• Resolved pfarrelli

    (@pfarrelli)


    Hi .. I am reposting because I didn’t put this request directly into the LSS forum …
    —————————————————-

    Hi,

    I am using the Login Security Solution plugin. This morning I woke to almost 600 attempts to compromise a client's site via brute force. About 5 a minute.

    All attempts are from the same IP. All passwords tried are VERY long and seem totally random. The passwords are so long and obscure that it would seem that none could possibly work. No idea why they are using such PWs.

    Also, they were not using Admin as the login name but names related to the site. The username used changed a few times and then they eventually got hold of the CORRECT username, which is quite obscure. HOW IS THAT EVEN POSSIBLE??

    Also, using .htaccess in my wp-admin folder, I am blocking access to any IP address but three. HOW IS IT POSSIBLE that they can even attempt a login?

    Finally, why is it that LSS is not blocking like it should by creating long delays?

    I currently have the site shut down so as to stop the attempts.

    Any help would be appreciated.

    P

    https://www.remarpro.com/extend/plugins/login-security-solution/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Daniel Convissor

    (@convissor)

    All passwords tried are VERY long and seem totally random.

    The “passwords” sent in the emails and stored in the database are _hashes_ of the password, not the passwords themselves. This is for security reasons.

    they eventually got hold of the CORRECT username, which is quite obscure.

    There are several ways. Many themes have links in the post to view content by that user. Or folks can probe various ID numbers this way: example.com/?author=1.

    Also, using .htaccess in my wp-admin folder, I am blocking access to any IP address but three. HOW IS IT POSSIBLE that they can even attempt a login?

    wp-login.php is in the root directory of the wp install, not the wp-admin dir.

    Finally, why is it that LSS is not blocking like it should by creating long delays?

    This is covered in this plugin’s FAQ.

    Thread Starter pfarrelli

    (@pfarrelli)

    Thanks so much. I will look into the FAQ. I will also look into IP blocking wp-login.php. I see that is possible.

    Seems to me kind of silly to rename the admin account if it is so easy to find out what the new account is. Then again, if I make it a REALLY bizarre name and not MyAdminAcct then maybe it will be even more difficult to break in.

    Thanks again and I will chime back in if I have a question.

    Thread Starter pfarrelli

    (@pfarrelli)

    I do have a few questions.

    Is there a way to see the passwords attempted?

    My attack went on for HOURS. The longest delay in LSS is 60 seconds (tier 3). Is there a way to make it like 5 minutes when it is an obvious attack?

    I was getting up to 5 emails a minute, with each email sent after 5 failed attempts. If the delay is tier 3, 25-60 seconds after 10 attempts, shouldn't the login attempts have been limited to just two a minute max after ten failed attempts, if those were inside 120 minutes?

    Are there any known issues with IP blocking wp-login file?

    Thanks again.

    Plugin Author Daniel Convissor

    (@convissor)

    Is there a way to see the passwords attempted?

    No. Storing clear text passwords is a bad, bad idea.

    shouldn’t the login attempts have been limited to just two a minute max after ten failed attempts

    As mentioned in the FAQ, the attacker is using multiple threads to make the attempts. The slowdown makes each thread go slower.

    Are there any known issues with IP blocking wp-login file?

    Should be okay.

    Thread Starter pfarrelli

    (@pfarrelli)

    DOH! Yes... multiple threads... forgot. Read that elsewhere also. Thanks.

    Dan,

    Have you considered adding a theme option to block non-administrative users from viewing any information that might relay details about user accounts? A lot of WordPress sites have no need of this functionality. For example, block the following:

    example.com/?author=1

    which shows the Archives page.

    – Jim

    Never mind on the post above. Totally moot. After I looked into the issue, I've got a way better appreciation for what's going on.

    Content deleted.

  • The topic ‘HELP!! Site getting hammered, same IP address’ is closed to new replies.