DoS with this plugin?

We have the same problem. Login notification plugin installed along with this one.

On 10+ sites we continually receive 100+ e-mails of failed login attempts from the same IP address, same username attempted. The plugin does not seem to be doing its job at locking out IP addresses after 4 (or however many) tries.

If you found a solution, wilcochris, I would love to hear!

Hi,

No solution, no word from the developer.

My advice would be to ditch this and find something far superior. Even if I do get word from the dev I will never go back. Far too long a delay in responding.

Hope you can find something better than this heap of junk.

It’s not a problem with the plugin, it’s an historical problem with WordPress.

Until version 3.0, when installing a new site WordPress made ‘admin’ a compulsory first user, complete with administration powers.

Then until 3.7, it strongly suggested that username for the first user.

I think it still defaults to it if you don’t supply a username.

The result is that there are millions and millions of WordPress-based sites out there with an administration account called ‘admin’, so the vast majority of automated attempts to login use that user name.

This is what you’re seeing… It clearly works often enough that it’s not worth them trying to work out what usernames are in use.

FWIW Wilco – we actually were able to figure out why/how this is happening.

Stumbled across the answer accidentally while trying to connect to one of my websites using the WordPress iPhone App. This plugin does not work for that type of remote connection – so the same IP address trying multiple times is not subject to the “Limit Login Attempts” IP Block.

I’m not sure how to solve this issue – but there seems to be a bug in the plugin specifically related to remote posting. My guess is that these robots trying to brute force attack your site are using a similar script/application that is also bypassing the plugin’s IP address blocking feature.

Alternatively, you can use the plugin Login LockDown
=(

The problem is that this plugin does not protect from brute force attacks coming from a bot-network with thousands of unique IP’s. It doesn’t matter if they all get blocked. There are so many that they potentially still can perform a successful attack.

This would of course explain the continues emails wilcochris and Jessi are getting.

Thanks for the information, Jessi! I’m wondering if I’m seeing something similar.

About two weeks ago, all of my sites started getting massive brute force login attempts. I had my limit login attempts threshold set at 4, but I was getting as many as 12 on some attempts. The botnets actually took down one of my site via DDoS.

Now, I have .htaccess for wp-admin and for the parent directory wp-login.php set to whitelist my IP. Initially, that cut off the massive brute-force onslaught, but after a few days, I started getting more notifications that my limit login threshold had been exceeded — which I would not have thought possible (they were *not* coming from my whitelisted IP).

At this point, it’s not fatal. My “admin” has no access to the site, has a very large randomly-generated password, and uses Google authentication plus stealth login. I’m getting 2 or 3 of these a day, so it appears that the layers above limit login attempts are repelling most of the botnet attacks. Not likely that anybody is going to guess that password plus the Google authentication plus the extra authentication — but there are many things about this stuff I don’t understand, and the fact that somebody is crashing my .htaccess worries me.

chltx. the problem is when you have no an fixed ip.

The ideal is that the plugin detect geoip and show the country and the option of refuse country. I have a lot of force attacks, and I candetect firstly India and Pakistan. The problem is go one by one ip refusing it.