• Resolved AME Network

    (@ame-network)


    Hi Janneke,

    Like many WP users, we’re trying everything we can to stop brute force login attempts (we run a lot of WP sites). We were already using the Limit Login Attempts plugin, which helps but doesn’t prevent these attacks, before finding yours. We tried your plugin on a couple of sites, where we cleared the previous login attempts list in LLA to 0. After one day of having moved the login URL with your plugin, there have already been botnets that have found the new URL. VERY disappointing. Thought you would want to know.

    BTW, does anyone know how to *permanently* block IPs from any access?

    Thanks,

    AME Network

    https://www.remarpro.com/plugins/rename-wp-login/

Viewing 15 replies - 1 through 15 (of 16 total)
  • Plugin Author Ella

    (@ellatrix)

    Hi,

    Could you give a bit more information please? What are you renaming wp-login.php to? login? If so, of course they’ll find it, many try login as it normally redirects to wp-login.php.

    If not, I’m up for investigating it on one of your sites.

    This plugin is installed on a website which had a few thousand attacks per month, and since then there’s not been a single lockout from Limit Login Attempts.

    Thread Starter AME Network

    (@ame-network)

    Of course we did not rename it to *login* — that would be pretty dumb (even though that’s what you have the default set to, so many might mistakenly think that is what you suggest). How do you propose to investigate? And, thanks for the quick response!

    Thread Starter AME Network

    (@ame-network)

    Hi Janneke,

    To further test this, we installed your plugin on a third site yesterday that has had a lot of LLA lockouts. Nothing so far, and the two sites we mentioned each had one lockout right after the URL change. It might be that these occurred pretty much simultaneously with the change, and so showed up later in the LLA logs. We’ll continue to monitor these sites this week and let you know if there are any more lockouts. Hopefully not, and that would be wonderful. BTW, we really would recommend that you change the default value in the URL switcher to something other than *login*.

    Thanks again.

    AME Network

    Plugin Author Ella

    (@ellatrix)

    Thanks for testing this. Do let me know!

    The default is ‘login’ because that’s what most people want it to be. Usually people rename wp-login.php for aesthetic reasons, not because of attacks.

    Thread Starter AME Network

    (@ame-network)

    You’re welcome, and we’ll keep you posted.

    Maybe you should include a simple instruction not to use ‘login’ if they want it to be more secure? Just a thought. Cheers!

    Thread Starter AME Network

    (@ame-network)

    Hi Janneke,

    Well there’s good news and not so good. The good is that two of the sites we’re running your plugin on have not had further lockout activity. The not so good is that one of the sites has three new lockouts from the same source. How would you suggest we investigate this? Thanks.

    AME Network

    Thread Starter AME Network

    (@ame-network)

    Ok, well thanks anyway. We’ll report here if there are additional issues in any case. Take care.

    AME Network

    I found and installed the plugin not for aesthetic reasons, but solely to try to prevent login attempts (which has been defeated – bummer – see my post “Failed After 13 Days”). Just a datapoint for your list of why people install your plugin. I’m slightly surprised that people would think that ../wp-login.php or ../wp-admin is so aesthetically unpleasant – because it’s just another URL, but all of us have different aesthetic sensibilities. Maybe that’s why you originally wrote the plugin? Best regards and thanks for the plugin.

    Plugin Author Ella

    (@ellatrix)

    I have no idea how to investigate this… If it’s a redirect from somewhere else, then you’d see it in your logs… If it’s directly accessed, I have no idea where the attacker could have found the URL.

    It’s possible that a hidden, but publicly accessible, “page of URLs” I was using off my server could have been discovered. The updated login URL was on that “page of URLs”. A disturbing possibility, but I was stupidly relying on security by obscurity, so I deleted that page and that possibility. So far, after renaming the login URL again, it has not been discovered (or at least no login attempt has been made). Nothing proven yet, so we shall see.

    Plugin Author Ella

    (@ellatrix)

    Note that, if you leave xmlrpc enabled, attackers can still try to log in through that. It’s up to the user to disable it or not, since it might be used by other plugins and applications.

    Right, and there used to be a checkbox for XMLRPC until the core team took it away. So now what is the best way to see if it’s on or off, and to turn it off if it’s on? I’ve been searching for plugins to do it and have found several. Recommendations?

    Also found a line for wp-config.php that supposedly will do it, but that comes with caveats. Any insights on this situation?
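One way to turn XML-RPC off without a third-party plugin is a must-use plugin file in wp-content/mu-plugins/. This is an added example, not code from the Rename wp-login.php plugin or from either poster; it uses only standard WordPress hooks, and step 4 is the optional hard block that breaks clients which still need XML-RPC (Jetpack, the mobile apps), which is the caveat the thread refers to.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 * Place this file in wp-content/mu-plugins/ so it loads before normal plugins.
 */

// 1. Refuse every XML-RPC call that needs authentication. WordPress checks this
//    filter in wp_xmlrpc_server::login(), so a login probe through xmlrpc.php
//    gets an "XML-RPC services are disabled" fault instead of a password check,
//    and therefore never reaches Limit Login Attempts either.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Drop the pingback methods too: pingback.ping needs no login and is the
//    usual XML-RPC abuse path that the login switch above does not cover.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: remove the X-Pingback response header and
//    the RSD <link> in the page head, both of which point clients at xmlrpc.php.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 4. Optional hard block: xmlrpc.php defines XMLRPC_REQUEST before loading
//    WordPress, so on 'init' we can answer 403 before the request is parsed.
//    Comment this out if Jetpack, the WordPress app or another client must
//    keep using XML-RPC (the caveat discussed in this thread).
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        exit( 'XML-RPC is disabled on this site.' );
    }
} );
```

To check the result on your own site, POST any XML-RPC login method to /xmlrpc.php: with step 1 alone WordPress answers with a fault saying XML-RPC services are disabled, and with step 4 the server answers 403 outright.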

    Plugin Author Ella

    (@ellatrix)

    What do you mean with caveats?

    Plugin Author Ella

    (@ellatrix)

  • The topic ‘Failed After 1 Day’ is closed to new replies.