Login Security Solution
[resolved] Stopped recording IP in database? (9 posts)

  1. cdrak0715
    Posted 2 years ago #

    I can see in the website log that there have been attempts to access wp-login.php, but the IPs aren't listed in the wp_login database. Any ideas?


  2. Daniel Convissor
    Plugin Author

    Posted 2 years ago #

    LSS failure tracking gets stored the wp_login_security_solution_fail table.

  3. cdrak0715
    Posted 2 years ago #

    Sorry, I'm afraid my original post wasn't clear. I can see attempts in the latest visitor logs from my hosting service, but I don't see them recorded in wp_login_security_solution_fail. There's a gap in the records. Some attempts did get recorded later in the day, but it's odd that some were skipped. The only thing I can think of is that whoever found the log in page, didn't try to log in which is weird, but it's the only thing that makes sense.

    On the bright side, it looks like there hasn't been an attempt since yesterday afternoon (around 3pm EDT), so maybe they're taking the hint!

  4. Daniel Convissor
    Plugin Author

    Posted 2 years ago #

    In your web server access logs, were the requests HTTP POST or GET? If it's GET, then it's just the page being loaded. If it's POST, then it's probably an auth request.

  5. cdrak0715
    Posted 2 years ago #

    Not clear from the log. This is what I'm seeing. This IP wasn't recorded in wp_login_security_solution_fail.

    Http Code: 200 Date: Jun 14 02:57:59 Http Version: HTTP/1.0 Size in Bytes: 3117
    Referer: -
    Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0

  6. Daniel Convissor
    Plugin Author

    Posted 2 years ago #

    You're looking at some user interface. You'll need to SSH into the server and look at the raw logs.

  7. cdrak0715
    Posted 2 years ago #

    Yes, I'm looking at it through CPanel.

    Anyway, I'm really confused now. I got a bunch of email alerts about being under attack, but when I lookup the IPs in wp_login_security_solution_fail I only see a few hits for the IPs reported in the emails.

    Example, I got this email

    Component                    Count     Value from Current Attempt
    ------------------------     -----     ---------------------------
    Network IP                       1     188.135.15
    Username                        50     admin

    If I run the following SQL statement:
    SELECT * FROMwp_login_security_solution_failwhereiplike '188.135.15%'

    I get this result:

    fail_id   ip            user_login    date_failed
    2908 admin         2013-06-16 06:19:43
    3161 administrator 2013-06-16 06:31:01
  8. Daniel Convissor
    Plugin Author

    Posted 2 years ago #

    Examine the "Count" column in the email. It shows there was only one hit for the Network IP but 50 for the Username.

    Please note, the email shows the data for the attempt that takes you over the reporting threshold. To show the exact data set in question you'd need to use all three data points in the query's WHERE clause: Network IP, Username and Password MD5. Putting only one or two items in the WHERE clause will produce different results.

  9. cdrak0715
    Posted 2 years ago #

    Thanks for the clarification, explanation and patience. Much clearer now. It seems to me the attempts have slowed since I installed this and that makes me very happy.

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • Login Security Solution
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic


No tags yet.