Because WordPress is such a popular CMS used on the web today, many attackers will try to compromise a WordPress website. Knowing how to review WordPress login attempts in your access logs can help you understand and improve your WordPress security.

This past April there was a large WordPress brute force attack in which attackers tried to break into many WordPress installs. In this guide we'll go over how to check whether your WordPress site is still being targeted.

Look at Latest Visitors in cPanel

To take a quick look to see who has been trying to access your WordPress administration panel, you can simply look in cPanel's Latest Visitors tool following these steps:

  1. Log in to cPanel.

  2. Under the Logs section, click on Latest Visitors.

  3. Beside your WordPress domain, click on View.

  4. Type wp-login.php into the search box with the magnifying glass.

    Then click the Settings cog on the right, and place a check beside the IP, URL, Time, Status, and Method fields.

  5. Review the wp-login.php attempts.

    Here you can see that the IP address 123.123.123.123 first made a GET request for the wp-login.php script, followed by 4 POST attempts, all getting a 200 response. A 200 on a POST to wp-login.php means the login form was served again, i.e. the credentials were rejected; a successful login instead returns a 302 redirect into wp-admin.

    On the 5th POST attempt the login was blocked with a 503 response. This is the signature of a user repeatedly failing to log in to your WordPress admin and then being blocked by our Mod Security rules on the server.

    You might also see many different IP addresses hitting your wp-login.php script here, at a much higher volume. If so, your site could still be under a WordPress brute force attack.

Set up a cron job to email WordPress login attempts

Often you won't be reviewing your WordPress website on a daily basis. In these cases it can be helpful to set up a cron job that sends you a daily report of any attempted WordPress logins, following these steps:

  1. Log in to cPanel.

  2. Under the Advanced section, click on Cron Jobs.

  3. Under the Cron Email section, enter the email address where you'd like to receive the daily WordPress login attempt reports, and click Update Email.

  4. Under the Add New Cron Job section, change the Common Settings drop-down to Once a day (0 0 * * *).

    This defaults to sending you an email at midnight local server time, but you can adjust the Hour field if you'd like it to email you at a different time of day.

    In the Command field, enter the following command, replacing ~/access-logs/example.com with the path to your own WordPress website's access log:

    grep -E "POST .*wp-login.php" ~/access-logs/example.com | awk '{print $1}' | sort | uniq -c | sort -n | sed 's/^[ ]*//'

    Then click on Add New Cron Job.

  5. The email report will give you a list of IP addresses that accessed your wp-login.php script, with how many times each did so, and will look like this:

    30 58.10.130.202
    30 78.164.24.100
    31 223.207.219.14
    32 171.101.134.230
    32 171.5.251.198
    32 223.204.248.61
    32 88.12.44.113
    33 49.49.168.61
    36 223.205.123.216
    60 95.135.187.135
    100 61.109.125.146

    If we received an email report like the one above, we can see that we may well have a brute force attack in progress on our WordPress site, as multiple IPs are hitting the wp-login.php script repeatedly.

Blocking unwanted users from WordPress

If you notice IP addresses trying to access your WordPress admin that shouldn't be, you can block those unwanted users from your site using .htaccess.

In the example email report above we saw multiple IPs with many login attempts each. We can block these IPs from even sending our website a request by placing these rules at the top of your .htaccess file:

deny from 58.10.130.202
deny from 78.164.24.100
deny from 223.207.219.14
deny from 171.101.134.230
deny from 171.5.251.198
deny from 223.204.248.61
deny from 88.12.44.113
deny from 49.49.168.61
deny from 223.205.123.216
deny from 95.135.187.135
deny from 61.109.125.146

Now if any of these IPs tries to access your website again, it will immediately receive a 403 Access Denied error and won't be able to attempt to log in to your WordPress site any longer. Note that deny from is the Apache 2.2 mod_authz_host syntax; on Apache 2.4 it only works while mod_access_compat is loaded, and the 2.4-native equivalent is Require not ip inside a <RequireAll> block alongside Require all granted.
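As an added example (not part of the original article or InMotion's own tooling), the report the cron command above produces, built from a proper parse of Apache combined-format log lines, additionally counting the 503 Mod Security blocks per IP and generating the deny from lines for any IP at or above a threshold; the log lines and the threshold of 3 are constructed for the demo.

```python
import re
from collections import Counter

# Constructed sample in Apache "combined" format (addresses from RFC 5737 test ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Apr/2014:17:00:58 -0700] "GET /wp-login.php HTTP/1.1" 200 2960 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Apr/2014:17:01:02 -0700] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Apr/2014:17:01:05 -0700] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Apr/2014:17:01:09 -0700] "POST /wp-login.php HTTP/1.1" 503 813 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Apr/2014:17:02:10 -0700] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Apr/2014:17:02:11 -0700] "GET /wp-admin/css/login.min.css HTTP/1.1" 304 - "-" "Mozilla/5.0"
""".splitlines()

# Fields of a combined-log line that the report needs: client IP, timestamp,
# request method and path, and the response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return the captured fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def login_post_counts(lines):
    """Per IP: how many POSTs hit wp-login.php, and how many of those got a 503 block."""
    posts, blocked = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue  # strip any query string (e.g. ?action=lostpassword) before matching
        posts[rec["ip"]] += 1
        if rec["status"] == "503":
            blocked[rec["ip"]] += 1
    return posts, blocked

def report(lines):
    """Same shape as the cron e-mail: 'count ip' lines, lowest count first."""
    posts, _ = login_post_counts(lines)
    return [f"{n} {ip}" for ip, n in sorted(posts.items(), key=lambda kv: (kv[1], kv[0]))]

def deny_rules(lines, threshold):
    """'deny from' lines for every IP with at least `threshold` login POSTs (threshold is our choice)."""
    posts, _ = login_post_counts(lines)
    return [f"deny from {ip}" for ip, n in sorted(posts.items()) if n >= threshold]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG) + deny_rules(SAMPLE_LOG, threshold=3)))
```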

Comments

n/a Points
2014-04-01 2:43 pm

I locked myself out of my site trying to access WordPress. Do I have to wait for it to reset or is it something I can change inside of InMotion?

Staff
9,521 Points
2014-04-01 2:57 pm
Hello Rafaael,

If you had too many incorrect WordPress login attempts then you would have triggered our WordPress brute force attack security rules. If this is the case, you could wait a full 15 minutes before attempting to login again, and then it should let you back in as normal.

Please note that during that time, if you have other users also trying to login to WordPress this could extend the 15 minute temporary block. In which case you'd want to use one of the methods described in that guide for limiting access to the WordPress admin section such as setting up a secondary WordPress password.

If you're still having issues logging in after waiting a full 15 minutes before trying again, please let us know.

- Jacob
n/a Points
2014-04-05 10:31 pm

I think there's something wrong with the rule to block. I just installed WP. I keep getting blocked out on the first login attempt every time.

Thanks

Staff
15,308 Points
2014-04-06 10:51 pm
Hello Jim,

The block rule should work as described. You may want to have us check your individual account to see that everything is implemented properly. You may want to reply with your domain name here. We can keep it from being public if you prefer.

Kindest Regards,
Scott M
n/a Points
2014-04-06 11:33 pm

Jim is referring to our VPS hosting account.

I do prefer the domains be kept private, as it's development site not for public consumption.

Thanks,

Stephen

Staff
9,521 Points
2014-04-07 3:08 pm
Hello Jim and Steven,

I'm not seeing any issues when I try to login to the WordPress site that you've mentioned privately.

When you say that you are getting blocked out the first login attempt every time, are you getting redirected to an all white error page that has a link to our article about the WordPress brute force attacks, or something else?

I do not see any mention of the Mod Security rule we use to block WordPress login attempts in your Apache error logs. So it looks like you might be having a completely separate issue.

- Jacob

n/a Points
2014-04-07 9:30 pm

Yes. The logs only show 7 requests: the first landing on wp-login.php, 4 for its respective CSS files and one for the logo. The seventh entry is the POST to wp-login.php. Every first attempt results in the white page saying login has been delayed. We are not being brute force attacked, yet we are locked out because somewhere a rule thinks so.

71.139.167.221 - - [06/Apr/2014:17:00:58 -0700] "GET /wp-login.php HTTP/1.1" 200 2960 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0"
71.139.167.221 - - [06/Apr/2014:17:00:59 -0700] "GET /wp-includes/css/dashicons.min.css?ver=3.8.1 HTTP/1.1" 304 - "http://spiv2.org/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0"
71.139.167.221 - - [06/Apr/2014:17:00:59 -0700] "GET /wp-admin/css/wp-admin.min.css?ver=3.8.1 HTTP/1.1" 304 - "http://spiv2.org/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0"
71.139.167.221 - - [06/Apr/2014:17:00:59 -0700] "GET /wp-includes/css/buttons.min.css?ver=3.8.1 HTTP/1.1" 304 - "http://spiv2.org/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0"
71.139.167.221 - - [06/Apr/2014:17:00:59 -0700] "GET /wp-admin/css/colors.min.css?ver=3.8.1 HTTP/1.1" 304 - "http://spiv2.org/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0"
71.139.167.221 - - [06/Apr/2014:17:00:59 -0700] "GET /wp-admin/images/wordpress-logo.svg?ver=20131107 HTTP/1.1" 304 - "http://spiv2.org/wp-admin/css/wp-admin.min.css?ver=3.8.1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0"
71.139.167.221 - - [06/Apr/2014:17:01:48 -0700] "POST /wp-login.php HTTP/1.1" 503 813 "http://spiv2.org/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0"
Thanks!

Jim

Staff
7,372 Points
2014-04-08 7:45 am
As you can see from these logs, there are several POST requests to your wp-login within just a couple seconds which if they are failed logins, will certainly block access to your WordPress admin. I recommend fully protecting it with your .htaccess file.
n/a Points
2014-04-09 3:48 pm

Actually, as you can see in the logs there is ONE POST request. One initial GET request for wp-login.php; the remaining are GET requests. In other words, GET requests from the referring page wp-login.php, as I already pointed out.

Why is this a new comment btw... It was supposed to be a reply to JacobIMH in the thread we started above.

Staff
9,521 Points
2014-04-09 4:36 pm
Hello Jim,

I just tested again and this time I also got our ModSecurity block on your WordPress site.

I went ahead and disabled specific ModSecurity rules dealing with our WordPress brute force protection, so that your site is still protected from other types of attacks.

Being that our protection is disabled for your WordPress site, you'll want to be sure that you follow the steps from our WordPress brute force guide to help protect your WordPress installation from attackers.

Please let us know if you're still having any issues at all.

- Jacob
n/a Points
2014-04-26 4:41 pm

How can I stop this web site from being blocked? My web site is time sensitive.

Staff
15,308 Points
2014-04-28 12:46 am
Hello Peter,

If you are being blocked from accessing your website admin area, you will want to perform the steps included in our WordPress brute force article.

If your site is being suspended by our Systems team, you will want to contact our Live Support team to investigate the cause.

Kindest Regards,
Scott M
n/a Points
2014-06-18 6:42 pm

Wordfence is a pretty good plugin for defeating Brute Force attacks...

Staff
9,521 Points
2014-06-18 7:05 pm
Hello Peter,

Yes, the WordFence plugin is one of many WordPress security plugins that can help with WordPress brute force attacks.

Thanks for your comment!

- Jacob
n/a Points
2014-07-18 3:47 am

Hi,

I am facing a problem logging in to my WordPress admin panel... When I open my WordPress admin panel page it shows me nothing, just a message

LockeD By MED

pass plz:

Please help me to get rid of this..

Thanks in advance

Regards

Lisa

Staff
9,521 Points
2014-07-21 3:47 pm
Hello Lisa,

Doing a Google search for LockeD By MED and WordPress, it seems like this could be an indication of your WordPress website being hacked.

I was unable to find any account information for you in our system based off the email address you submitted this comment under. But I might recommend you take a look at my guide on how to reinstall WordPress after a hack to see about possibly getting this hack cleaned up from your site and allow yourself back into the WordPress admin section.

You might wish to also contact your web host directly and let them know about these issues so that they can take a look on the server and in your WordPress database for any signs of malicious activity or a possible hack.

- Jacob
