear Site Admin,

A host, 100.43.81.142, has been locked out of the WordPress site at http://www.hiblio.eu due to too many attempts to access a file that does not exist.

The host has been locked out permanently .

*This email was generated automatically by iThemes Security. To change your email preferences please visit the plugin settings.

Surely this means the blacklisting hasn’t worked, because they wouldn’t even be able to try and access the files in the first place?

Any help would be much appreciated.

Thanks

https://wordpress.org/plugins/better-wp-security/

Viewing 6 replies - 1 through 6 (of 6 total)

Plippers
(@plippers)

9 years, 7 months ago

@athomas92

This is my current situation with iThemes Security too. I’m afraid I can’t be of help, but adding my voice and subscribing to this post!

Good luck!

kaifanun
(@kaifanun)

9 years, 7 months ago

Hi, Same here. permanently blacklist not working. Same IP still hitting my server.

*B.V.RammannaRaau*
(@reviewkeys)

9 years, 7 months ago

One of the following are best solutions to avoid brute force attacks.

1.My first choice is adding http authentication to wp backend (even login url is changed to custom one).
2.Change default login or backend access of wp to custome one, i use hide back end feature of iThemes Security.
3.Crawling frequency is too high from some rogue bots, crawlers, search engines, spiders etc. Block them using .htaccess. If possible block specific countries where you don’t have bussiness.
4.Protection site with Project HoneyPot or Cloudflare or ButeProtect or similar ways.
5.Country specific blocking either ip tables or using plugins like IQ Block Country.

My best bet as follows:
iThemes Security + HTTP Authentication + IQ Block Country without any conflicts these combinations work.

ButeProtect is also good option as it is acquired by wordpress developers company Automatic just couple of days back. It will be added to jetpack in the upcoming version. Till then even Premium feature of this plugin also changed to FREE.

Michael
(@lilmike)

9 years, 7 months ago

Hi,
I am actually getting the same problem. I got around 380 emails in around a 20 minute span, then they stopped. By any chance are you using nginx? If you’re using nginx I believe it says something about you having to restart the server to refresh the ban list.
Hth,
-Michael.

Thread Starter AThomas92
(@athomas92)

9 years, 7 months ago

Hi everyone, thanks for the replies. @b.V.Ramanarao – I’m going to give BruteProtect a go on your recommendation so I’ll let you know how I get on. Thanks 🙂

oogabooga
(@oogabooga)

9 years, 2 months ago

Hi,
I get between 10-20 of these emails a day:

Dear Site Admin,

A host, 148.251.138.201, has been locked out of the WordPress site at http://odindownload-com.com due to too many attempts to access a file that does not exist.

The host has been locked out permanently .

*This email was generated automatically by iThemes Security. To change your email preferences please visit the plugin settings.

Most are just locked out for a few hours and iv had 2 permanently locked out. I was wondering how to tell the difference between real attacks and someone genuinely looking for the file, and most importantly What file is it?
Thanks