constant hacking attempts directly on plugin
I added "error_log($query_string, 0)" near line 180 in db.php, immediately before the line "$rows = $db_data['db_instance']->get_results($query_string, ARRAY_A);". That's how I collect my log.
There are already constant login attempts (about 6 per minute) on my new WordPress site from rotating IP addresses based in Romania or wherever, but not through the usual WordPress wp-login.php form. The attempts all appear to be targeting the input of the "External Login" plugin directly. I know this because when I log in using the normal WordPress login my log shows it as the referrer, for example "… , referer: https://mydommain.ca/wp-login.php …", but these hacker attempts have no referrer at all. I even added a captcha on the wp-login form and, sure enough, no difference, because these brute-force attempts bypass the login form, captcha and all.
My passwords are really strong and the hackers are not even trying with usernames that could possibly work so I’m not worried, but all the same it might be good to add something to demand that there’s a referrer and that the referrer is (a login form) on the same machine as the plugin.
I found this out because I was trying to create my own custom replacement $exclude_query_string_component. For some reason my captured query string works as expected if I copy and paste it to run on my remote database using phpMyAdmin, but in the plugin my custom WHERE clause doesn't exclude users as expected yet, so I'm just trying to figure out why that might be. Maybe quotes or types or some other semantic mishap. I can log in with my email address fine but not with my username, which is an integer, so that might be a type-mismatch problem. I kind of don't want to discuss too much about my authentication setup in public! Time for a swim and a beer.
I have to admit I’m kind of obsessed with this plugin – it promises to make WordPress a lot more useful for bigger bespoke web-app systems like the ones I create, and potentially more secure too.
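The post above distinguishes form logins from direct hits on the plugin by whether the error_log() line ends in ", referer: …". The script below is an added example, not code from the post or from the External Login plugin, that does that triage automatically: it parses lines in the Apache mod_php error-log layout (assumed; php-fpm logs look different), applies the same-origin referrer test the post suggests, and reports the peak number of direct attempts in any 60-second window, which is the figure a rate limit or IP block would key on. The site host "mysite.example", the client addresses and the SQL text in the sample lines are all constructed. One caveat worth stating plainly: the Referer header is set by the client, so a same-origin check only filters bots that do not bother to forge it; it is a useful signal for logging, not a control on its own. The host comparison also shows why a substring test is the wrong way to implement that check.

```python
"""Triage PHP error_log() lines for login attempts that bypass wp-login.php.

Added example, not part of the forum post or the External Login plugin.
Assumes Apache mod_php formatting, where error_log($msg, 0) produces lines
like the CONSTRUCTED samples below and ", referer: <url>" is appended only
when the request carried a Referer header.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit

SITE_HOST = "mysite.example"  # assumed placeholder for the poster's own domain

# Constructed sample log (not real traffic): two normal form logins from one
# address, then a burst of referer-less hits from rotating addresses, one hit
# with a look-alike foreign Referer, and one straggler two minutes later.
SAMPLE_LOG = """\
[Tue Jul 12 10:00:01.100000 2022] [php:notice] [pid 1201] [client 198.51.100.7:50210] SELECT id FROM ext_users WHERE email = 'me@example.com', referer: https://mysite.example/wp-login.php
[Tue Jul 12 10:05:30.000000 2022] [php:notice] [pid 1201] [client 198.51.100.7:50388] SELECT id FROM ext_users WHERE email = 'me@example.com', referer: https://mysite.example/wp-login.php
[Tue Jul 12 10:10:00.000000 2022] [php:notice] [pid 1202] [client 203.0.113.5:51234] SELECT id FROM ext_users WHERE email = 'admin'
[Tue Jul 12 10:10:09.500000 2022] [php:notice] [pid 1203] [client 203.0.113.17:40011] SELECT id FROM ext_users WHERE email = 'administrator'
[Tue Jul 12 10:10:20.000000 2022] [php:notice] [pid 1202] [client 203.0.113.42:40987] SELECT id FROM ext_users WHERE email = 'test'
[Tue Jul 12 10:10:31.200000 2022] [php:notice] [pid 1204] [client 203.0.113.5:51300] SELECT id FROM ext_users WHERE email = 'root'
[Tue Jul 12 10:10:45.000000 2022] [php:notice] [pid 1203] [client 203.0.113.99:39001] SELECT id FROM ext_users WHERE email = 'wordpress'
[Tue Jul 12 10:10:50.000000 2022] [php:notice] [pid 1205] [client 192.0.2.9:44100] SELECT id FROM ext_users WHERE email = 'admin', referer: https://mysite.example.attacker.test/wp-login.php
[Tue Jul 12 10:12:30.000000 2022] [php:notice] [pid 1202] [client 203.0.113.17:40222] SELECT id FROM ext_users WHERE email = 'user'
"""

# IPv4 clients only, for brevity; an IPv6 client field would contain colons.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[php:notice\] \[pid \d+\] \[client (?P<ip>[^\]:]+):\d+\] "
    r"(?P<msg>.*?)(?:, referer: (?P<referer>\S+))?$"
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"


def parse_line(line):
    """Return {ts, ip, msg, referer} for one log line, or None if it does not match.
    referer is None when the request carried no Referer header at all."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "ip": m["ip"],
        "msg": m["msg"],
        "referer": m["referer"],
    }


def referer_is_same_origin(referer, site_host):
    """True only when the Referer URL's host is exactly the site's host.

    A substring test such as `site_host in referer` is wrong: it would accept
    https://mysite.example.attacker.test/ and https://attacker.test/?u=mysite.example.
    Even the exact comparison only trusts what the client chose to send.
    """
    if not referer:
        return False
    host = urlsplit(referer).hostname
    return host is not None and host.lower() == site_host.lower()


def classify_attempts(log_text, site_host):
    """Per client IP, count attempts that came through the site's own login form
    versus attempts that reached the handler directly (no or foreign Referer)."""
    via_form, direct = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = via_form if referer_is_same_origin(rec["referer"], site_host) else direct
        bucket[rec["ip"]] += 1
    return via_form, direct


def peak_direct_per_minute(log_text, site_host):
    """Largest number of direct attempts falling inside any 60-second window,
    across all source addresses (rotating IPs share one budget here)."""
    stamps = sorted(
        rec["ts"]
        for rec in map(parse_line, log_text.splitlines())
        if rec is not None and not referer_is_same_origin(rec["referer"], site_host)
    )
    peak, start = 0, 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] >= timedelta(seconds=60):
            start += 1
        peak = max(peak, end - start + 1)
    return peak


if __name__ == "__main__":
    form, direct = classify_attempts(SAMPLE_LOG, SITE_HOST)
    print("via login form:", dict(form))
    print("direct to plugin:", dict(direct))
    print("peak direct attempts per minute:", peak_direct_per_minute(SAMPLE_LOG, SITE_HOST))
```

Feed the real error log in place of SAMPLE_LOG to get the same breakdown for live traffic. Rotating source addresses are why the peak is computed over all IPs together: per-IP thresholds alone would never trip on a botnet that sends one or two attempts per address.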