1

I installed Sucuri Security plugin on my wordpress site, and it reported me that my website has 10 failed login attempts by my registered username with from last night until now.

My website hasn`t any problem now but what is the meaning of this attack? What should I do now?

Milad Sobhkhiz
  • 111
  • 3

3 Answers3

1

I think it's pretty common nowadays (based in my logs of hundreds of sites) that Wordpress websites are randomly attacked. I'm guessing you still have the login page at /wp-admin/ and that your login name is shown somewhere in your posts (author) or using the "admin" account.

Basically what some bots do, is to get your id from your site (or try with 'admin'), and try easy passwords attempts (like reversed, or very common ones). They don't do brute force because the intention is not to shutdown your website or spend so much resources in a single website. As you see, those bots try to randomly access any wordpress website with weak passwords (not your specific site). They have more chances that way than forcing a single site. In a similar way, bots try to guess your mysql web-based managing tools, which can be seen at your error logs like:

  • phpmyadmin/ , myadmin/ , mysql/ , etc...

In order to protect yourself against those attacks, this is what I recommend:

  1. Use strong passwords (even better, use paraphrases of 15 chars or longer)
  2. Hide your username and display your name instead (however that won't be 100% effective. Your login name may still leak). If your name is "John", don't use "john" as login name.
  3. Add Apache Basic Authentication to your login page
  4. If possible move away your wp-admin/ (do not use: /admin/ or /login/). There are many ways to do it, some of them not so effective.
  5. You can specify which IP addresses to accept at your login page (example: https://wordpress.org/plugins/restricted-site-access/).
  6. Add HTTPS to your login page.
  7. Keep your Wordpress installation up to date

In case you have administration access to your hosting server (in other words, you are not using a shared service), here are further recommendations (some applies only to Linux servers):

  1. Use fail2ban. You can setup special rules to ban anyone who is trying to scan for phpmyadmin/ or more than X login attempts to your login page. (If you don't know how, let me know and I will post here my filters).
  2. Update your server regularly (specially, apache, mysql and php).
  3. Allow access to your login page only from your country (in case you don't travel often). This step will require to install geoip location libraries and to have some scripting knowledge (perhaps there is an easier way to do it?).
  4. Use a firewall and only allow the ports you need.

I may be missing many other ways to protect yourself, but those are the onces I use at my sites (around 500) since 5 years ago, and so far no breach (that I know).

lepe
  • 2,194
  • 2
  • 17
  • 29
  • Thanks @Lepe for advise. about above numbers:

    1. it`s done

    2. I use my name instead username in site pages and posts, but i think, the attacker road my instagram Bio, at there i write my site address and username is same as WP username.

    3. i should do that.

          1. its done.
     – Milad Sobhkhiz Aug 06 '15 at 06:32
0

I have been thinking that you experienced a brute force attack but you claim that only 10 login failed attempts Sucuri plugin reported to you, so that can not be, at least for the moment, that type of attacks. It is rather something manually done (and more likely by someone who knows you, but this is just my personal point of view regarding my experience with it).

Regarding this fact, I can advice you only from this perspective (non brute force attack), so here things you can do by the moment:

  • I do not know which Wordpress version you are using, but early versions of WordPress defaulted admin as username, if this is the case then you need to change it so that the guessing will be harder.

  • Enhance the strength and security of your password. For this case, I do not want to reproduce what is already largely discussed on this website throughout many posts such as this How reliable is a password strength checker?, or here : Password strength metrics or this one Why are salted hashes more secure for password storage?

  • Protect your website by writing ErrorDocument 401 default in your .htaccess file

  • You can filter who's allowed to access to your wp-admin as well as not allowing no referrer request and, why not, setting a firewall which rules you can update using Fail2ban.
Community
  • 1
0

I'm not familiar with the plugin but it looks like some one knows your login username and could have been trying to guess your password. It's not a brute-force really or I would expect to see more failed attempts in the log.

If it was me I would install a linux VM (to avoid key loggers), VPN into a trusted network (avoid password sniffing) and change the Admin username and password on the site. A really strong username and password.

You could also lookup the IP address that was accessing that page. Most Cpanel's will have that or you might be using google's set of tools for traffic analysis.

Levi
  • 163
  • 1
  • 7