• Resolved valkala

    (@valkala)


    Hi. I posted a question a little while ago, which seemed like it was resolved, but I’m still getting attacked from IPs belonging to Russian ISPs, constantly.

    Even though I’ve added a Custom login URL, disabled wp-login.php and XML-RPC, how are they still able to find the login and attempt to hack our site?

    I wish there was a way to just blacklist all of Russia.

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author gioni

    (@gioni)

    Hi valkala!

    Make sure that your Custom login URL is not shown on public pages of the website. It might be some menu, some sidebar or some widget. Inspect the source code of a page with the text search Ctrl + F. I think your Custom login URL is publicly available somewhere.

    Country blocking will be implemented soon. Stay tuned!

    I have the same problem. I’ve used WPC before and as soon as I set it to maximum security and change the URL all warnings stop, but not with the site I installed it to now.

    It’s an extremely simple page too. Just a logo and some text.

    • This reply was modified 7 years, 8 months ago by Max Beta.

    I updated to 4.9 and the hits are still coming.

    Any suggestions?

    Plugin Author gioni

    (@gioni)

    Inspect the Event column on the Activity tab – are they using your Custom login URL?

    No warning about them using my custom login, but there is some “between the lines” logic involved here.

    I use all available blocks to wp-login.php:
    * Immediately block IP when attempting to login with a non-existent username
    * Disable automatic redirecting to the login page when /wp-admin/ is requested by
    * Immediately block IP after any request to wp-login.php

    In the past hour I have:
    Attempt to log in with prohibited username: admin
    Attempt to log in with non-existent username: (they tried the domain name)

    So how can they try to login with a bad username if it’s supposed to be impossible to even reach the login pages?

    That’s why I assumed they knew the custom login page, or else all warnings would be “Attempt to access prohibited URL”.

    • This reply was modified 7 years, 7 months ago by Max Beta.
    Plugin Author gioni

    (@gioni)

    First of all, check URLs in the Event column on the Activity tab. Since v 4.9 the plugin logs requested URLs.

    Sorry, missed that.

    *** = my domain

    Attempt to log in with prohibited username
    URL: ***.se/xmlrpc.php

    I never used that setting in Hardening on any other site so it’s my default setup. I had to google what this is. Luckily this site is not in need of any pingbacks so I’ll activate that now.

    Plugin Author gioni

    (@gioni)

    Yes, that’s easy. Just check Disable XML-RPC on the Hardening tab.

    Note: if you use the Jetpack plugin, you cannot disable XML-RPC because that plugin utilizes this technology.
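
Added example, not part of the original thread and not WP Cerber code: the diagnosis above came from looking at which URL the login attempts actually arrived on. The same check can be run against a web server access log by tallying credential submissions (POST requests) per authentication entry point. The combined log format, the `CUSTOM_LOGIN` slug and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hypothetical custom login slug; replace with your own.
CUSTOM_LOGIN = "/my-private-login/"

# Constructed sample lines in the common "combined" access-log format.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2018:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2018:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Feb/2018:10:04:40 +0000] "GET /wp-login.php HTTP/1.1" 403 162 "-" "curl/7.58"
198.51.100.23 - - [12/Feb/2018:10:04:41 +0000] "POST /wp-login.php?action=login HTTP/1.1" 403 162 "-" "curl/7.58"
192.0.2.10 - - [12/Feb/2018:10:09:15 +0000] "POST /my-private-login/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Feb/2018:10:09:20 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not a log entry
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')

def entry_point(target):
    """Map a request target to the authentication entry point it exercises."""
    path = urlsplit(target).path.lower()  # drop the query string before matching
    if path.endswith("/xmlrpc.php"):
        return "xmlrpc"
    if path.endswith("/wp-login.php"):
        return "wp-login"
    if path.rstrip("/") == CUSTOM_LOGIN.rstrip("/").lower():
        return "custom-login"
    return None

def login_posts(log_text):
    """Count POST requests and distinct client IPs per entry point."""
    posts, ips = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "POST":
            continue  # skip malformed lines and non-POST requests
        ep = entry_point(m.group(3))
        if ep:
            posts[ep] += 1
            ips.setdefault(ep, set()).add(m.group(1))
    return {ep: {"posts": n, "ips": sorted(ips[ep])} for ep, n in posts.items()}

if __name__ == "__main__":
    for ep, info in login_posts(SAMPLE_LOG).items():
        print(f"{ep:13} posts={info['posts']} ips={', '.join(info['ips'])}")
```

POSTs that land on `xmlrpc` while `custom-login` shows only known addresses indicate the custom URL has not leaked and the attempts are arriving through XML-RPC instead.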

    Now I only have warnings for trying to use wp-login.php.

    I still get the emails though. In this scenario I would like a filter to only get warnings of a higher standard.

    Are there any plans for a more sophisticated email filter? “Only Send me email for these warnings” type of thing.

    Plugin Author gioni

    (@gioni)

    1. Set Notifications threshold to a higher value (in the Limit login attempts settings section).
    2. Subscribe to a specific activity you want to monitor: https://wpcerber.com/wordpress-notifications-made-easy/

    Sorry again… I’ve clicked around so much in all tabs in Cerber so I assumed it wasn’t included. Must have missed it.

    I’ll have a look. Thanks for your help!

  • The topic ‘People can still find my custom login page… (part 2)’ is closed to new replies.