Wrong Password entries

  • laszlokatona

    (@laszlokatona)


    4 years, 5 months ago

    Hi,

    Our site has so many (~20k/day) “Wrong Password” even if we use captcha v3, disabled xmlrpc and json api.
    We have strong password policy as well but this attack is still disturbing.
    How this plugin counts “Wrong Password”?
    Do you think the attempts blocked by captcha logged as well? (however I only see high score attempts on google dashboard)
    And what about the unauthorized API responses? Are they recorded?

    Thanks in advance,
    Laszlo

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter laszlokatona

    (@laszlokatona)

    4 years, 4 months ago

    Hi, I figured out that these attempts used POST requests to wp-login.php.
    I reproduced the POST request, without any correct captcha verification and got the same “Wrong Password” entry even if the password was correct.

    I use
    “Google Captcha (reCAPTCHA) by BestWebSoft” plugin with reCaptcha v3.

    I understand it is not trivial to distinguish incorrect password and failed captcha verification.
    Do you have any recommendation how to manage it?

    Thanks,
    Laszlo

    amjo31

    (@amjo31)

    4 years, 4 months ago

    I have the exact same issue, though i don’t have captcha on it. it’s crazy, i get wrong password recordings every minute.

    • Author column is empty
    • i get a new IP address each time
    • Type User
    • Label Empty
    • Action Wrong Password
    • Description is showing one of the usernames. But im guessing this is random? because if someone is actually guessing a bruteforce password, the “Author” column show display the full name of that username

    Sincerely,
    paranoid web admin 😛

    Thread Starter laszlokatona

    (@laszlokatona)

    4 years, 4 months ago

    Welcome to the club 🙂
    So far I could identify that in my case these requests were simple POSTs to the login.php.
    I reproduced it manually and the captcha blocked the request, however this plugin logged it as Wrong Password action.
    Therefore I asked here if anyone or the author knows the way how to distinguish these actions.
    Probably it is hard to bypass google’s recaptcha v3 so I’m not nervous about it anymore.

    Hope this information useful for you. I recommend to install re-captcha v3, it is invisible, so won’t annoy the users. I also suggest to disable xmlrpc and wp-json api (with plugin or custom code) as I mentioned above. xmlrpc can definitely bypass captcha while json api leaks user names (I have no idea why they are enabled by default).

    Disclaimer: I’m not a wp expert but have some security related experience in various IT areas.

    rtaust

    (@rtaust)

    4 years ago

    I’m seeing the same issue. ‘Wrong Password’ attempts to all of our admin users. I even deleted one of the users and it still showed ‘wrong password’ attempts for the deleted users…. not sure how that is possible…

    I tried moving the login page, added recapta, and also added 2 factor authentication but still get the ‘wrong password’ attempts.

    Whats going on?

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Wrong Password entries’ is closed to new replies.