Update On My Use Of Limit Login Attempts

Alex who also goes by Viper007Bond has recently installed Limit Login Attempts on his personal blog because someone is trying to brute force their way into his site. I’ve mentioned this plugin before and his post reminded me that I should probably give you all an update as to the results I’ve seen over the past few months.

Since January 1st, 2012 there have been 75 email notifications sent to my inbox letting me know of an IP address that failed to login to the back-end of WPTavern three times in a row. In almost every case, the notifications look like the following with the IP address being different.

3 failed login attempts (1 lockout(s)) from IP:

Last user attempted: admin

IP was blocked for 20 minutes

There have only been a few times when Webmaster and even fewer with Jeffro as the attempted username. I receive multiple notifications every day with some spurts of 3-4 different IP addresses failing to login. I have no idea if these are real people or bots trying to login but thankfully, Limit Login Attempts is keeping me abreast of all the failed attempts. It’s definitely a plugin you should consider installing for the sake of monitoring the activity of failed login attempts. This is also a reminder that if you are using admin as your administrative username or have that username within the Administrator role, you’re begging for trouble.


20 responses to “Update On My Use Of Limit Login Attempts”

  1. Limit Login Attempts continues to be an awesome Plugin.

    I’ve noticed an uptick in brute-force attempts in the past couple months, too. I’m thinking about lengthening the lockout period, but otherwise I’m not worried.

    As I’ve said in the past, I intentionally keep the “admin” username around. It only has “subscriber” privileges, so 1) it’s there, so the script kiddies keep trying to brute-force it, rather than attempt a legit username; and 2) even if they manage to brute-force it, they can’t do anything when they do.

  2. I’ve definitely seen an increase in this recently too. I used to get maybe one Limit Login Attempts email every couple of months, now I’m getting one or two a day.

    The attempts seem to come from a range of different IPs, and have always tried “admin” as the username, without fail.

    I’m not too worried about a brute-force attempt being successful, but it’s nice to know Limit Login Attempts is keeping me informed!

  3. Always setup your admin user name with a 2 digit suffix like this: admin33. Hackers always assume it is admin so most times this alone will keep you safe. Then of course you will need a good strong password.

    Another thing I have just started using is a plugin called ecstatic. it is a stats plugin but does other things also such as login security. If you get a certain number of login hits per so many seconds then it will block any further attempts from that IP for 15 minutes. I have no affiliation with ecstatic, I just like it.

  4. A couple things I’d like to see make it into WordPress core would be user capability administration and some enhancements to login/registration security, like bot registration restriction and login attempt limitations. Those are things I think shouldn’t be left to plugins, in my opinion.

  5. How about hiding the keys to the kingdom through some handy htaccess obfuscation? Change the following variables in CAPS in the following code. This code assumes WordPress is installed at the site root. If you were to change WordPress Tavern’s login using the code and suggested variable, the new login url would be wptavern.com/login.


    LOGINSLUG = to replace wp-login.php – can be something as simple as “login”
    ADMINSLUG = to replace wp-admin – can be something as simple as “admin”
    REGISTERSLUG = to replace wp-login.php?action=register – can be something as simple as “register”
    SECRETKEY = like a password…use several characters…out of ideas use a password generator or portion of a WordPress salt key at https://api.wordpress.org/secret-key/1.1/salt/
    SITEURL = the site url (e.g., wptavern.com)

    htaccess CODE

    RewriteEngine On
    RewriteBase /
    RewriteRule ^LOGINSLUG wp-login.php?SECRETKEY [R,L]
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^ADMINSLUG wp-login.php?SECRETKEY&redirect_to=/wp-admin/ [R,L]
    RewriteRule ^ADMINSLUG wp-admin/?SECRETKEY [R,L]
    RewriteRule ^REGISTERSLUG wp-login.php?SECRETKEY&action=register [R,L]
    RewriteCond %{HTTP_REFERER} !^(.*)SITEURL/wp-admin
    RewriteCond %{HTTP_REFERER} !^(.*)SITEURL/wp-login\.php
    RewriteCond %{QUERY_STRING} !^action=logout
    RewriteCond %{QUERY_STRING} !^action=rp
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^wp-login\.php not_found [L]

  6. P.S. At my first comment some code got stripped.

    Add “IfModule mod_rewrite.c” to the beginning of the htaccess code with opening less-than and closing greater-than signs.

    Add “/IfModule” to the end of the htaccess code with opening less-than and closing greater-than signs.

  7. Another alternative. Is limiting the IP’s that can access your WP-Admin using .htaccess Rules.
    Which will save the overhead of running a plugin.

    If you have a static IP all the better.
    But mine at the moment is restricted to x.x.x.ALL as the IP Restriction, as the first three octets form the IP generated when I connect to my VPN provider.

    So in order to access my blogs WP-Admin, I have to first connect to my VPN.
    Does the job :-D

    I echo Bob’s sentiments of using a alternative username for the install created admin user.
    I don’t use admin of a combination of admin myself.

  8. I’ve noticed an uptick in failed login attempts on my site as well. I have to think that it is a bot, because a person should just get frustrated after a few attempts and give up. Attempting a brute force attack on a system that times out for 20 minutes after 3 attempts seems very foolish, but then again, just like those many repeated email password phishing scams, someone, somewhere takes the bait or uses a simple password and the default user name.

  9. I’ve also used Login Lockdown which does the same thing as Limit Login Attempts – also you might want to change your WordPress user name to something other than “admin” so it makes it even more difficult to get in.

  10. Ive had a similiar experience and can’t recommend this plugin enough. The other one I like is Lockdown WP Admin. It allows your to set your own path for where the login page lives and blocks wp-admin from being accessible to the outside world. They can’t hack you if they don’t know where to login!


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: