• Resolved wp_mattoo

    (@mattoo64)


    Dear all,

    One of my sites using iThemes Security has been targeted by hackers several times a day for months, so I have decided to “hide the backend”, meaning that the login URL is not supposed to be the standard one anymore.

    Still, I keep receiving alerts from user lockout due to too many “bad logins”.

    I must confess I’m quite puzzled by this situation… Could someone please explain to me how these hackers can continue trying to log in (using a bot, on that we all agree) if the backend is hidden?

    How can I prevent them from continuing their daily login attempts (I’m only getting alerts such as “user lockout”, so I don’t have IPs to ban…)?

    Many thanks for your HIGHLY APPRECIATED clarifications

    Matt

Viewing 7 replies - 1 through 7 (of 7 total)
  • pronl

    (@pronl)

    @mattoo64

    The plugin Logs page should help you get answers.
    Perhaps post a screenshot of the Logs page which makes it easier for the community to say something about your specific situation.

    Thread Starter wp_mattoo

    (@mattoo64)

    Thanks for your answer!

    I’ve been looking at the logs; all they show is the user name that was tried and at what time, as you can see below. Additionally I have the IP list (which I didn’t get in the email), but it’s never the same, so there’s no efficient way to ban:

    2017-02-26 07:44:02 92.53.55.142 stephanie
    2017-02-26 05:29:14 187.199.79.106 stephanie
    2017-02-26 03:25:09 98.143.69.104 stephanie
    2017-02-26 01:04:50 88.253.180.222 stephanie
    2017-02-25 20:21:42 79.180.240.53 stephanie

    The strange thing is I changed the default login page (using the hide backend feature), so the login URL is no longer one of these:

    https://www.example.com/admin/
    https://www.example.com/wp-admin/
    https://www.example.com/login/
    https://www.example.com/wp-login.php

    Therefore, how can the hackers still try to log in?

    Thanks for the details, I really need help on this subject…

    Matt

    pronl

    (@pronl)

    @mattoo64

    There is much more info in the plugin Logs page than the filtered info you are providing.
    It would be so much easier being able to actually look at your Logs page.
    Any chance of posting a screenshot?

    If you don’t feel comfortable posting a screenshot on the forum, visit my profile page and find out where to send it.

    I’m trying to make this a learning experience. So next time you’ll know what to look for.

    Thread Starter wp_mattoo

    (@mattoo64)

    Wow… thanks a lot, it’s really kind of you, I do appreciate it!!

    I’ll send you an email right away with a screenshot pack.

    Thanks!!

    pronl

    (@pronl)

    @mattoo64

    Received your email. One question though, are you using the latest iTSec plugin release (6.1.1)?

    Thread Starter wp_mattoo

    (@mattoo64)

    After checking, yes, I can confirm I am using 6.1.1.

    FYI, the attacks continue:

    2017-02-26 19:41:20 178.80.234.45 stephanie
    2017-02-26 17:26:15 2a02:587:5c0a:c500:79f1:1d7b:9bb7:aa5e stephanie
    2017-02-26 15:19:35 188.142.192.46 stephanie

    Many thanks for your kind support!!

    Thread Starter wp_mattoo

    (@mattoo64)

    Dear All,

    Thanks to Pronl I have good reason to think my troubles are away for a while.

    Basically, here is what I learned, for those it may help:

    To protect your website efficiently against unfriendly login attempts, you need to protect it from 3 possible attack sources:

    1. wp-login.php
    2. xmlrpc.php
    3. REST API

    The first one is protected by hiding the backend.
    The second by changing to the recommended option in the “WordPress Modification” options set.
    The third by ticking the corresponding box in the “system tweaks” options set.

    All in the iThemes Security options section, of course.

    Last thing: check the “details” link in the row corresponding to an attack in your iTSec logs section to know which of the 3 methods above was used to attack your site (so that you know if you forgot to protect one of them).

    A big thanks again to Pronl for his kind and very effective support!

    Matt
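
Added example, not part of the original thread and not iThemes Security code: a cross-check of the three entry points listed above (wp-login.php, xmlrpc.php, REST API) against the web server's own access log, to see which one is still receiving requests. It assumes the Apache/nginx "combined" log format; the sample lines, documentation-range IPs and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in "combined" format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.10 - - [26/Feb/2017:07:44:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.7 - - [26/Feb/2017:05:29:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
192.0.2.55 - - [26/Feb/2017:03:25:09 +0000] "POST /wp-login.php HTTP/1.1" 404 1024 "-" "-"
2001:db8::aa5e - - [26/Feb/2017:01:04:50 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "-"
203.0.113.10 - - [26/Feb/2017:01:05:10 +0000] "GET /index.php?rest_route=/wp/v2/users HTTP/1.1" 200 512 "-" "-"
192.0.2.80 - - [26/Feb/2017:01:06:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9000 "-" "-"
"""

# client IP (v4 or v6), identd, user, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(method, path):
    """Map a request to one of the three entry points named in the thread, or None."""
    base, _, query = path.partition("?")
    base = base.lower()
    if method == "POST" and base.endswith("/wp-login.php"):
        return "wp-login.php"
    if method == "POST" and base.endswith("/xmlrpc.php"):
        return "xmlrpc.php"
    # REST API is reachable via pretty permalinks (/wp-json/) or ?rest_route=
    if "/wp-json/" in base + "/" or "rest_route=" in query.lower():
        return "REST API"
    return None

def summarize(log_text):
    """Return {entry point: {"requests": n, "distinct_ips": m}} for matching lines."""
    hits = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        vector = classify(m["method"], m["path"])
        if vector:
            hits[vector] += 1
            sources[vector].add(m["ip"])
    return {v: {"requests": hits[v], "distinct_ips": len(sources[v])} for v in hits}

if __name__ == "__main__":
    for vector, stats in summarize(SAMPLE_LOG).items():
        print(f"{vector:13} {stats['requests']:3} requests from {stats['distinct_ips']} IPs")
```

An entry point that keeps accumulating requests from many distinct IPs after the change is the one left unprotected, which matches the rotating source addresses shown in the lockout list earlier in the thread.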

  • The topic ‘Hidden backend, still hackers login attempts ?!’ is closed to new replies.