Uber Authentication Failed Notifications

  • Resolved sadler.oliver

    (@sadleroliver)


    Recently, I am getting a number of failed login attempts notifications from my WordPress multisite install. The notifications are coming from Sucuri Security Plugin I have installed on my WordPress multisite install.

    Message: User authentication failed: test; password: FailedLoginFooter

    – –
    The notification is mostly the same with variation in password sometimes as below:
    – password: ou812FailedLoginFooter
    – password: papitoFailedLoginFooter
    – password: parkerFailedLoginFooter
    – password: password1FailedLoginFooter
    – password: peterFailedLoginFooter

    I have tried to search online but have not been successful in finding a proper reason or a solution to the issue on hand.

    Help will be greatly appreciated from someone who has understanding of the matter or someone who may have encountered this issue in the past and found a fix.

    Thanks.

  • I have tried to search online but have not been successful in finding a proper reason or a solution to the issue on hand.

    What issue exactly? Are you referring to the text “FailedLoginFooter” at the end of each password? Or to the fact that you are receiving multiple notifications about a password guessing attack?

    If it is the former, I already fixed this in the alpha version of the code here [1] but the changes have not been approved yet. You can install this version of the code from here [2] or wait until the public release in a couple of days.

    Regarding the password guessing attack [3], I suggest you read this [4] and this [5] to understand what they are and how to stop them. Most people decide to install a firewall in front of their websites to filter out the malicious traffic, others try to block these attacks with elaborate access control rules with their web servers, others use security through obscurity and hide their login page.

    You can use any of these techniques or implement a new one; my personal suggestion is to install a firewall. Sucuri offers one here [6] in case you are interested in paying for a premium service; there are some free alternatives, though, here [7].

    [1] https://github.com/Sucuri/sucuri-wordpress-plugin/pull/40
    [2] https://github.com/cixtor/sucuri-wordpress-plugin
    [3] https://kb.sucuri.net/definitions/attacks/brute-force/password-guessing
    [4] https://blog.sucuri.net/2016/12/ask-sucuri-how-to-stop-brute-force-attacks.html
    [5] https://sucuri.net/website-firewall/stop-brute-force-attacks
    [6] https://sucuri.net/website-firewall/
    [7] https://www.google.com/search?q=web+application+firewall

    Earlier, when I started receiving these notifications, my concern was a brute force attack. However, when the username remained the same as “test” and the password remained similar over time, I understood it was something to do with the internal security check with the plugin.

    However, now I am getting so many of these notifications that it takes quite some time to sort, read and remove the unwanted messages.

    If you have already fixed this, will look forward to an updated version in a few days.

    Thanks,

    The fix I was referring to is to remove the “FailedLoginFooter” from the message, but the rest of the information that you are receiving in your inbox is correct: your website is being targeted by someone and is the victim of a password guessing attack. That is why the username remains the same while the program that they are using tries multiple sequences of text as the password.

    What you can do for now, until you decide to put a firewall in front of your website to stop these attacks, is to block the IP address where the requests are coming from. The IP address is included in the messages that you are receiving.

    You can also reduce the number of mails in your inbox by disabling the “Receive email alerts for failed login attempts” option from the “Alerts” panel in the plugin’s settings page, and then enabling the “Receive email alerts for password guessing attacks” option. This will instruct the plugin to collect all the failed login events into one single message that will be sent to you every hour with the summary of the attack, so instead of receiving one mail per failed user authentication you will receive just one, which will reduce the mechanical work that you are doing by deleting these messages manually.
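The roll-up described in the reply above, as an added example that is not part of the thread or the plugin's code: it parses alerts in the format quoted in the first post, strips the stray “FailedLoginFooter” placeholder, and summarises failed logins per username. The function names, the threshold and the pairing of each alert with a source IP are assumptions; the IPs are constructed documentation-range placeholders.

```python
import re
from collections import defaultdict

# Placeholder text that leaked into the password field of the alerts.
FOOTER_TOKEN = "FailedLoginFooter"

# Alert format as quoted in the thread.
ALERT_RE = re.compile(r"User authentication failed: (?P<user>[^;]+); password: (?P<pw>.*)$")

# Constructed sample: (source IP, alert message). The thread only says the IP
# is included in each mail, so this pairing is an assumption.
SAMPLE_ALERTS = [
    ("192.0.2.10", "User authentication failed: test; password: ou812FailedLoginFooter"),
    ("192.0.2.10", "User authentication failed: test; password: papitoFailedLoginFooter"),
    ("198.51.100.7", "User authentication failed: test; password: parkerFailedLoginFooter"),
    ("198.51.100.7", "User authentication failed: test; password: password1FailedLoginFooter"),
    ("203.0.113.5", "User authentication failed: test; password: peterFailedLoginFooter"),
    ("203.0.113.9", "User authentication failed: editor; password: FailedLoginFooter"),
]

def parse_alert(message):
    """Return (username, attempted_password) or None if the line is not an alert."""
    match = ALERT_RE.search(message)
    if match is None:
        return None
    password = match.group("pw")
    if password.endswith(FOOTER_TOKEN):
        password = password[:-len(FOOTER_TOKEN)]  # drop the leaked placeholder
    return match.group("user").strip(), password

def summarize(alerts, min_distinct_passwords=3):
    """Collapse individual alerts into one summary entry per targeted username."""
    per_user = defaultdict(lambda: {"passwords": set(), "ips": set(), "attempts": 0})
    for ip, message in alerts:
        parsed = parse_alert(message)
        if parsed is None:
            continue
        user, password = parsed
        entry = per_user[user]
        entry["attempts"] += 1
        entry["passwords"].add(password)
        entry["ips"].add(ip)
    return {
        user: {
            "attempts": e["attempts"],
            "distinct_passwords": len(e["passwords"]),
            "source_ips": sorted(e["ips"]),
            # One username with many different passwords is the guessing pattern.
            "password_guessing": len(e["passwords"]) >= min_distinct_passwords,
        }
        for user, e in per_user.items()
    }
```

With the sample data, `summarize(SAMPLE_ALERTS)` flags the username `test` (five different passwords from three source IPs) and leaves the single `editor` failure unflagged.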

    Thanks for your help.
    You have been very helpful with all the information.

    Since the IPs are getting locked out after a certain number of attempts, the attempts are coming from multiple IPs over a period of time. But they never stop.

    Disabling receiving email alerts would hide such attacks for me or any other administrator. So I would not opt for that option either.

    For the time being, before opting for a firewall add-on, I have changed the login slug to something more secure.

    If the attacks continue to come, then firewall will be the next step.

    Once again, greatly appreciate your help to put me in the right direction.

    Cheers.


    Hi,

    I also get the password: FailedLoginFooter issue as described above.

    The difference is that I have blocked the wp-login.php page. It can only be accessed by one IP address … mine. I have denied access to any other … forbidden !

    But, I still get these email alerts. They are always the same except the IP addresses are changing. username: admin … password: FailedLoginFooter

    Can you advise on a possible course of action.

    Many Thanks

    Regards Mark

    @adaptablewebsites: Since I changed the login page from “your site.com/wp-admin” to “your site.com/customname”, it has reduced.

    For added security measures, since I have business websites on a multisite network, I have paid 1 year subscription with Wordfence for additional premium features like cellphone login and dual authentication.

    I have then blocked all other countries in Wordfence besides specific IP addresses. I can still login from other IPs with dual authentication systems.

    These notifications regarding brute force attacks have reduced drastically.

    Thanks for your time in coming back to me. Appreciate it. I understand what’s happening now.
    Thank you

    Same problem. Always the same user name (“admin”), which doesn’t exist on my site, and always the same attempted password (“FailedLoginFooter”). Different IPs.

    So, this is a problem in the plug-in itself? And, I should ignore it and wait for the patch?

    @bruceinlouisville — did you receive that mail before or after the update to version 1.8.8? The current code [1] is supposed to translate “FailedLoginFooter” to this text [2], which basically contains an explanation of what the mail is about and how to disable such notifications. I have tested this several times and it works as expected; it makes me wonder what kind of configuration your website has that the text is not correctly translated.

    To answer your question, yes you can ignore that part of the alert for now, I will try to reproduce the issue and fix it for the next version, although the code that we released yesterday with version 1.8.8 was supposed to fix that once and for all.

    [1] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/13de2f4/src/event.lib.php#L513-L520
    [2] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/13de2f4/languages/sucuri-scanner-en_US.po#L304-L306

    @bruceinlouisville – I wonder if the patch would really work. I have got this error even after having a paid Wordfence firewall and changing the login slug on the backend login as well. So I would think it is something else.

    However, to reduce these notifications and for added security, I am using Rename wp-login.php to change the login slug, and I also paid for a Wordfence annual subscription, changed some security settings and added a firewall.

    After these, the notifications that were bothering have reduced to “none”.
