Thoughts on “Review WordPress login attempts

  • I just received a message that I’ve been blocked from my WordPress blog account due to a brute force attack. How long will I be blocked for, what do I/can I do, and how do I ensure this won’t happen again? Or have I lost my blog permanently…

  • Hi, I have a few blogs all in one domain under different sub domain. My site has been under a series of very consistent Brute Force attack this week which brought down the server time and again. I have allowed wp-login.php access only to my ip and deny all others. However, my question is, how do I know if I entered the right code in .htaccess file? And how do I know if I have successfully denied all other IPs accessed?

    A sample of what I enter into the .htaccess file:

    <filematch “^(xmlrpc|wp-login)\.php$>

    allow from ip1

    deny from all

    </filematch>

    It seemed that after making this entry, when I tried to access the file, I just get 404 not found error.

    • You will want to set up the allow/deny for IPs in this order to allow only one IP through.

      order deny,allow
      deny from all
      allow from <your ip>

  • As a newbie trying several times to login and failing (until I got spoke with tech support).  Then receiving a Brute Force prompt and reading the following day your post of “Reviewing WordPress Login Attempts”, I was wondering if it was my attempts or my VPN running in the background.  Or both. 

    • The server looks for any attempts to log in, so those could come from anywhere. Largely, if it happens a lot, it is due to outside sites trying to force their way in.

  • i try the following but it give me the following error in the email message :

     

    output : egrep: /home/webmec6/access-logs/mydomain.com: No such file or directory

     

    PLease advice !

  • When I send into my wordpress website I can’t see the dashboard. This is over 6 days and now and when I insist I get a 404 error page from Hostgator; how do I rectify it?

    • Hello Emily,

      Sorry to hear that you’re having problems with the login. If you are hosting with HostGator, then you will need to contact their support if you continue to have repeated login issues. If you are using our hosting service, please provide a URL for your site and we can investigate further.

      If you have any further questions or comments, please let us know.

      Kindest regards,
      Arnel C.

  • Is it possible to whitelist an ip or two so that they can get through when a block happens? The primary administrator shouldn’t get locked out during this period of time.

    • Hello Dan,
      The block happens at the mod_security level, so that is an all or nothing toggle. You can contact Live Support to have that rule disabled if you like, but you are basically whitelisting everyone.

      Kindest Regards,
      Scott M

    • The block happens at the mod_security level, so that is an all or nothing toggle. You can contact Live Support to have that rule disabled if you like, but you are basically whitelisting everyone.

  • I have just paid for a month subscription and cannot sign in.  It says that I’m blocked.  What do I do? 

    • Hello Felipe,

      Sorry for the database errors that you’re seeing. Can you please give us some details, as we’re not seeing anything on your website at this point. If you are still having the problem and require technical assistance, please provide more detail on the exact error message, and also how to duplicate the problem.

      Regards,
      Arnel C.

  • Hii,

    I am facing a problem to login in my WordPress admin panel … When I open my WordPress admin panel page it show me nothing, just a message

    LockeD By MED

    pass plz:

    Please help me to get rid out of this ..

    Thanks in advance

    Regards

    Lisa

    • Hello Lisa,

      Doing a Google search for LockeD By MED and WordPress, it seems like this could be an indication of your WordPress website being hacked.

      I was unable to find any account information for you in our system based off the email address you submitted this comment under. But I might recommend you take a look at my guide on how to reinstall WordPress after a hack to see about possibly getting this hack cleaned up from your site and allow yourself back into the WordPress admin section.

      You might wish to also contact your web host directly and let them know about these issues so that they can take a look on the server and in your WordPress database for any signs of malicious activity or a possible hack.

      – Jacob

  • Actually, as you can see in the logs there is ONE POST request. One intial GET request for wp-login.php The remaining are GET requests. In other words, GET requests from the referring page wp-login.php, as I already pointed out.

    Why is this a new comment btw… It was supposed to a reply to JacobIMH in the thread we started above.

    • Hello Jim,

      I just tested again and this time I also got our ModSecurity block on your WordPress site.

      I went ahead and disabled specfic ModSecurity rules dealing with our WordPress brute force protection, so that your site is still protected from other types of attacks.

      Being that our protection is disabled for your WordPress site, you’ll want to be sure that you follow the steps from our WordPress brute force guide to help protect your WordPress installation from attackers.

      Please let us know if you’re still having any issues at all.

      – Jacob

  • Yes. The logs only show 7 requests, first landing on wp-login.php and 4 for its respective css files and one for the log.  The seventh entry is the POST to wp-login.php.  Every first attempt results in the white page saying login has been delayed.  We are not being brute forced attacked, yet we are locked out because somewhere a rule thinks so.

    71.139.167.221 - - [06/Apr/2014:17:00:58 -0700] "GET /wp-login.php HTTP/1.1" 200 2960 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0"
    71.139.167.221 - - [06/Apr/2014:17:00:59 -0700] "GET /wp-includes/css/dashicons.min.css?ver=3.8.1 HTTP/1.1" 304 - "http://spiv2.org/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0"
    71.139.167.221 - - [06/Apr/2014:17:00:59 -0700] "GET /wp-admin/css/wp-admin.min.css?ver=3.8.1 HTTP/1.1" 304 - "http://spiv2.org/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0"
    71.139.167.221 - - [06/Apr/2014:17:00:59 -0700] "GET /wp-includes/css/buttons.min.css?ver=3.8.1 HTTP/1.1" 304 - "http://spiv2.org/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0"
    71.139.167.221 - - [06/Apr/2014:17:00:59 -0700] "GET /wp-admin/css/colors.min.css?ver=3.8.1 HTTP/1.1" 304 - "http://spiv2.org/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0"
    71.139.167.221 - - [06/Apr/2014:17:00:59 -0700] "GET /wp-admin/images/wordpress-logo.svg?ver=20131107 HTTP/1.1" 304 - "http://spiv2.org/wp-admin/css/wp-admin.min.css?ver=3.8.1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0"
    71.139.167.221 - - [06/Apr/2014:17:01:48 -0700] "POST /wp-login.php HTTP/1.1" 503 813 "http://spiv2.org/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0"

     

    Thanks!

    Jim

  • Jim is referring to our VPS hosting account.

    I do prefer the domains be kept private, as it’s development site not for public consumption.

    Thanks,

    Stephen

    • Hello Jim and Steven,

      I’m not seeing any issues when I try to login to the WordPress site that you’ve mentioned privately.

      When you say that you are getting blocked out the first login attempt every time, are you getting redirected to an all white error page that has a link to our article about the WordPress brute force attacks, or something else?

      I do not see any mention of the Mod Security rule we use to block WordPress login attempts in your Apache error logs. So it looks like you might be having a completely separate issue.

      – Jacob

  • I think there’s something wrong with the rule to block. I just installed WP. I keep get blocked out on the first login attempt every time.

     

    Thanks

    • Hello Jim,

      The block rule should work as described. You may want to have us check your individual account to see that everything is implemented properly. You may want to reply with your domain name here. We can keep it from being public if you prefer.

      Kindest Regards,
      Scott M

  • I locked myself out of mysite trying to access wordpress. Do I have to wait for it to reset or is it someting I can change inside of inmotion.

    • Hello Rafaael,

      If you had too many incorrect WordPress login attempts then you would have triggered our WordPress brute force attack security rules. If this is the case, you could wait a full 15 minutes before attempting to login again, and then it should let you back in as normal.

      Please note that during that time, if you have other users also trying to login to WordPress this could extend the 15 minute temporary block. In which case you’d want to use one of the methods described in that guide for limiting access to the WordPress admin section such as setting up a secondary WordPress password.

      If you’re still having issues logging in after waiting a full 15 minutes before trying again, please let us know.

      – Jacob

Leave a Reply to Rafaael Cancel reply