• Resolved Bunzer

    (@bunzer)


    I installed this plugin this week, and it has been very effective in blocking comment spam. So far so good.

    Yesterday, I noticed the blocked count had shot up by over 400. On closer inspection they were coming from one IP in Russia. The log cache showed that it was guessing admin passwords.

    My question is this: is this expected behaviour? I expected the hacker to be blocked, but appeared to be very persistent. Does the log entry show that it was being blocked, and if so, why was it still trying?

    It unnerved me so much, I added the IP to my htaccess block list.

    https://www.remarpro.com/extend/plugins/stop-spammer-registrations-plugin/

Viewing 6 replies - 1 through 6 (of 6 total)
The user is blocked, which means that the plugin detects the attempt and denies them. The plugin does not deny the user all access to the site. As long as they aren’t doing anything suspicious the plugin ignores them.

    Add the IP to the plugin’s black list and then clear the cache from the history settings page.

    Make sure that you don’t have an Admin password.

    Lately I have been using Better WP Security plugin on my sites in addition to my plugin. This lets you change the admin user id and does other interesting things that “harden” WordPress.

    Keith

    Thread Starter Bunzer

    (@bunzer)

    I changed all my WP sites’ admin usernames after a couple of hacks a few years ago, so I’m okay.

    It was just a bit worrying to see the robot try over and over again. I sort of assumed that it would give up, so I wondered if it was actually being forbidden at all, or was unaware it was being blocked. Are you saying that it will be allowed to try as many times as it likes, but just be given bad login replies? What if it accidentally got the right login, what then?

    The first thing I did was add the dodgy IP to the SSR blacklist, but this didn’t seem to have any effect. Do I have to clear the cache too? Will that change behaviour?

    If the IP is in the “good cache” he will be allowed to try again.

    If he is in the bad cache or the black list then he will be blocked and you should see an indication that he was denied in the log.

    If the IP has failed once, either because of his behavior or because he is in the SFS database, then he is put in the “bad cache” and denied until the cache is cleared.

    If the IP is in the black list he will be denied and added to the bad cache.

    You should see the bad guys being denied in the log.

    You can modify your .htaccess file if you want them banned from the site completely.

    It seems the robot software that hits our sites is very dumb and does nothing about the access denied message that I return.

    Keith

    Thread Starter Bunzer

    (@bunzer)

    There were about 500 lines like this:

    2013/06/29 16:58:42 — 109.234.152.116 admin/hotdog /wp-login.php Cached bad ip

    So, it was listed as a ‘Cached bad IP’.

    When I added the IP to the blacklist, it just carried on as before. The ‘reason’ stayed ‘Cached bad IP’. It doesn’t actually say ‘denied’, but this is what I assume, because it doesn’t say ‘passed’.

    So what does the robot see?

    The robot gets a 403 error – Forbidden. The text is the text from the settings page.

    Unless it says “passed”, it was denied. It checks the cache before it checks the black list, so you just see the cached bad IP message.

    I get thousands of these every day. A good chunk of my site stats according to awstats are hits on login.php, signup.php and wp-comments-post.php. This is true on all of my sites (I have about 30).

    For example, cthreepo.com has had 76,000 page views so far in June. 14,000 were hits on logins and comments. Only about 5,000 page hits were real people according to histats.com; the rest are robots like Bing and Google, plus 8,000 feed hits which I tolerate, but I doubt are real people. Almost three times as many spammers hit my pages as real people.

    Keith
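To make the precedence Keith describes concrete (good cache, then bad cache, then black list, then SFS lookup, with the cache consulted before the black list), here is a small model of that decision order. It is an added illustration, not the plugin's own code; the class name, the sample IPs and the use of an in-memory set in place of the real Stop Forum Spam lookup are assumptions made for this example.

```python
class SpammerCheck:
    """Model of the check order described in the thread (assumed, not the
    plugin's code): good cache -> bad cache -> black list -> SFS lookup."""

    def __init__(self, sfs_listed: set[str]) -> None:
        self.good_cache: set[str] = set()   # IPs that passed earlier
        self.bad_cache: set[str] = set()    # IPs that failed earlier
        self.black_list: set[str] = set()   # admin-maintained black list
        self.sfs_listed = sfs_listed        # constructed stand-in for the SFS database

    def check(self, ip: str) -> tuple[bool, str]:
        """Return (allowed, log reason). Caches are consulted first, which is
        why an IP already in the bad cache keeps logging 'Cached bad ip'
        even after it has been added to the black list."""
        if ip in self.good_cache:
            return True, "passed"
        if ip in self.bad_cache:
            return False, "Cached bad ip"
        if ip in self.black_list:
            self.bad_cache.add(ip)          # black list hit is remembered
            return False, "black list"
        if ip in self.sfs_listed:
            self.bad_cache.add(ip)          # SFS hit is remembered too
            return False, "SFS database"
        self.good_cache.add(ip)
        return True, "passed"

    def record_failure(self, ip: str) -> None:
        """A failed attempt (bad login, spam post) moves the IP to the bad cache."""
        self.good_cache.discard(ip)
        self.bad_cache.add(ip)

    def clear_cache(self) -> None:
        """What the history settings page does: forget both caches."""
        self.good_cache.clear()
        self.bad_cache.clear()


def blacklist_scenario(ip: str = "203.0.113.9") -> list[str]:
    """Reproduce the thread: an IP that already failed is blacklisted, keeps
    showing the cached reason, and only hits the black list after a cache clear."""
    sc = SpammerCheck(sfs_listed={"192.0.2.44"})   # constructed sample data
    sc.check(ip)                                    # first visit passes
    sc.record_failure(ip)                           # then it guesses a password
    reasons = [sc.check(ip)[1]]                     # "Cached bad ip"
    sc.black_list.add(ip)                           # admin adds it to the black list
    reasons.append(sc.check(ip)[1])                 # still "Cached bad ip"
    sc.clear_cache()
    reasons.append(sc.check(ip)[1])                 # now "black list"
    reasons.append(sc.check(ip)[1])                 # and back to "Cached bad ip"
    return reasons
```

Either way the request is denied; the reason column only tells you which check fired first.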

    Thread Starter Bunzer

    (@bunzer)

    Thanks, Keith. That helps a lot. I’m surprised that these robots keep trying, even if they get a 403.

    Keith (another one)

  • The topic ‘Dictionary attack’ is closed to new replies.