• Hi
    I’m testing your plugin on different websites to try to understand how (and why) I see a lot of failed logins with different users in the log results.

    For all these websites, the wp-admin folder is protected by htaccess/htpasswd

    How is it possible that the different user names can be seen in the log results with these failed logins if htaccess is supposed to protect?

    I spent a lot of time online reading websites and forums.

    I added these lines to the root htaccess:

    # Apache 2.4 syntax: refuse every HTTP request for xmlrpc.php
    <Files "xmlrpc.php">
      Require all denied
    </Files>
    
    # Apache 2.2-style syntax (needs mod_access_compat on 2.4): refuse every request for wp-config.php
    <Files wp-config.php>
    	Order allow,deny
    	Deny from all
    </Files>

    But nothing changes, there are still failed logins.
    In another answer you wrote, I see you propose installing Limit Login Attempts.

    I don’t understand why the htaccess/htpasswd I placed in the wp-admin folder doesn’t block these failed logins.

    Thanks for your answer and help

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Support robertabela

    (@robert681)

    Thank you for trying our plugin tiptop13.

    The .htaccess you posted in this thread only denies access to the wp-config.php and xmlrpc.php files. It is not in any way restricting access to your login page.

    By the way, it is normal to see a number of failed login attempts when you have a WordPress website. If you want to harden the security around the login page you can do the following:

    1. Limit login attempts
    2. Add 2FA with the WP 2FA
    3. Add a CAPTCHA check on your WordPress login page

    By the way, if you always access the page from the same IP address you can restrict access to the login page via IP address. Refer to this htaccess file guide for WordPress to see how you can do this.

    Does the above help? Please let us know if you need additional information or if this does the job for you.

    Looking forward to hearing from you.

    Thread Starter tiptop13

    (@tiptop13)

    Thanks for your answer
    Unfortunately it doesn’t help; you have already written the same answer to other questions.
    I wrote that I placed htaccess/htpasswd security in the wp-admin folder, but I still have failed logins.

    I have also installed the plugin “Limit Login Attempts Reloaded”
    It doesn’t help; I just see the number of failed logins… nothing is blocked.

    Why add a captcha if nobody can access the wp-admin folder with the htaccess/htpasswd?

    I can’t block by IP because several editors access the admin from different places.

    I still don’t understand why I see failed logins with wp-admin folder protected

    Thanks for your help

    • This reply was modified 8 months, 2 weeks ago by tiptop13.
    Plugin Support robertabela

    (@robert681)

    Thank you for the update; however, I am not sure I understand your setup.

    You said “I placed htaccess/htpasswd security in the wp-admin folder, but I still have failed logins” – which htaccess are you referring to? If it is the one you posted in the first post, this does not restrict access to the wp-admin folder.

    When someone tries to access the wp-admin folder, do they have to authenticate via HTTP, i.e. do they have to enter a set of credentials before they actually see the WordPress login page?

    Thanks.

    Thread Starter tiptop13

    (@tiptop13)

    I have 2 htaccess files:

    One in the root folder, where I included the code to protect wp-login.php and xmlrpc.php.

    Another in the wp-admin folder. So to access wp-login.php, I must authenticate with credentials.

    That’s why I don’t understand these failed logins.

    Plugin Support robertabela

    (@robert681)

    Offhand it is very difficult to tell where these failed logins are coming from without having an understanding of your website setup. Here are some tips on how you can troubleshoot this:

    1. Check the web server access logs and see if you can correlate an HTTP request to a failed login, so you can see which page or what HTTP request is being sent.
    2. Check all the plugins and their settings – are there any plugins that could have their own custom login page?
    3. Crawl the website with software like Screaming Frog to get a complete picture of all the pages on your website.

    I hope the above helps. Please keep us posted about the findings.

    Thread Starter tiptop13

    (@tiptop13)

    Thanks for your answer

    1. Correlate an HTTP request to a failed login: I will check if I can find it.
    2. I don’t see this.
    3. Isn’t the XML sitemap from WordPress or Yoast the same for getting all pages?

    If I understand correctly, behind the wp-admin protected with credentials, a page tries to connect as each user?

    Plugin Support robertabela

    (@robert681)

    Hello tiptop13, some pages can be excluded from the sitemap, so while it is good practice to check it, I wouldn’t rely solely on it.

    I am sorry, but I did not understand your last question. Can you please rephrase? Thanks.

    Thread Starter tiptop13

    (@tiptop13)

    I mean I will check in the code of each plugin whether I see a form that can connect directly, even with the htaccess/htpasswd protection I have inside wp-admin.

    Plugin Support robertabela

    (@robert681)

    Hello tiptop13, some plugins like WooCommerce create a front-end login page, which means users can access this page and log in without requiring access to the wp-admin. For example it can be available at a URL such as website.com/user-login/.

    I hope this helps. Should you need any more information please do not hesitate to ask.
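Two points in this thread lend themselves to a worked example: the support reply suggesting that access-log requests be correlated with the failed logins the activity log reports, and the final reply noting that front-end login pages accept credentials without ever touching wp-admin. The script below is an added example, not code from the thread or from the plugin; it assumes Apache combined-format logs, assumes /wp-admin/ is the directory the poster protected with .htaccess/.htpasswd, and uses constructed log lines and constructed failed-login timestamps (the /user-login/ path is the hypothetical front-end login URL from the reply above). For each POST to a login-capable endpoint it records whether the path is even covered by the Basic-auth directory and whether the web server let the request through to WordPress, then pairs the activity-log timestamps with the nearest such requests.

```python
"""Correlate Apache access-log requests with the failed logins a WordPress
activity log reports.

Added example (not code from the forum thread or the plugin discussed).
It parses constructed combined-format log lines, keeps POST requests to
endpoints that consume a username and password, and records for each
whether the .htpasswd placed in /wp-admin/ covers the path at all and
whether the request reached WordPress (a 401 or 403 means it did not).
"""
import re
from datetime import datetime, timedelta

# Standard Apache "combined" log format; only the fields needed here are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: the directory the poster protected with HTTP Basic auth.
PROTECTED_PREFIX = "/wp-admin/"

# Paths that accept a username/password POST.  wp-login.php and xmlrpc.php
# live in the site root, outside /wp-admin/.  "/user-login/" is a hypothetical
# front-end login page of the kind a plugin such as WooCommerce adds.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php", "/user-login/"}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:08:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:08:15:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:08:16:10 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:08:16:12 +0000] "POST /user-login/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.77 - - [10/Mar/2024:08:17:00 +0000] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2024:08:17:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
""".splitlines()

# Constructed timestamps standing in for the failed-login entries the activity
# log shows (the plugin's own export format is not shown in the thread).
SAMPLE_FAILED_LOGINS = [
    "2024-03-10T08:15:02+00:00",
    "2024-03-10T08:15:09+00:00",
    "2024-03-10T08:16:12+00:00",
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], APACHE_TS),
        "method": m["method"],
        "path": m["target"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def login_attempts(lines):
    """POST requests to login-capable endpoints, with two flags added:
    under_htpasswd  - the path lies inside the Basic-auth protected directory
    reached_wordpress - the web server passed the request on (not 401/403)."""
    rows = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        rec["under_htpasswd"] = rec["path"].startswith(PROTECTED_PREFIX)
        rec["reached_wordpress"] = rec["status"] not in (401, 403)
        rows.append(rec)
    return rows


def reached_by_path(rows):
    """Count, per endpoint, the login POSTs that WordPress actually processed."""
    counts = {}
    for r in rows:
        if r["reached_wordpress"]:
            counts[r["path"]] = counts.get(r["path"], 0) + 1
    return counts


def correlate(rows, failed_login_times, window_seconds=5):
    """Pair each activity-log failed-login time with the login POSTs that
    reached WordPress within the window; this shows which URL the attempts
    are arriving on."""
    window = timedelta(seconds=window_seconds)
    pairs = {}
    for iso in failed_login_times:
        when = datetime.fromisoformat(iso)
        pairs[iso] = [r["path"] for r in rows
                      if r["reached_wordpress"] and abs(r["ts"] - when) <= window]
    return pairs


if __name__ == "__main__":
    rows = login_attempts(SAMPLE_LOG)
    for r in rows:
        print(r["ts"].isoformat(), r["ip"], r["path"], r["status"],
              "under_htpasswd=%s" % r["under_htpasswd"],
              "reached_wordpress=%s" % r["reached_wordpress"])
    print(reached_by_path(rows))
    print(correlate(rows, SAMPLE_FAILED_LOGINS))
```

On the constructed data, none of the login POSTs fall under /wp-admin/, so the htpasswd there never sees them; the xmlrpc.php POST is stopped by the root .htaccess (403), while the wp-login.php and /user-login/ POSTs reach WordPress and line up with the failed-login timestamps. Run against real logs, the same pairing tells you which URL to protect next.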
