Stopped recording IP in database?

LSS failure tracking gets stored the wp_login_security_solution_fail table.

Sorry, I’m afraid my original post wasn’t clear. I can see attempts in the latest visitor logs from my hosting service, but I don’t see them recorded in wp_login_security_solution_fail. There’s a gap in the records. Some attempts did get recorded later in the day, but it’s odd that some were skipped. The only thing I can think of is that whoever found the log in page, didn’t try to log in which is weird, but it’s the only thing that makes sense.

On the bright side, it looks like there hasn’t been an attempt since yesterday afternoon (around 3pm EDT), so maybe they’re taking the hint!

In your web server access logs, were the requests HTTP POST or GET? If it’s GET, then it’s just the page being loaded. If it’s POST, then it’s probably an auth request.

Not clear from the log. This is what I’m seeing. This IP wasn’t recorded in wp_login_security_solution_fail.

Host: 41.220.166.15
/wp-login.php
Http Code: 200 Date: Jun 14 02:57:59 Http Version: HTTP/1.0 Size in Bytes: 3117
Referer: –
Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0

You’re looking at some user interface. You’ll need to SSH into the server and look at the raw logs.

Yes, I’m looking at it through CPanel.

Anyway, I’m really confused now. I got a bunch of email alerts about being under attack, but when I lookup the IPs in wp_login_security_solution_fail I only see a few hits for the IPs reported in the emails.

Example, I got this email

Component                    Count     Value from Current Attempt
------------------------     -----     ---------------------------
Network IP                       1     188.135.15
Username                        50     admin

If I run the following SQL statement:
SELECT * FROMwp_login_security_solution_failwhereiplike '188.135.15%'

I get this result:

fail_id   ip            user_login    date_failed
2908      188.135.15.64 admin         2013-06-16 06:19:43
3161      188.135.15.64 administrator 2013-06-16 06:31:01

Examine the “Count” column in the email. It shows there was only one hit for the Network IP but 50 for the Username.

Please note, the email shows the data for the attempt that takes you over the reporting threshold. To show the exact data set in question you’d need to use all three data points in the query’s WHERE clause: Network IP, Username and Password MD5. Putting only one or two items in the WHERE clause will produce different results.

Thanks for the clarification, explanation and patience. Much clearer now. It seems to me the attempts have slowed since I installed this and that makes me very happy.