Hi all. I’m really out of date on WP; the last time I set up sites manually on my own servers was in the early 2000s. But I’m trying to help out a friend with a shared project — a local, small-town newsmagazine based on WordPress. Our site is hosted by GoDaddy (not my choice, but porting it would be painful).
We’ve been up for literally *years* with no issues. But this year, this fall, sometime in the last month or three (not sure quite when it started) we’ve started having problems with login denied because “too many failed login attempts.” There are two author/admins, and neither of us has been able to log in for days now. We can still sneak in via GoDaddy, but our wp-admin login page is now useless.
I poked around in the site settings via GoDaddy, and looked at our failed login limit plugin. It keeps some history and stats. I looked at “failed logins per day” stats for the last month and my jaw hit the floor. Either that plugin is corrupted or something very strange is going on, because it’s logging over *1 million* failed login attempts *per day*. Most are from the US, a chunk from Russia, a chunk from China, and so on.
This is really hard to believe because we are a very tiny, very obscure little home-town online newspaper in the back of beyond, BC, Canada. I cannot imagine how or why we would get targeted on this scale. It seems easier to believe that the plugin is corrupted and the numbers are nonsense. But just in case these numbers are correct, I’m scared to turn it off!
I’m not sure what to do next. Is this a common experience? How would we go about recovering? I did try whitelisting (in the failed login limit plugin) my own username and IP address — because my password is fairly guess-proof — but it doesn’t seem to help. Still locked out.
We are limping along, continuing to update content by the “GoDaddy back door” method, but it’s rather painful. Any and all comments, insights, recommendations, advice, etc. would be most welcome.
Scratching my head….