Login Attempts – Login 301 and 302 Errors logged
Tagged: login attempts
This topic has 12 replies, 3 voices, and was last updated 9 years, 11 months ago by AITpro Admin.

AITpro Admin (Keymaster)
Email Question:
This seems to happen in waves about each month, but my website is being bombarded with attempts to access wp-login and wp-admin (see below). In general this is not a problem as I do not have an ‘admin’ user and I have a strong password .
However, I thought these attempts would be denied or blocked. Instead they return 301’s or 404’s.. Surely there are sections of the htaccess file that deny this. Are they working correctly, or is there some problem with my htaccess file?
Cheers,
Mark

21-23-188-190.cab.prima.net.ar /blog/wp-admin/ 4/11/13 12:02 AM 302 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)
21-23-188-190.cab.prima.net.ar /wordpress/wp-admin/ 4/11/13 12:02 AM 301 Mozilla/5.0 (Windows NT 6.2; WOW64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1
21-23-188-190.cab.prima.net.ar /wp-admin/ 4/11/13 12:02 AM 301 Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.15 (KHTML, like Gecko) Chrome/24.0.1295.0 Safari/537.15
96-234-195-190.cab.prima.net.ar /blog/wp-login.php 4/11/13 12:00 AM 302 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)
AITpro Admin (Keymaster)
These are classic automated spam bot or hacker bot probes/recons looking for login pages. What gives that away is that the host name stays the same, but the User Agent changes with each probe. Most likely an additional automated bot script is doing something else that is not reflected/shown in the 301 and 302 logged errors, such as looking for some vulnerability or exploit in your login code.
It is a pointless and futile effort to try and block by IP Address, Host Name or User Agent since these things can all be faked and completely automated in the bot program. BPS does not bother with doing something like this since it is a waste of time, but if you would like to block by IP address (not recommended) then see this Forum topic: http://forum.ait-pro.com/forums/topic/htaccess-block-ip-address-block-access-to-files-by-ip-address/
Example: hacker or spam bot automated script does something like this. If IP Address X is blocked then automatically switch to IP address Y. If host name X is blocked then automatically switch to host name Y. If user agent X is blocked then automatically switch to user agent Y. etc etc etc etc etc.
What is important is that you have Login protection and spam bot protection. BPS Pro 5.8 will have a new Login Protection feature added. If you are currently using a Login Protection plugin then it should be doing something similar to this – after X number of failed login attempts lock the user account. You should never have your actual Admin user account (not the WordPress default admin account – your actual own personal Admin account) displayed publicly, otherwise your admin account will be repeatedly locked out.
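The tell described above (one host, a different User Agent on every hit) can be checked mechanically. The script below is an added example, not code from the thread or from BPS: it parses the log entries exactly as they were posted, flags hosts that hit login paths with more than one User Agent, and also totals probes per parent domain, since the reply notes that individual hosts and IPs rotate.

```python
import re
from collections import defaultdict

# The four log entries reported in the original post (host, path, date, time, status, UA).
LOG_LINES = [
    "21-23-188-190.cab.prima.net.ar /blog/wp-admin/ 4/11/13 12:02 AM 302 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)",
    "21-23-188-190.cab.prima.net.ar /wordpress/wp-admin/ 4/11/13 12:02 AM 301 Mozilla/5.0 (Windows NT 6.2; WOW64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1",
    "21-23-188-190.cab.prima.net.ar /wp-admin/ 4/11/13 12:02 AM 301 Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.15 (KHTML, like Gecko) Chrome/24.0.1295.0 Safari/537.15",
    "96-234-195-190.cab.prima.net.ar /blog/wp-login.php 4/11/13 12:00 AM 302 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)",
]

# Field layout as it appears in the post; the User Agent is the free-text remainder.
LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<path>\S+) (?P<date>\d+/\d+/\d+) (?P<time>\d+:\d+ [AP]M) (?P<status>\d{3}) (?P<ua>.*)$"
)
LOGIN_PATHS = ("wp-login.php", "wp-admin")


def parse(line):
    """Split one log entry into a dict, or return None if the line does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_login_probe(entry):
    return any(p in entry["path"] for p in LOGIN_PATHS)


def find_rotating_ua_hosts(lines, min_agents=2):
    """Hosts probing login paths with at least min_agents distinct User Agents -> {host: {hits, agents}}."""
    by_host = defaultdict(lambda: {"hits": 0, "agents": set()})
    for line in lines:
        e = parse(line)
        if e is None or not is_login_probe(e):
            continue
        by_host[e["host"]]["hits"] += 1
        by_host[e["host"]]["agents"].add(e["ua"])
    return {h: {"hits": v["hits"], "agents": len(v["agents"])}
            for h, v in by_host.items() if len(v["agents"]) >= min_agents}


def group_by_network(lines):
    """Count login probes per parent domain, because single hosts come and go but the network persists."""
    counts = defaultdict(int)
    for line in lines:
        e = parse(line)
        if e and is_login_probe(e):
            parent = e["host"].split(".", 1)[1] if "." in e["host"] else e["host"]
            counts[parent] += 1
    return dict(counts)
```

Running it over the posted entries flags 21-23-188-190.cab.prima.net.ar (3 hits, 3 User Agents) and attributes all 4 probes to cab.prima.net.ar.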
Paul D. (Participant)
BPS Pro 5.8 will have a new Login Protection feature added.
NICE !!!
WayneM (Participant)
…after X number of failed login attempts lock the user account…
Wouldn’t this action put any real user account at risk of being locked out if the bot or bad person is attempting to access the site with a real user name?
And, won’t users who have their usernames published as authors be the prime targets for this sort of abuse/problem?
Thanks again for the great plugin.
AITpro Admin (Keymaster)
First off you should never ever have your username publicly displayed. Usernames should also never be user friendly or guessable. Why?
I’m sure you have heard the WordPress phrase – “Security through obscurity”. It is the most misunderstood WordPress phrase. It does not mean trying to hide something. It means to make something impossible to guess or find. Similar to hiding, but not really the same thing.
WordPress allows you to choose the username that you want to display publicly and you should ALWAYS choose something other than the actual username/user account name.
Here is the answer to “Why?” above.
If a hacker has your username then you have given the hacker a huge advantage and the hacker has one known piece of information as a starting point to start cracking your login password.
Now let’s do it the right way and follow the intended meaning of the WordPress phrase “Security through obscurity”.
Example Secure Username/User Account name: JX36HP32Y6Q – this username/user account is NOT displayed publicly anywhere and is not guessable/is very obscure.
Example Secure Password: r#!P42T@h29V!Eb4$78T – would take months to years to crack even if the hacker has the username/user account name.
Ok so now to answer your question. If the hacker cannot find or guess the username/user account then the user account will never be locked out because there will not be any attempts at cracking that username/user account login.
As a test I left a testing site without any Login Protection for over 2 years and many login cracking attempts were made on that site (admin, administrator and various other random user account names), but the actual “Administrator” username/user account name had zero login cracking attempts because that “Administrator” username was not publicly displayed/known. The password was never cracked because the username and password were using the example obscuring methods above.
On another testing site I displayed the username/user account publicly and created a semi-secure password. That site did not have login protection and the login password was cracked within a week and the site was successfully hacked/controlled/owned.
In summary, you do not even need login protection if you have never exposed an obscure username publicly and are using a very secure password.
WayneM (Participant)
Right. Got it.
I’ve made the stupid mistake of not using “Admin” and thinking that was good enough. Yes, my username and display name are the same – Doh! 🙁
Looks like I’ll need to correct that in numerous installations.
This leads me to believe that there must be gazillions of WordPress admins who have probably misinterpreted that bit of WP security and made the same goof I have. Furthermore, other users (site visitors who sign up for accounts, etc) probably don’t make the distinction, or take advantage (or even sometimes have the option, depending on the community site plugin) of having a display name that is different from the account username. — I wonder if there is a plugin to help fix that?! 🙂
WayneM (Participant)
I just took a look at one of my WP admin sites. In the user panel under the option to edit profile I see the phrase “Usernames cannot be changed.”
Do you have any tips on a good way to change a username without having to reassign all the posts, pages, and whatnots to a newly named obscure admin account?
edited ….
Never mind…. Doh! My brain is fried today. If I delete the old account, it will probably ask me who I want to assign all that to…. (typed before thinking again)
AITpro Admin (Keymaster)
Yep, you are absolutely correct – most folks are completely exposed/vulnerable and they are not even aware of that.
I have been planning on creating a Forum Topic that will fully explain what the intended meaning of “Security through obscurity” is supposed to mean and also include step by step measures/a check list that folks can follow to maximize their site’s security and to minimize general vulnerabilities.
Since WordPress already allows you to NOT display your username publicly then an additional plugin would not be needed to do that.
AITpro Admin (Keymaster)
The correct way to create a new “Administrator” account is this:
Create the new obscure “Administrator” user account.
Log out of your site and log back in with that new “Administrator” account you created.
You can now delete your old “Administrator” account.
WayneM (Participant)
Thanks again – You are the best.
The reason I came here today was because of a news article I saw today about how WP sites are under a recent intense botnet brute force login attack. Then I saw that BPS is going to be adding a login protection feature and I was very pleased. Any idea on the timeframe for the release?
AITpro Admin (Keymaster)
BPS Pro 5.8 Login Protection tentative release date is between 5-1 to 5-15.
WayneM (Participant)
Regarding all that obscure username stuff….
If I hover over your username in the forum here, it looks like I might be seeing the username part of the login credentials needed before guessing at the password ?? (perhaps minus a few special characters – which would help)
AITpro Admin (Keymaster)
Yeah there is a way to hide the BuddyPress username, but I am not doing that. The secure password gets changed weekly and it is a 21 character secure password that would take months to crack, so by changing the secure password weekly there is nothing to worry about in the case of the BuddyPress Forum.