Title: WordPress site under attack
Last modified: August 30, 2016

---

# WordPress site under attack

 *  [Scott Paterson](https://wordpress.org/support/users/scottpaterson/)
 * (@scottpaterson)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/)
 * I have a WordPress site that is under attack.
 * I am using the limit login attempts plugin. So I get an email for every failed
   attempt. I have had about 30 attempts today each one using a different IP, about
   30 mins apart (as my plugin is blocking that IP on a failed attempt).
 * I am using nginx and have made /wp-admin hidden so it returns forbidden.
 * I have also changed wp-login.php to wp-login.php_somethinghere
 * But for some reason it’s not stopping the attempts. My guess is that the hacker
   must be using a proxy server and posting directly to a file but which one? Any
   ideas?
 * Thanks!
 * IP list so far in case it helps in some way:

Viewing 15 replies - 1 through 15 (of 25 total)


 *  Anonymous User 9055193
 * (@anonymized-9055193)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/#post-6328826)
 * You’ve done a great job to pay attention to security thus far. Sounds like the
   plugin is doing its job. Also keep in mind: these “attacks” will always occur.
   You’ve probably already read this, but it’s worth another look…
 * [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)
 *  Thread Starter [Scott Paterson](https://wordpress.org/support/users/scottpaterson/)
 * (@scottpaterson)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/#post-6328830)
 * Thanks Tada,
 * Yes, I have already read that. I am doing the normal stuff like not using admin
   as the username, etc.
 * But my real question is – how can someone attempt a username combo when wp-login.php
   has a different file name? I took a look at the code and it seems that the
   login form posts to itself.
 *  Anonymous User 9055193
 * (@anonymized-9055193)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/#post-6328838)
 * That’s a good question. They are really looking for the input form. The file 
   name is irrelevant. I recommend protecting your wp-login.php …
 * Password Protect wp-login.php
    [https://codex.wordpress.org/Brute_Force_Attacks](https://codex.wordpress.org/Brute_Force_Attacks)
 *  Thread Starter [Scott Paterson](https://wordpress.org/support/users/scottpaterson/)
 * (@scottpaterson)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/#post-6328960)
 * Thanks Tada,
 * I took a look at the page on brute force attacks and it recommends protecting
   wp-login.php…. but that’s the thing. I renamed it so there is no (easy) way that
   a bot could detect the new file name. That is why I am so confused about how 
   attempts are still being made.
 * If someone could explain this to me I would appreciate it.
 * And yes, my site is still under attack for the 3rd day now.
 *  Thread Starter [Scott Paterson](https://wordpress.org/support/users/scottpaterson/)
 * (@scottpaterson)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/#post-6329050)
 * Update. I am still getting attacked.
 * I went ahead and did a full nginx IP block:
 *     ```
       # Deny every request to /wp-admin and wp-login.php
       location ~ ^/(wp-admin|wp-login\.php) {
           deny all;
       }
       ```
   
 * But I am still getting login attempts emailed to me via the limit login attempts
   plugin. What is going on? How can I stop this?
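
Added example, not part of the original thread: one way to answer the "posting directly to a file but which one?" question is to tally POST requests in the nginx access log by path and see which ones are still being served. The log lines are constructed samples, the function names and the `min_ips` threshold are assumptions, and the first log field is assumed to be the visitor's address (behind a proxy such as Cloudflare that requires nginx to restore it).

```python
import re
from collections import defaultdict

# Constructed sample in nginx's default "combined" format (documentation-range
# addresses, not data from this thread). /xmlrpc.php is included because
# WordPress also checks usernames and passwords sent to that file.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 403 162 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2015:10:30:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2015:11:00:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2015:11:31:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jan/2015:11:45:09 +0000] "GET /wp-login.php HTTP/1.1" 403 162 "-" "Mozilla/5.0"
203.0.113.80 - - [01/Jan/2015:12:02:33 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def post_targets(lines):
    """Tally POST requests per path: hit count, distinct client IPs, status codes."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "statuses": defaultdict(int)})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or not a form/API submission
        entry = stats[m["uri"].split("?", 1)[0]]  # drop the query string
        entry["hits"] += 1
        entry["ips"].add(m["ip"])
        entry["statuses"][m["status"]] += 1
    return stats

def suspects(stats, min_ips=3):
    """Paths still served (status other than 403) to POSTs from >= min_ips addresses."""
    found = []
    for path, e in stats.items():
        served = sum(n for status, n in e["statuses"].items() if status != "403")
        if served and len(e["ips"]) >= min_ips:
            found.append((path, len(e["ips"]), served))
    return sorted(found, key=lambda t: -t[1])

if __name__ == "__main__":
    for path, ips, served in suspects(post_targets(SAMPLE_LOG.splitlines())):
        print(f"{path}: {served} POSTs served to {ips} distinct addresses")
```

A path that shows up here is one the `deny all` rule does not cover, so it is the place to add a matching `location` block or rate limit.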
 *  [leejosepho](https://wordpress.org/support/users/leejosepho/)
 * (@leejosepho)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/#post-6329053)
 * Bolting a door closed does not stop people from knocking, so I would guess you
   are getting knock reports.
 * Do you have any throttling in place or are you actually getting hammered? Wordfence
   Security can throttle anything and everything, and NinjaFirewall can stop some
   requests before they ever even reach WordPress. And for actual security at the
   level of .htaccess, BulletProof Security is best-in-class.
 *  [TrueMiller](https://wordpress.org/support/users/truemiller/)
 * (@truemiller)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/#post-6329054)
 * Use [Cloudflare](http://cloudflare.com), it will resolve the DDoS problem and
   make your site faster overall!
 *  Thread Starter [Scott Paterson](https://wordpress.org/support/users/scottpaterson/)
 * (@scottpaterson)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/#post-6329055)
 * [@truemiller](https://wordpress.org/support/users/truemiller/) – I am using Cloudflare
   on the high setting.
 * [@leejosepho](https://wordpress.org/support/users/leejosepho/) – I am going to
   install Wordfence now.
 * Thanks!
 *  [Davler Labs](https://wordpress.org/support/users/davler-labs/)
 * (@davler-labs)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/#post-6329056)
 * Hey Scott,
 * If you’re currently using Cloudflare (on high), currently denying IP addresses
   via nginx, and are still receiving notifications that login attempts are being
   made, there’s a possibility those are delayed messages still trickling in. However,
   if they are live and accurate notifications, you may have something more serious
   on your hands.
 * _[Moderated]_
 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/#post-6329057)
 * @Davler, Thanks for the help, but if you’re adamant that someone needs more support
   than this forum can provide then you can just forward that person onto [WP Jobs](http://jobs.wordpress.net).
 *  [Davler Labs](https://wordpress.org/support/users/davler-labs/)
 * (@davler-labs)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/#post-6329058)
 * [@andrew](https://wordpress.org/support/users/andrew/),
 * I’ve asked Scott some specific questions that he may not want to specifically
   provide publicly. Once our conversation has completed, I’m more than willing 
   to share the verdict reached here on the thread.
 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/#post-6329059)
 * That’s a shame that the conversation appears to have been diverted privately.
 *  Thread Starter [Scott Paterson](https://wordpress.org/support/users/scottpaterson/)
 * (@scottpaterson)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/#post-6329060)
 * No worries.
 * Davler took a look at my site and recommended that I change the permissions to
   wp-login.php. I gave it a try and set /wp-login.php to 600. If I need to log in,
   I can just temporarily change it – I am fine with that if it works.
 * Since I did that I have only had 1 attempted login, which may have been before
   I changed the permission and delayed a few minutes. It does appear to have helped
   at this point. I’ll have to wait a few hours and see.
 * I’ll keep this thread updated for others who may be having the same problem.
 * Thanks to everyone who has helped,
    Scott
 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/#post-6329061)
 * Please Scott, never give away access to your site again. I know you want the 
   solution fast and easy, but you’re asking for help on forums so you should be
   okay with the limitations. All people can do here is post through text. You shouldn’t
   then try to go around the limitations by getting people to contact you privately.
 * [@davler-labs](https://wordpress.org/support/users/davler-labs/), I hope I’ve
   made it clear that contacting people off the forums is not okay. I really hope
   you didn’t enter someone’s installation too!
 *  [leejosepho](https://wordpress.org/support/users/leejosepho/)
 * (@leejosepho)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/#post-6329063)
 * > That’s a shame that the conversation appears to have been diverted privately.
 * Yes, that is never okay, and especially not after solicitation.


The topic ‘WordPress site under attack’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 25 replies
 * 8 participants
 * Last reply from: [leejosepho](https://wordpress.org/support/users/leejosepho/)
 * Last activity: [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-site-under-attack/page/2/#post-6329095)
 * Status: not resolved

