• Resolved Fritsje

    (@fritsje)


    Since two days I got more than 100 brute force attempts on one of my sites.
    I do not have Completely Block Access To XMLRPC enabled.
    I do have the custom login page enabled, as well as the Login whitelist, yet the attack uses multiple IP addresses to try to log in while I have only one IP address (mine) enabled in the whitelist.

    How are they able to find my login page while it is custom? How are they able to bypass the IP-whitelist setting?

    The attack is still continuing while I write this. Multiple report-emails (lockout notifications) coming in as I type this.

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, have you thought of enabling the following feature Completely Block Access To XMLRPC?

    Thread Starter Fritsje

    (@fritsje)

    Yes, but will this feature not disable auto-posting to FB/Twitter (Jetpack) features?

    Also: the recent wave of bruteforce attacks started 3 days ago, same for some other users that have posted here. Is this not an indication something might be broken?

    Or is the login whitelist feature, which should allow only the IP I entered to access the login page, not working without the Completely Block Access To XMLRPC feature?

    Because if so: why is this option even existing?

    I am not trying to be a smart@$$, just not understanding why suddenly the whitelist feature does not work anymore (100s of IP addresses can suddenly access my login page).

    If Completely Block Access To XMLRPC feature does not break Jetpack auto-post features I will enable it immediately.

    Thanks for your help!

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, if you use Jetpack and/or other apps to log into your site via a mobile device then I suggest that you enable this feature: Disable Pingback Functionality From XMLRPC. Do not enable the one I mentioned above.

    In regards to your question about Login Whitelist. Login Whitelist works very well and it does a great job in protecting your site from Brute Force attacks. However this feature does not block access to xmlrpc.php file.

    Let me know if you need more information.

    Kind regards

    Thread Starter Fritsje

    (@fritsje)

    Thanks for your reply.
    Disable Pingback Functionality From XMLRPC is already active.

    The brute force attacks continue, and the whitelist feature might work, and it did for a while, but since this past week clearly the people running the bruteforce farms have found a way to bypass it.

    I will take other measures and thank you again for your help.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi @fritsje,
    The login whitelist feature will prevent people with unauthorised IP addresses from accessing your WordPress login page. It will not stop bots from trying to blast your xmlrpc.php file.

    clearly the people running the bruteforce farms have found a way to bypass it

    Have you confirmed whether the Apache directives for the login whitelist feature are working correctly on your server? I.e., one simple test is to try accessing your login page from an IP address which is not “whitelisted”.

    Disable Pingback Functionality From XMLRPC is already active

    Since you said that this feature is active, can you please check what you see when you go to the following page on your site:
    yoursite.com/xmlrpc.php

    Thread Starter Fritsje

    (@fritsje)

    Have you confirmed whether the Apache directives for the login whitelist feature are working correctly on your server? I.e., one simple test is to try accessing your login page from an IP address which is not “whitelisted”.

    Yes I checked and indeed: I can access the custom login page from a non-whitelisted IP. This was not the case 3 days ago.

    Since you said that this feature is active, can you please check what you see when you go to the following page on your site:
    yoursite.com/xmlrpc.php

    XML-RPC server accepts POST requests only.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi @fritsje,
    Ok, that’s the answer to your issue, because your tests are showing that currently the Apache rules for the whitelist and xmlrpc blocking (pingback protection) features don’t work – but my understanding is that they once worked.

    How are they able to find my login page while it is custom? How are they able to bypass the IP-whitelist setting?

    It could be that nobody bypassed that functionality but instead it may be that something on your server changed and broke that functionality.

    Therefore I think that the cause of your issue has something to do with the .htaccess file and the directives inside it (and maybe your server’s Apache configuration).
    I suspect that something has changed either inside of that file which has broken the functionality, OR perhaps something Apache-related on your server has been changed.

    Have you examined the contents of your .htaccess file and confirmed that the code for the whitelist and pingback protection features is there?

    If so, have you asked your host support crew why that code in the .htaccess file suddenly stopped working?

    Thread Starter Fritsje

    (@fritsje)

    Whitelist functionality in my .htaccess file (I changed the IP addresses):

    #AIOWPS_LOGIN_WHITELIST_START
    <FilesMatch "^(wp-login\.php)">
    Order Allow,Deny
    Allow from https://www.mysite.com
    Allow from 999.999.999.999
    Allow from 66.66.666.66
    </FilesMatch>
    #AIOWPS_LOGIN_WHITELIST_END

    Strangely: only the 66-address is the one I entered and is showing in my dashboard AIO security plugin as being whitelisted, I guess the 999-address is my host?

    What should the pingback rules look like? (So I can search for them, the word ‘pingback’ does not exist in the file).

    Plugin Contributor wpsolutions

    (@wpsolutions)

    What should the pingback rules look like? (So I can search for them, the word ‘pingback’ does not exist in the file)

    Did you enable the following checkbox?

    Completely Block Access To XMLRPC

    If so, you should see code such as the following:

    #AIOWPS_PINGBACK_HTACCESS_RULES_START
    <Files xmlrpc.php>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    #AIOWPS_PINGBACK_HTACCESS_RULES_END

    Thread Starter Fritsje

    (@fritsje)

    My settings are:

    Completely Block Access To XMLRPC: DISABLED
    Disable Pingback Functionality From XMLRPC: ENABLED

    There are no “PINGBACK” rules in my .htaccess file. The word ‘PINGBACK’ does not appear anywhere.

  • The topic ‘100s of BruteForce attacks with Login whitelist + custom login page’ is closed to new replies.