dzyanis
Forum Replies Created
After the investigation of the issue, the plugin maker informed me that the plugin has an API “to allow adding of subscribers programmatically”. This API has a bug that allows bot attacks that might be exploiting this API endpoint. As a result, bots add emails of different users who are not subscribed to your blog newsletters. If your blog sends emails to these users, they most likely will report spam from the domain of your blog. Finally, the reputation of your domain will go down and email providers will put your domain on the blacklist.
There is no possibility to switch off the API, so this plugin is very dangerous.
Forum: Plugins
In reply to: [NSFW] [WPS Hide Login] Not sure if this plugin effective
Ok, I figured it out. I have “xmlrpc.php” disabled and physically deleted it from the root. Issue fixed, for two weeks there were no new login attempts. The problem was not in your plugin. Thank you for your help.
@khanm You can try to use the paid version since it contains a captcha. I am still getting ghost users in the free version and the only way to proceed is either to find another plugin or use the paid version of this plugin (but this is also not 100% guaranteed to avoid bots).
Hello. Answering your questions:
1. Here is the list of my workflows:
Send welcome email when someone subscribes [status: active]
Send confirmation email [status: active]
Notify admin when someone subscribes [status: active]
Notify admin when campaign is sent [status: active]
User deleted [status: Not active]
User updated [status: Not active]
I believe these workflows are from installation time and no new ones were added.
2. For example, yesterday I got two new subscribers, this is what they look like:
Cesar Fadel [[email protected]]
Mrs. Tara Fritsch [[email protected]]
And these are fake emails because the users’ names are different from the names in the email before the @. Also, I know that because I have a very specialized professional technical blog in mechanical engineering, and no random people want to subscribe to my technical posts. And of course, these two emails weren’t confirmed and will not be. It is 100% bots.
To be honest with you, now I’m pretty sure this is an action from your plugin, from you, to push people to buy your plugin, because your PRO versions have additional security, like a captcha.
- This reply was modified 2 years, 3 months ago by Steven Stern (sterndata).
Forum: Plugins
In reply to: [NSFW] [WPS Hide Login] Not sure if this plugin effective
Ok, I figured it out. The “xmlrpc.php” wasn’t disabled. So I made it manually in .htaccess:
<Files xmlrpc.php>
    order deny,allow
    deny from all
</Files>
I would recommend adding this feature to your plugin.
Also, I have installed your plugin “WPS Limit Login Attempts” and deleted “Limit Login Attempts Reloaded”.
(Actually, I have another plugin installed on the blog: “Sucuri WP Plugin” and it shows in its log a lot of failed attempts as well.)
I will let you know if it helps.
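A way to check which endpoint the login attempts arrive through, and whether the deny rule above took effect, as an added example that is not part of the original post. The log lines are constructed, and the Apache combined log format and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (documentation IPs).
# The first day is before the .htaccess deny rule, the second day after it.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2021:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2021:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2021:10:03:10 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.15 - - [12/Mar/2021:10:04:00 +0000] "GET /blog/post-1/ HTTP/1.1" 200 9321 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2021:08:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Mar/2021:08:00:05 +0000] "POST //xmlrpc.php?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
AUTH_ENDPOINTS = ("xmlrpc.php", "wp-login.php")


def summarize(log_text):
    """Count POSTs to the two WordPress authentication endpoints."""
    by_endpoint = Counter()  # (endpoint, status) -> hits
    by_client = Counter()    # (ip, endpoint) -> hits
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        if method != "POST":
            continue
        # Drop the query string and any doubled slashes before comparing.
        name = target.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
        if name in AUTH_ENDPOINTS:
            by_endpoint[(name, int(status))] += 1
            by_client[(ip, name)] += 1
    return by_endpoint, by_client


def still_reachable(by_endpoint, name="xmlrpc.php"):
    """POSTs the server answered with a non-error status (rule not applied)."""
    return sum(n for (ep, st), n in by_endpoint.items() if ep == name and st < 400)


if __name__ == "__main__":
    endpoints, clients = summarize(SAMPLE_LOG)
    for (name, status), hits in sorted(endpoints.items()):
        print(f"{name:14} {status} {hits}")
    print("xmlrpc.php POSTs answered without error:", still_reachable(endpoints))
```

Run against only the log lines written after the rule was added, a non-zero count from `still_reachable` means requests to xmlrpc.php are still being served.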
Forum: Plugins
In reply to: [NSFW] [WPS Hide Login] Not sure if this plugin effective
How can I check it? Where is the “xmlrpc” file located? Do I have to delete this file?
Forum: Plugins
In reply to: [NSFW] [WPS Hide Login] Not sure if this plugin effective
I cannot deactivate all my other plugins and leave my blog for a couple of days just for debugging your plugin: the design and work of the blog will be destroyed/changed.
I’m not sure what you mean by “xmlrpc”… is it a plugin? If so, I do not have the plugin “xmlrpc” installed.
Forum: Plugins
In reply to: [NSFW] [WPS Hide Login] Not sure if this plugin effective
To get the numbers of failed login attempts, I have activated the “Limit Login Attempts Reloaded” plugin, so it works together with your “WPS Hide Login” plugin. The host company is GoDaddy.
Forum: Plugins
In reply to: [NSFW] [WPS Hide Login] Not sure if this plugin effective
Hello, yes, I’m sure. If you want – please contact me in private and I will send you screenshots, blog URLs and all that you need for debugging. But something definitely works wrong.
Exactly! I have the same concern. There is no difference in failed login attempts between with hidden login (login by new, unknown path) and without it. Therefore, it looks like the numbers of prevented failed attempts provided by “Limit Login Attempts” plugin are just fake! Actually, I have sent this question to the sales team of “Limit Login Attempts” plugin, but they ignored me. So, do not rush to install this plugin: in the best case, it doesn’t do anything for your website, but in the worst case it is an email collector for spam providers.
Forum: Plugins
In reply to: [Reseller Store] Login Welcome Message
Fixed. It was an issue in the 2.0.7 version of Reseller Store. Just updated to 2.0.10.
Forum: Plugins
In reply to: [Reseller Store] Login Welcome Message
Hi!
I have the same issue. The widget “Sign In” doesn’t work properly: instead of just “Sign In” it shows “Sign In Welcome Back Log Out”. And after the user logs out, the user’s name is still seen.
I know exactly, the problem is not in a template – I tried to use a lot of them.
Where to dig?
Thanks!