20 Comments


  1. Limit Login Attempts continues to be an awesome Plugin.

    I’ve noticed an uptick in brute-force attempts in the past couple months, too. I’m thinking about lengthening the lockout period, but otherwise I’m not worried.

    As I’ve said in the past, I intentionally keep the “admin” username around. It only has “subscriber” privileges, so 1) it’s there, so the script kiddies keep trying to brute-force it, rather than attempt a legit username; and 2) even if they manage to brute-force it, they can’t do anything when they do.


  2. For what it’s worth, it’s actually “Viper007Bond” and I’ve been running the plugin on my blog for a very long time. I just never got around to blogging about it. :)


  3. I’ve definitely seen an increase in this recently too. I used to get maybe one Limit Login Attempts email every couple of months, now I’m getting one or two a day.

    The attempts seem to come from a range of different IPs, and have always tried “admin” as the username, without fail.

    I’m not too worried about a brute-force attempt being successful, but it’s nice to know Limit Login Attempts is keeping me informed!

  4. bob

    Always set up your admin user name with a 2 digit suffix like this: admin33. Hackers always assume it is admin so most times this alone will keep you safe. Then of course you will need a good strong password.

    Another thing I have just started using is a plugin called ecstatic. It is a stats plugin but does other things also such as login security. If you get a certain number of login hits per so many seconds then it will block any further attempts from that IP for 15 minutes. I have no affiliation with ecstatic, I just like it.
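    The rate-limit rule just described (a set number of login hits from one IP within a few seconds, then a block for 15 minutes) is also what Limit Login Attempts does on failed logins. As an added example that is not part of this comment or of any plugin named in the thread, here is that sliding-window lockout in Python, run over constructed Apache access-log lines. The thresholds (5 failures in 30 seconds, 15-minute lockout), the log format and the sample IPs are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-log prefix: client IP, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

class LoginRateLimiter:
    """Sliding window: `max_hits` failed logins within `window` seconds from one IP
    locks that IP out for `lockout` seconds (the default thresholds are assumptions)."""
    def __init__(self, max_hits=5, window=30, lockout=15 * 60):
        self.max_hits, self.window, self.lockout = max_hits, window, lockout
        self.hits = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}          # ip -> expiry of the current lockout

    def observe(self, ip, ts):
        """Record one failed login at `ts`; return 'blocked' if the IP is locked out."""
        if ip in self.blocked_until and ts < self.blocked_until[ip]:
            return "blocked"
        q = self.hits[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.max_hits:
            self.blocked_until[ip] = ts + timedelta(seconds=self.lockout)
            q.clear()
            return "blocked"
        return "allowed"

def process_log(lines, limiter=None):
    """Feed failed wp-login.php POSTs (WordPress answers 200 on failure, 302 on
    success) to the limiter; return per-hit decisions and the sorted locked-out IPs."""
    limiter = limiter or LoginRateLimiter()
    decisions = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == "200":
            decisions.append((ip, limiter.observe(ip, datetime.strptime(ts, TS_FMT))))
    return decisions, sorted(limiter.blocked_until)

# Constructed sample log: one IP hammering the form every 2 s, one user who mistyped once.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2013:08:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 512' % s
    for s in range(0, 12, 2)
] + ['198.51.100.4 - - [10/Apr/2013:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 512']
```

Running `process_log(SAMPLE_LOG)` locks out only 203.0.113.7 on its fifth failure; the legitimate user's single failure is allowed, and the lockout expires on its own after 15 minutes.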


  5. I too use this plugin a lot. It’s great for capturing the IP addresses in order to block them from the server. Sometimes I see someone trying to break in to one of my sites every two minutes from 8:00 AM until sometimes 12:00.


  6. This plugin is great. I usually get 2-3 e-mails a week of someone attempting “admin”. I have only had a problem with one IP that kept coming back that I had to block using .htaccess.


  7. A couple things I’d like to see make it into WordPress core would be user capability administration and some enhancements to login/registration security, like bot registration restriction and login attempt limitations. Those are things I think shouldn’t be left to plugins, in my opinion.


  8. How about hiding the keys to the kingdom through some handy htaccess obfuscation? Change the following variables in CAPS in the following code. This code assumes WordPress is installed at the site root. If you were to change WordPress Tavern’s login using the code and suggested variable, the new login url would be wptavern.com/login.

    Variables

    LOGINSLUG = to replace wp-login.php – can be something as simple as “login”
    ADMINSLUG = to replace wp-admin – can be something as simple as “admin”
    REGISTERSLUG = to replace wp-login.php?action=register – can be something as simple as “register”
    SECRETKEY = like a password. Use several characters; if out of ideas, use a password generator or a portion of a WordPress salt key at https://api.wordpress.org/secret-key/1.1/salt/
    SITEURL = the site url (e.g., wptavern.com)

    htaccess CODE

    RewriteEngine On
    RewriteBase /
    RewriteRule ^LOGINSLUG wp-login.php?SECRETKEY [R,L]
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^ADMINSLUG wp-login.php?SECRETKEY&redirect_to=/wp-admin/ [R,L]
    RewriteRule ^ADMINSLUG wp-admin/?SECRETKEY [R,L]
    RewriteRule ^REGISTERSLUG wp-login.php?SECRETKEY&action=register [R,L]
    RewriteCond %{HTTP_REFERER} !^(.*)SITEURL/wp-admin
    RewriteCond %{HTTP_REFERER} !^(.*)SITEURL/wp-login\.php
    RewriteCond %{HTTP_REFERER} !^(.*)SITEURL/LOGINSLUG
    RewriteCond %{HTTP_REFERER} !^(.*)SITEURL/ADMINSLUG
    RewriteCond %{HTTP_REFERER} !^(.*)SITEURL/REGISTERSLUG
    RewriteCond %{QUERY_STRING} !^SECRETKEY
    RewriteCond %{QUERY_STRING} !^action=logout
    RewriteCond %{QUERY_STRING} !^action=rp
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^wp-login\.php not_found [L]


  9. P.S. At my first comment some code got stripped.

    Add “IfModule mod_rewrite.c” to the beginning of the htaccess code with opening less-than and closing greater-than signs.

    Add “/IfModule” to the end of the htaccess code with opening less-than and closing greater-than signs.


  10. I use the Limit Login Attempts plugin too, and login attempts were increasing lately on my end too. But now that I have changed the login URL by using the Better WP Security plugin, they have finally vanished entirely.


  11. I have limited the logins using .htaccess but my site has just started so I guess not enough hackers and spammers know about it, lol!


  12. Another alternative is limiting the IPs that can access your WP-Admin using .htaccess rules,
    which will save the overhead of running a plugin.

    If you have a static IP all the better.
    But mine at the moment is restricted to x.x.x.ALL as the IP Restriction, as the first three octets form the IP generated when I connect to my VPN provider.

    So in order to access my blog’s WP-Admin, I have to first connect to my VPN.
    Does the job :-D

    I echo Bob’s sentiments of using an alternative username for the install-created admin user.
    I don’t use admin or a combination of admin myself.


  13. I use a plugin called User Locker which limits the number of login attempts before the user is locked out. But it lacks an e-mail notification feature (apparently). I guess I really don’t want to know how much evil lurks out there. Fool’s paradise, I know. :(


  14. I’ve noticed an uptick in failed login attempts on my site as well. I have to think that it is a bot, because a person should just get frustrated after a few attempts and give up. Attempting a brute force attack on a system that times out for 20 minutes after 3 attempts seems very foolish, but then again, just like those many repeated email password phishing scams, someone, somewhere takes the bait or uses a simple password and the default user name.

  15. Doug Millington

    I’ve also used Login Lockdown which does the same thing as Limit Login Attempts – also you might want to change your WordPress user name to something other than “admin” so it makes it even more difficult to get in.


  16. Thanks for the info. I will suggest it to my web service.



  17. I’ve had a similar experience and can’t recommend this plugin enough. The other one I like is Lockdown WP Admin. It allows you to set your own path for where the login page lives and blocks wp-admin from being accessible to the outside world. They can’t hack you if they don’t know where to login!


Comments are closed.