Support » Plugin: Wordfence Security - Firewall & Malware Scan » Repeated attempts to log in to admin

  • Resolved haveonelikethis

    (@haveonelikethis)


    Hi
    I am using the latest free wordfence and it is doing all that I would want it to do – super protection. But for the past week or so I have been inundated with repeated attempts to log in as admin or sometimes user by numerous itterations of for example 78-7-3-214-static.albacom.net . The wordfence stops all these as I have been canny enougth to use a more complicated version of user id for admin. So far all well and good as the scum have been blocked. What I am worried about is what effect is this having on the server and what load is being placed on the system as this seems like a DDOS attack. Is there any way of blocking all traffic from the base address ie all traffic from albacom.net. There seem to be only about three of these domains that must have been hacked.
    Sorry if this is long but I am fed up to the back teeth of this type of attack.
    Colin

    https://wordpress.org/plugins/wordfence/

Viewing 15 replies - 1 through 15 (of 81 total)
  • I’m seeing the same from various IP ranges on albacom.net and also fastwebnet.it across several sites I manage. I’ve tried a few different settings in advanced blocking but haven’t hit on a blanket fix yet.

    I would think the Real-Time WordPress Security Network would be blocking these by now, but apparently not.

    exactly what I have tried and experienced. Surely the wordpress security network can do something about this. It seems to be a wholesale attack blasted out everywhere. Any response from the security guys?

    I too can second this. I am regularly seeing those two ip ranges and am considering removing the login page temporarily to prevent a ddos attack unless wordfence can do something to block them.

    Try setting Wordfence to immediately block login attempts with the username “admin”, then either block the range of IP addresses manually through your .htaccess file or, if available, through your cPanel -> Security -> IP address Deny Manager

    Btw. Backup your .htaccess file first before making any changes as it is very sensitive.

    I have been seeing the same thing for about a week. I immediately block login attempts with the username “admin” and I have the lockout set for 60 days. I am also using advanced blocking to block ranges of IP addresses. They try with 12 to 16 IPs about every four hours. I’m not sure why they continue to waste their time.

    Please take the time to report the problem to the ISP. If they hear from enough of use maybe they will do something.

    [ redacted ]

    fastwebnet.it is FASTWEB-POP-INTERNET their abuse contact is abuse@fastweb.it

    They are going to want as much of a log as you can provide. It should include dates, times, type of attack, their IP numbers and the IP and domain name of your wordpress site.

    If anyone knows the full range of IP addresses for either one of these ISPs please share it. I’d much rather see this bot network shut down than blocked. I almost always report this type of thing. If it is a bot on a US web hosting provider they almost always find and remove it.

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    If anyone knows the full range of IP addresses for either one of these ISPs please share it.

    *Drinks coffee*

    Please don’t do that (sharing that info I mean). Blocking IPs is a temporary solution as those bots will find some other set of hosts to abuse your server from.

    And the permanent solution is?
    “Goes back to sleep”

    Plugin Author WFSupport

    (@wfsupport)

    @jan – No coffee drinking unless you brung enough to share 😉

    Head over to http://www.wordfence.com/ and check out the graph if you want to see the numberr of attacks going on right now. When I posted this, it was almost 29,000 a minute.

    Another thing you can do to help is check the box to participate in the wordfence security network. That way when someone else in our network blocks aa spammy ip address, it blocks it on your site too.

    David has the right idea, though. The ISP’s should know who is infected on their network and reporting it to them helps.

    tim

    I just did a count of the hits from static.albacom.net and there were over 400 static.albacom.net IP addresses involved since 12/10/2014. I am sure it is about the same for fastwebnet.it. There were a few from other ISPs including Comcast Business but most of the other ones were also Italian ISPs.

    This has been the most persistent attack I have seen since installing Wordfence. This is also by far the most bot IP addresses on two ISPs that I have ever seen. I am assuming it keeps rotating targets and gets back to me about every four hours.

    Plugin Author WFSupport

    (@wfsupport)

    We’re in the tail end of a pretty big attack cycle. We only see about 17,427 attacks a minute right now but last week it was somewhere near 40,000 a minute!

    tim

    Do you know if Albacom and Fastweb ISPs have begun working on this problem. I am getting 4 or 5 fewer IPs because I have most of them blocked but I am still getting attacked every four hours.

    I have exactly five login attempts every four hours from the last two weeks.
    All attacks comes from fastwebnet.it (and always from a different IP)

    Well thanks to Barnez I immediately blocked admin and this seems to have done the job as I am not now getting plagued with all the logging attempts ALTHOUGH some other wordpress sites where I have not done this have gone quiet as well so maybe the ISP’s have managed to smash these attempts.
    At last look there were over 11,369 attacks per minute so looks like there is still major activity out there. My concern is still what effect it has on the server load with all these login attempts.
    Anyway many thanks to everyone for their support and ideas.
    Happy new year to one and all

    I’m seeing this as well, but only on one particular WordPress site (out of several I manage). It started over a week ago. I get between nine and twelve admin login attempts every four hours, always from different IP addresses, but all from static.albacom.net and fastwebnet.it.

    I tried to report the attacks from Albacom to abuse.italy.g@bt.com, but their inbox was full. I reported to ipstaff.italy@bt.com as well, but so far no reply.

    I have Wordfence configured to immediately lock out attempts to log in as ‘admin’ and keep them locked out for 60 days, but since the attacks rarely seem to use an IP more than once, this doesn’t do much to stem the flow.

    I understand that Wordfence is doing its job, so I’m not concerned about potential damage to my site. But something funny is clearly going on in Italy, and someone needs to know about it so they can fix it.

Viewing 15 replies - 1 through 15 (of 81 total)
  • The topic ‘Repeated attempts to log in to admin’ is closed to new replies.