Suspicious login attempt

Defender randomly blocking IP due to suspicious login attempt. Want to know from where those are coming.

  • Adam Czajczyk
    • Support Gorilla

    Hello anubhav

    I hope you’re well today!

    I checked Defender’s “IP Lockouts” log on your site and it seems that there are indeed failed login attempts, mostly trying to log in using four specific user names. You can see them – the list including IPs and those usernames – on the “Defender Pro -> IP Lockouts -> Logs” page.

    Those “Failed login attempt with….” events listed there mean exactly this: somebody or something opened the login page of the site and tried to log in – unsuccessfully – using the given usernames.

    This might be a person or a script (bot) and, taking into account the IPs that are listed, I’d say it most likely is some bot network: most of these IPs are similar, and if you use “Geo IP Tool” you’ll find that most of them come from the US and Canada, and there’s a rather small chance that any “real person” would actually “move” so fast between these locations trying to log in (and “by chance” used such similar IPs).

    So yes, I believe it is just some bot network trying to gain access. However it sounds – it’s nothing unusual. This happens and happens a lot, especially taking into account that WP is one of the most popular web platforms so it’s also a popular target for such bots.

    Note also: a login attempt doesn’t mean that there was also a “registration attempt” or successful registration – it only means that someone or something tried to use a given username along with some password and that didn’t work.

    Taking that all into account, I’d suggest two additional actions to increase security (as you can’t do much about “forcing” these bots not to try to access the site other than possibly blacklisting those IPs – if you are absolutely sure none of them is actually yours or of your site’s users):

    1) enable the “Mask Login Area” feature at “Defender -> Advanced Tools -> Mask Login Area”

    By default any WordPress site has a login at the domain.com/wp-login.php page and this is a well-known location. With the “mask login area” tool you can move that login to some custom address (such as e.g. “domain.com/my-own-login”, “domain.com/7532e45” or anything else – the less “obvious” the better) while at the same time blocking access to the default “wp-login.php”. This will make it much more difficult for bots to “guess” where the login form is and should not only lower the number of such login attempts but also increase security at the same time.

    2) use Two Factor Authentication; you can enable it on “Defender Pro -> Advanced Tools -> Two-Factor Auth” page

    It will add an additional auth layer in addition to login and password so even in case somebody (or something – like a bot) would be able to successfully go past login and password, there’d still be a need to provide a special auth code (from the Google Authenticator app); this adds a lot of security and is recommended.

    Best regards,
    Adam
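
The reasoning in the reply above (similar IPs, a handful of repeated usernames, attempts in quick succession) can be checked against an exported list of failed logins. The following is an added example, not part of the original reply and not Defender's code; the (timestamp, IP, username) row layout, the sample rows and the thresholds are assumptions, not Defender's log format.

```python
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress

# Constructed sample rows: (timestamp, source IP, attempted username).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    ("2024-01-10T03:00:01", "203.0.113.10", "admin"),
    ("2024-01-10T03:00:04", "203.0.113.27", "administrator"),
    ("2024-01-10T03:00:09", "203.0.113.45", "admin"),
    ("2024-01-10T03:00:15", "203.0.113.88", "test"),
    ("2024-01-10T03:00:21", "198.51.100.7", "admin"),
    ("2024-01-10T03:00:26", "198.51.100.9", "editor"),
    ("2024-01-10T09:12:40", "192.0.2.50", "anna"),
]

def subnet_of(ip, prefix=24):
    """Network an IPv4 address belongs to, e.g. 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def cluster_by_subnet(events, prefix=24):
    """Group failed logins by subnet: distinct IPs, usernames, time span."""
    groups = defaultdict(lambda: {"ips": set(), "users": set(), "times": []})
    for ts, ip, user in events:
        g = groups[subnet_of(ip, prefix)]
        g["ips"].add(ip)
        g["users"].add(user)
        g["times"].append(datetime.fromisoformat(ts))
    return {
        net: {
            "ips": len(g["ips"]),
            "users": sorted(g["users"]),
            "span_s": (max(g["times"]) - min(g["times"])).total_seconds(),
        }
        for net, g in groups.items()
    }

def likely_bot_subnets(events, min_ips=2, max_span_s=300):
    """Subnets where several distinct IPs failed logins within a short span."""
    return sorted(
        net for net, s in cluster_by_subnet(events).items()
        if s["ips"] >= min_ips and s["span_s"] <= max_span_s
    )

def top_usernames(events, n=4):
    """Most frequently attempted usernames across all sources."""
    return Counter(user for _, _, user in events).most_common(n)
```

A flagged subnet is a candidate for blocklisting only after confirming that none of its addresses belong to you or your site's users.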
