Review WordPress login attempts

Updated on August 16, 2021 by InMotion Hosting Contributor

Because WordPress is such a popular CMS, many attackers will try to compromise WordPress websites. Knowing how to review WordPress login attempts in your access logs can help you understand and improve your WordPress security.

This past April there was a large WordPress brute force attack in which hackers tried to break into many WordPress installs. In this guide we’ll go over how you can be sure that your WordPress site isn’t still getting attacked.

Look at latest visitors in cPanel

To take a quick look at who has been trying to access your WordPress administration panel, you can use cPanel’s Latest Visitors tool by following these steps:

1. Log in to cPanel.
2. Under the Metrics section, click on Latest Visitors.
3. Beside your WordPress domain, click on View.
4. Type wp-login.php into the search box with the magnifying glass.
5. Click the Settings cog on the right, and place a check beside the IP, URL, Time, Status, and Method fields.

Here you can see that the IP address 123.123.123.123 first made a GET request for the wp-login.php script, followed by 4 POST attempts, all getting a 200 response. On the 5th POST attempt the login was blocked and given a 503 response. This indicates a user attempting to log in to your WordPress admin, continually failing, and then being blocked by our Mod Security rules on the server.

You might also see a ton of different IP addresses trying to hit your wp-login.php script here as well, and at a much higher volume.
If you’re seeing this, your site could still be under a WordPress brute force attack.

Set up a cron job to email WordPress login attempts

You might not be reviewing your WordPress website on a daily basis. In that case it can be helpful to set up a cron job that sends you a daily report of any attempted WordPress logins, following these steps:

1. Log in to cPanel.
2. Under the Advanced section, click on Cron jobs.
3. Under the Cron Email section, fill out the email address where you’d like to receive the daily WordPress login attempt reports, and click Update Email.
4. Under the Add New Cron Job section, change the Common Settings drop-down to Once a day (0 0 * * *). This will default to sending you an email at midnight local server time, but you can adjust the Hour field if you’d like it to email you at a different time of day.
5. In the Command field, enter the following command, making sure to replace ~/access-logs/example.com with your own WordPress website’s log:

    egrep "POST .*wp-login.php" ~/access-logs/example.com | awk '{print $1,$4,$5,$6,$7,substr($0, index($0,$12))}' | awk '{print $1}' | sort -n | uniq -c | sort -n | sed 's/[ ]*//'

6. Click on Add New Cron Job.

The email report will give you a list of IP addresses that accessed your wp-login.php script, and how many times they did so. It will look like this:

    30 58.10.130.202
    30 78.164.24.100
    31 223.207.219.14
    32 171.101.134.230
    32 171.5.251.198
    32 223.204.248.61
    32 88.12.44.113
    33 49.49.168.61
    36 223.205.123.216
    60 95.135.187.135
    100 61.109.125.146

If we received an email report like the one above, we could clearly see that we possibly have a brute force attack happening on our WordPress sites, as multiple IPs are hitting the wp-login.php script multiple times.
Blocking unwanted users from WordPress

If you notice IP addresses trying to access your WordPress admin that shouldn’t be, you can block unwanted users from your site using .htaccess.

In the example email report above, multiple IPs made multiple login attempts. We can block these IPs from even being able to send our website a request by placing these rules at the top of your .htaccess file:

    deny from 58.10.130.202
    deny from 78.164.24.100
    deny from 223.207.219.14
    deny from 171.101.134.230
    deny from 171.5.251.198
    deny from 223.204.248.61
    deny from 88.12.44.113
    deny from 49.49.168.61
    deny from 223.205.123.216
    deny from 95.135.187.135
    deny from 61.109.125.146

Now if any of these IPs tries to access your website again, it will immediately be given a 403 access denied error and won’t be able to attempt to log in to your WordPress site any longer.
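The daily report and the blocking step can be tied together. This added example, which is not InMotion Hosting's own script, counts POSTs to wp-login.php per IP from the request field only (the egrep pattern in the cron command also matches lines where wp-login.php appears only in the referer) and prints deny from rules for IPs at or above a threshold. The function names, the threshold, the Apache "combined" log format and the sample log lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not InMotion Hosting's script. Assumes Apache "combined" log format.

# Write constructed sample log lines (documentation-range IPs) to the file in $1.
make_sample_log() {
cat > "$1" <<'EOF'
203.0.113.7 - - [16/Aug/2021:00:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2900 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Aug/2021:00:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Aug/2021:00:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Aug/2021:00:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Aug/2021:00:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Aug/2021:00:00:06 +0000] "POST /wp-login.php HTTP/1.1" 503 299 "-" "Mozilla/5.0"
198.51.100.20 - - [16/Aug/2021:08:15:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.45 - - [16/Aug/2021:09:00:00 +0000] "POST /contact.php HTTP/1.1" 200 512 "https://example.com/wp-login.php" "Mozilla/5.0"
EOF
}

# Print "<POST count> <503 count> <IP>" per client, lowest count first.
# Only the quoted request field is inspected, so referers cannot inflate the count.
wp_login_report() {
    awk -F'"' '
        {
            split($1, pre, " ");  ip = pre[1]
            split($2, req, " ");  method = req[1]; path = req[2]
            split($3, post, " "); status = post[1]
            sub(/\?.*/, "", path)                      # drop any query string
            if (method != "POST" || path !~ /\/wp-login\.php$/) next
            total[ip]++
            if (status == 503) blocked[ip]++           # 503 = blocked login, per the page
        }
        END { for (ip in total) printf "%d %d %s\n", total[ip], blocked[ip], ip }
    ' "$1" | sort -n
}

# Print .htaccess rules for IPs with at least $2 login POSTs in log file $1.
# Only well-formed IPv4 addresses are emitted; anything else is skipped.
wp_login_denylist() {
    wp_login_report "$1" | awk -v min="$2" '
        $1 >= min && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print "deny from " $3 }
    '
}

# Demo on the constructed log: sh wp-login-report.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && make_sample_log "$tmp"
    wp_login_report "$tmp"; wp_login_denylist "$tmp" 5; rm -f "$tmp"
fi
```

`deny from` is Apache 2.2 syntax; on Apache 2.4 it is honored only when mod_access_compat is loaded. Review the generated list before pasting it into .htaccess so that your own address is not among the blocked IPs.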