Just a month ago I made a website for my client. It’s an e-commerce site (WooCommerce), but since about two weeks ago I had reports of about 400+ failed login attempts every day (Nobody apart from me even knows that there’s a login for the site, my client has advertised the site either)
I enabled Cloudflare’s “I’m Under Attack Mode”, which lowered it to about 2 or 3 a day. But recently I started getting about 40-70 a day. I looked at my Cloudflare logs and manually blacklisted those IPs, but the number keeps on increasing.
I made a new user account to see if any login attempts would happen on this one (I had no activity on this new account), but somehow whatever is doing all these attempts found the account and started making attempts on that account too.
Looking further at the logs I can see most of these requests to the wp\_xmlrpc gateway. Although some were through the regular wp-admin and one through a gateway I had never seen before: wp\_woo\_login.
What can I do to reduce all the attempts? Are these alarming?
Things to do:
1. Update all plugins, themes and WordPress.
2. Change the login URL to a custom URL.
3. Delete admin named username. Use custom usernames.
4. Use a 10 digit alphanumeric strong password.
5. Install a login limiter plugin or use a 2FA plugin.
6. Disable RSS and xmlrpc.
7. Use any WordPress hardening plugin and run a basic WordPress audit.
8. If possible, change the wp config php file permission to read only for the time being.
9. Use Cloudflare to reduce auto login bots.
This should solve your problem.
Hit upvote if this helps
Disable XML-RPC, limit login attempts, use 2FA, update WooCommerce, change admin URL, monitor logs, harden WordPress, and consider a WAF for security. These attempts are alarming and indicate targeting.
You might have a key logger installed on your computer stealing everything you type in. I can be super paranoid. To test, use a completely different computer, location and internet.
You might have an SEO plugin enabled.
If it’s just failed logins, that’s kind of normal.
You should figure out what those are, a username that exists or random.
WooCommerce does have its own login page.
Try Wordfence as a local firewall; it’ll block requests when the username just doesn’t exist.
Make any admins or users with roles to anything sensitive use two factor auth.
I have some really awesome Cloudflare WAF rules I use on every website to prevent stuff like this. DM me and I can send over the expressions
You should be able to limit log in attempts with a simple plugin like Wordfence and make sure you have 2fa enabled.
I’ve had this happen a few times a year and always shut it down by having the attempted logins block the IP after 5 tries and have two factor log in enabled
Install Wordfence. Tweak its settings to:
* block any ip after 3 failed attempts
* block to max duration
* immediately block attempts using an unknown username
* disable xmlrpc (in the Login Security > Settings menu)
This isn’t a targeted attack, it’s relatively normal for an unprotected WordPress site.
Also use Cloudflare and set up WAF rules. You can block problem countries. Learn which countries are a problem via your Wordfence logs (Wordfence > Tools menu).
And as always, use strong, complex passwords.
It’s unfortunately something that happens to all of us. It’s hardly I’m Under Attack material. It’s just cybercreeps doing what they do whenever their illicit bots find a WordPress site. Sometimes it seems like running a web site is like scuba diving in a sewer.
Mitigation. Disable self-service account creation. Make sure your passwords are strong — hard to guess. This is why the core team added that password-strength meter to the profile page.
If you allow comments use Akismet and require admin approval for first-time comments.
When this gets really bad, MY hosting provider disables wp-login.php, then sends me an email saying so. I can ssh in and re-enable it when I need to, or they’ll do it for me if I open a tix.
Unfortunately, these attempts are normal. I don’t think they’re targeted. Every website gets them. The more popular, the older your site (start ranking higher) the more you will get them.
It is great that you put your site behind Cloudflare. Manually blocking them is one option as you already did, but try to block country or countries that are not your target market.
They are rotating proxies to get around IP, country restrictions.
As long as you use
– DNS level protection with Cloudflare (you already do this)
– 2FA (with app, no SMS)
– A password manager to generate and manage your passwords
– Most hacks happen because of plugin/theme vulnerabilities. Keep them all up to date. Remove unused ones.
– On the plugin level, use OOPSpam to minimize spam and abuse on your login forms.
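
An added example, not part of any post in the thread: one way to do the log review the question describes, tallying POSTs to the login endpoints by endpoint and by client IP, and counting how many attempts a per-IP lockout would miss when the sources rotate. The log lines are constructed, Combined Log Format is assumed, and `/my-account/` is an assumed WooCommerce login path.

```python
import re
from collections import Counter

# Login-capable endpoints named in the thread. "/my-account/" is an assumed
# WooCommerce login path; change it to the site's real page.
LOGIN_PATHS = ("/xmlrpc.php", "/wp-login.php", "/my-account/")

# Combined Log Format: ip - - [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} '
)

def summarize(lines, per_ip_threshold=3):
    """Tally POSTs to login endpoints by endpoint and by client IP."""
    by_endpoint, by_ip = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        endpoint = next((p for p in LOGIN_PATHS if path.startswith(p)), None)
        if endpoint is None:
            continue
        by_endpoint[endpoint] += 1
        by_ip[m["ip"]] += 1
    # IPs that a per-IP lockout at this threshold would block.
    noisy = sorted(ip for ip, n in by_ip.items() if n >= per_ip_threshold)
    # Attempts spread thinly over many IPs, which a per-IP lockout never sees.
    under = sum(n for n in by_ip.values() if n < per_ip_threshold)
    return {"by_endpoint": dict(by_endpoint), "noisy_ips": noisy,
            "distinct_ips": len(by_ip), "under_threshold_attempts": under}

def _line(ip, method, path):
    # Constructed sample line; addresses come from documentation ranges.
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" 200 512 "-" "-"'

SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/xmlrpc.php")] * 3
    + [_line("198.51.100.1", "POST", "/xmlrpc.php"),
       _line("198.51.100.2", "POST", "/wp-login.php?action=login"),
       _line("198.51.100.3", "POST", "/xmlrpc.php"),
       _line("192.0.2.10", "POST", "/my-account/"),
       _line("192.0.2.11", "GET", "/wp-login.php"),   # page view, not an attempt
       _line("192.0.2.12", "POST", "/checkout/")]     # not a login endpoint
)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

In the sample, one address crosses the lockout threshold while four attempts arrive from four other addresses, which is why the replies pair per-IP limits with 2FA and with disabling XML-RPC.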