Viewing 9 replies - 1 through 9 (of 9 total)
  • Is WHM your cpanel for the webhost?

    tim

    Thread Starter monk3

    (@monk3)

    Yes.

    What response codes are they giving? Or can you just see they are arriving at the site?

    tim

    I use WHM myself — where are the brute force attempts shown?

    If it is under “cPHulk,” that is separate from your WordPress logins. cPHulk doesn’t monitor WordPress or any other software on your hosted sites — but it does protect WHM/cPanel logins, SSH, FTP, and possibly local mail accounts.

    They have more detail here:
    https://documentation.cpanel.net/display/ALD/cPHulk+Brute+Force+Protection

    Hope this helps.

    Thread Starter monk3

    (@monk3)

    @mwrusnak: It gets me another step closer, thanks.

    Thread Starter monk3

    (@monk3)

    @tim: Not seeing any codes. Here’s an example, redacted:

    6 failed login attempts to account info@hhhhhhhhh.com (pop3) — Large number of attempts from this IP: 94.102.xx.xxx

    Reverse DNS: user186.xxxxxxxx.net

    Origin Country: Netherlands (NL)

    @monk3: That is actually normal in WHM — Wordfence can only monitor and control web traffic that is reaching the site that WordPress+Wordfence is installed on — usually under a single cPanel user you created, unless WordPress is installed as the main site.

    The log message above mentions “(pop3)”, which means they’re actually trying to access email accounts, like a desktop mail client would, which doesn’t go through the web server software — so Wordfence cannot see that at all.

    On a site I handle, we actually turned off pop3, because none of us need to use that to access email anyway. We use IMAP instead, and don’t get nearly as many attempts there. We still get a lot of access attempts on SSH and some on FTP though, which also cannot be addressed by Wordfence. cPHulk does do a pretty good job of protecting those services, though, assuming no one is using really bad passwords that would be guessed in a small number of attempts — our only problem is that large attacks can significantly slow down our server for a while.

    Thread Starter monk3

    (@monk3)

    @mwrusnak: Your info is very helpful. I didn’t realize inputs.
    We do have hulk as well as part of a number of defenses, and the total sum seems to be working well.
    Question: in WF, (1) how long do you typically block them for? (2) do you ever make them permanent? (3) How do you determine who to block from the site as compared to locking out from login, and on what basis?

    Thanks.

    @monk3:
    1 & 2 — For me, Wordfence has mostly been working well enough with automatic blocking, with the Wordfence security network turned on. (If you are familiar with your access_log files, you will see that when someone is blocked by the Wordfence network, it will have a 503 HTTP response.) I usually only block an address manually if I see it coming back for 20-30 minutes or more, just because it seems to end their request a little faster (probably due to other plugins not needing to do any processing). Usually, when I see an address repeatedly trying to log in that is obviously not a real user, I’ll block them permanently.

    3 — I generally block them from accessing the site entirely, since I’m only manually blocking IP addresses that are obviously bad. I often see that their hostnames are hosting companies, which wouldn’t be a normal user anyway. In the site I’m working on, 90%+ of users are from one region, so the China and Russia IPs are very unlikely to be real users, too — so I’m typically not worried that I’ll be blocking people with dynamic IPs that might end up assigned to another real user, or people sharing an IP on public wifi — but that might be a consideration for you, depending on your site’s audience.
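
Added example, not part of the thread: one way to check an access_log for what the last reply describes, namely addresses that keep posting to wp-login.php for 20 minutes or more, and how many of their requests were answered with a 503. It assumes Apache's combined log format; the function name, the 20-minute default and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: client IP, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def persistent_login_sources(lines, min_span=timedelta(minutes=20)):
    """Return {ip: {...}} for IPs whose POSTs to wp-login.php span >= min_span."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or not a login submission
        if not m["path"].split("?")[0].endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[m["ip"]].append((ts, int(m["status"])))
    report = {}
    for ip, hits in seen.items():
        times = [t for t, _ in hits]
        span = max(times) - min(times)
        if span >= min_span:
            report[ip] = {
                "attempts": len(hits),
                # 503 is the status the reply above associates with a block
                "blocked_503": sum(1 for _, s in hits if s == 503),
                "span": span,
            }
    return report

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2016:10:09:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2016:10:26:30 +0000] "POST /wp-login.php HTTP/1.1" 503 512 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2016:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2016:10:01:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2016:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2900 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, info in persistent_login_sources(SAMPLE_LOG).items():
        print(ip, info["attempts"], "attempts,",
              info["blocked_503"], "answered 503, over", info["span"])
```

Mail-service attempts such as the pop3 notice quoted earlier never appear in this log, since they do not pass through the web server.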

  • The topic ‘Worfence Country Block feature appears to not work’ is closed to new replies.