• Resolved bob73

    (@bob73)


    Hello

    Congratulations again for your very valuable plugin.
    Nevertheless I notice some login attempts, which do not make me very confident about it.
    On my web site I have activated the following options in the settings of WP Cerber :
    – Load security engine: standard mode
    – Non existent users
    – Redirect dashboard requests
    – Request wp-login.php
    – a custom login page has been set
    – Disable wp-login.php

    Additionally, only my computer’s static IP (used for the administration access) is white-listed in the white IP access list menu.

    Even with all those security settings activated, I can still see log entries in the activity log saying: “Attempt to login with non-existent username” (URL: <my URL>/xmlrpc.php), then in the next log entry “IP Blocked” (intruder’s IP: 5.188.62.11).
    The blocked IP log entry is fine.
    But the login attempts are being repeated every few hours. If the intruder waits for just 2-3 hours, his request is still blocked, but if he waits for several hours, then he gets access for his new login attempt, which leads to a new blocking because of the wrong user name. But in-between he managed to find out the first 12 characters (!!!) of my user name, but fortunately not the rest, as my user name is long.

    Questions:
    – shouldn’t the intruder’s IP be blocked forever with the high security settings mentioned above??? (white list, custom URL etc.)
    – why does the plugin allow a login attempt at all from an IP outside the white-list?
    – any tip how to avoid the intruder getting to so many username characters in just a few login attempts?

    Obviously this one somehow found out the first 12 characters of my username and appended those to the beginning of the username, which is the WP default behavior in proposals of new, longer user names. Only the characters at the end of the username the intruder used (“_ex64ll7s”) are wrong, but he is already on a “good way” to approaching the effectively used username, which is very bad.

    Thanks in advance for your support.
    Bob

    • This topic was modified 6 years, 9 months ago by bob73.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter bob73

    (@bob73)

    After disabling XML-RPC in the hardening menu, this access has been blocked. This solution would be fine for me at the moment, as my web site does not need XML-RPC.

    May I address an issue related to the custom login URL?
    I have set a custom URL and activated the option “Disable wp-login.php”.
    Besides this, only one static IP address is white-listed in the access list.

    Now, if there is a login attempt to the custom URL from any other IP address than the one defined in the white-list, the request still lands on the WP login page, and the remote user meanwhile gets the warning that he has reached the login attempts limit, so he is locked out for the next XX minutes, let’s say 60 minutes (if configured so).
    Wouldn’t it be more logical and secure if this user (mostly an intruder) got a 404 or 403 response instead of disclosing that:
    – he actually managed to find out the right custom URL
    – WordPress is being used on this server (because of the WP login form)
    – he is locked out for “only” 60 minutes, so he can go on hacking afterwards (and the option aggressive lockout duration may sometimes not help, if the hacker waits enough until the next access attempt)

    Another way of asking this question is: wouldn’t it be more logical to consider the white-list more like a pure access authorization instead of IPs that will never be locked out? Or give the custom URL option some kind of higher priority in order to avoid the described issue. I would expect that a request from any other IP than the one white-listed is automatically rejected or ignored.

    Thanks a lot.
    Best regards.

    Plugin Author gioni

    (@gioni)

    Hi!

    You’ve set up the plugin correctly. No worries.

    The plugin doesn’t block “intruders” forever by design, because it may be just an infected mobile device whose IP is assigned dynamically. To deny all IPs in the world except yours, add a *.*.*.* wildcard to the black access list. Regarding the access list logic, please read this carefully: https://wpcerber.com/using-ip-access-lists-to-protect-wordpress/

    The main purpose of using the custom login URL feature is to reduce the attack surface. It’s not a pure security feature. Disabling the standard wp-login.php and using a custom login URL makes it possible to effectively mitigate automated bot attacks. When a smart hacker finds out a custom login URL, they have to deal with the rest of the security mechanisms and features in the plugin, and the first one is limiting login attempts.
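As an added illustration (not WP Cerber’s code, and not written by either poster), the following hypothetical must-use plugin shows one way to get the behaviour the thread starter asked for on a site that does not need XML-RPC: switch XML-RPC off, and answer any request to the login endpoint or to xmlrpc.php from an IP outside an allow list with a bare 403 before the WordPress login form or any lockout notice is rendered. The allow list, the function names and the 203.0.113.x addresses (RFC 5737 documentation range) are assumptions; it is meant to sit beside the plugin’s own lockout logic, not replace it.

```php
<?php
/**
 * Plugin Name: Admin IP allow-list for the login endpoint (illustration)
 *
 * Hypothetical mu-plugin, not WP Cerber code. Copy it to wp-content/mu-plugins/
 * so it loads before regular plugins. Assumes a 64-bit PHP build and IPv4.
 */

// Assumed allow list: replace with your own static administration IP(s).
// Plain addresses and IPv4 CIDR ranges are accepted.
const LOGIN_ALLOWED_IPS = [ '203.0.113.10', '203.0.113.16/28' ];

/**
 * Client address as seen by the web server. Deliberately ignores
 * X-Forwarded-For: that header is attacker-controlled unless a trusted
 * proxy overwrites it, in which case fix REMOTE_ADDR at the proxy instead.
 */
function login_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

/** True if $ip matches one of the plain addresses or IPv4 CIDR ranges in $allowed. */
function login_ip_allowed( string $ip, array $allowed ): bool {
    $ip_long = ip2long( $ip );
    if ( $ip_long === false ) {
        return false;               // not a valid IPv4 address: fail closed
    }
    foreach ( $allowed as $entry ) {
        if ( strpos( $entry, '/' ) === false ) {
            if ( $ip === $entry ) {
                return true;
            }
            continue;
        }
        [ $net, $bits ] = explode( '/', $entry, 2 );
        $net_long = ip2long( $net );
        $bits     = (int) $bits;
        if ( $net_long === false || $bits < 0 || $bits > 32 ) {
            continue;               // a malformed entry never grants access
        }
        $mask = $bits === 0 ? 0 : ( 0xFFFFFFFF << ( 32 - $bits ) ) & 0xFFFFFFFF;
        if ( ( $ip_long & $mask ) === ( $net_long & $mask ) ) {
            return true;
        }
    }
    return false;
}

// 1. Switch XML-RPC authentication off, the equivalent of what the thread
//    starter did in the hardening menu. The filter only refuses the
//    authenticated methods; xmlrpc.php itself still answers, so step 2
//    also refuses that file outright for clients outside the allow list.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Refuse the login page (and xmlrpc.php) with a bare 403 for any client
//    outside the allow list. login_init runs before the form is rendered, so
//    an outsider sees neither the WordPress login form nor a lockout notice;
//    only the allow-listed IP ever reaches the credential check.
function login_deny_outsiders(): void {
    if ( ! login_ip_allowed( login_client_ip(), LOGIN_ALLOWED_IPS ) ) {
        status_header( 403 );
        nocache_headers();
        exit( 'Forbidden' );
    }
}
add_action( 'login_init', 'login_deny_outsiders' );
add_action( 'init', function () {
    // xmlrpc.php defines XMLRPC_REQUEST before loading WordPress.
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        login_deny_outsiders();
    }
} );
```

Two caveats before relying on something like this: behind a CDN or reverse proxy, REMOTE_ADDR is the proxy’s address, so the check must be made on a client address the proxy has been configured to set trustworthily, or it will either lock everyone out or let everyone in; and because it fires on every wp-login.php action (logout and password reset included), test it from a second, non-allow-listed IP with a working SSH or hosting-panel session open, since a typo in the allow list locks the administrator out as well.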

  • The topic ‘Question about IP blocking’ is closed to new replies.