Why you should limit login attempts


Some idiot at 213.155.4.184 hit all my websites over the last few days trying to log in to my blogs. He fired off hundreds of automated requests probing and searching and testing my admin login. Each request had a different password. I use difficult-to-guess passwords but seeing the attempts was disconcerting.

I went searching and found the Limit Login Attempts plugin. After installing, a new page appears under Settings with a wealth of options:

[Screenshot: the plugin's lockout settings page]

I’m glad I did install it: it caught the same guy when he hit this blog a few hours later! You should probably install it too.

PS. Matt asked me to explain how I recorded those requests. There is a WordPress plugin that sends an email when a POST request is made, but I threw this code into a file and load it with the “auto_prepend_file” directive in my php.ini (saves adding it to every installation of WordPress on my server):

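<?php
// Loaded through auto_prepend_file, so it runs before every PHP script on the server.
// Mails each POST request (fields and cookies exactly as submitted), skipping WordPress cron, comment posts and trackbacks.
// $HTTP_RAW_POST_DATA is not set on current PHP versions, so fall back to php://input.
$raw_post = isset( $HTTP_RAW_POST_DATA ) ? $HTTP_RAW_POST_DATA : file_get_contents( 'php://input' );
if ( ( $raw_post != '' || !empty( $_POST ) ) && $_SERVER[ 'REQUEST_URI' ] != '/wp-cron.php?doing_wp_cron' && $_SERVER[ 'SCRIPT_NAME' ] != '/wp-comments-post.php' && substr( $_SERVER[ 'REQUEST_URI' ], -10 ) != '/trackback' && substr( $_SERVER[ 'REQUEST_URI' ], -11 ) != '/trackback/' ) {
    mail( "MYEMAIL@gmail.com", $_SERVER[ 'HTTP_HOST' ] . " POST request: " . $_SERVER[ 'REMOTE_ADDR' ], "URL: {$_SERVER[ 'REQUEST_URI' ]}\nPOST: " . print_r( $_POST, 1 ) . "\nCOOKIES: " . print_r( $_COOKIE, 1 ) . "\nHTTP_RAW_POST_DATA: $raw_post" );
}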
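
A narrower variant of the logger above, as an added example that is not the author's code: it records only POSTs to wp-login.php, writes to the PHP error log instead of sending mail, and replaces the submitted password with a marker. `log` and `pwd` are the WordPress login form's field names; the function names, the log format and the sample request are assumptions made for this example.

```php
<?php
// Added example, not the post's code. Load it with auto_prepend_file.

// Keep printable ASCII only, so a crafted value cannot add log lines or break the quoting.
function lp_clean( $value, $max = 60 ) {
    $value = is_string( $value ) ? substr( $value, 0, $max ) : '';
    return preg_replace( '/[^\x20-\x7E]|"/', '?', $value );
}

// Return one log line for a POST to wp-login.php, or null for any other request.
function login_post_log_line( array $server, array $post ) {
    $get = function ( $key ) use ( $server ) {
        return isset( $server[ $key ] ) ? $server[ $key ] : '';
    };
    if ( $get( 'REQUEST_METHOD' ) !== 'POST' || basename( $get( 'SCRIPT_NAME' ) ) !== 'wp-login.php' ) {
        return null;
    }
    // 'log' and 'pwd' are the username and password fields of the WordPress login form.
    $user    = isset( $post['log'] ) ? $post['log'] : '';
    $has_pwd = isset( $post['pwd'] ) && $post['pwd'] !== '';
    return sprintf(
        'login-post host="%s" ip=%s user="%s" pwd=%s',
        lp_clean( $get( 'HTTP_HOST' ) ),
        lp_clean( $get( 'REMOTE_ADDR' ) ),
        lp_clean( $user ),
        $has_pwd ? '[redacted]' : '[empty]'   // the password itself is never written
    );
}

$run_directly = PHP_SAPI === 'cli' && isset( $_SERVER['argv'][0] )
    && realpath( $_SERVER['argv'][0] ) === __FILE__;

if ( $run_directly ) {
    // Constructed sample request, printed only when this file is run on its own.
    echo login_post_log_line(
        array( 'REQUEST_METHOD' => 'POST', 'SCRIPT_NAME' => '/blog/wp-login.php',
               'HTTP_HOST' => 'blog.example', 'REMOTE_ADDR' => '203.0.113.7' ),
        array( 'log' => "admin\nforged-line", 'pwd' => 'guess123' )
    ), "\n";
} else {
    $line = login_post_log_line( $_SERVER, $_POST );
    if ( $line !== null ) {
        error_log( $line );   // goes to the log configured by the error_log directive
    }
}
```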



62 thoughts on “Why you should limit login attempts”


  1. I’d agree, Limit Login Attempts is on my “standard” list of plugins to install.

    If possible, I’ll further protect the login and admin areas with HTTP authentication to stop this kind of hammering attack before it even gets to WordPress.


  2. Some dude had a go at one of my sites the other day as well. I killed him with htaccess. This looks cool though, I will look at installing it.


  3. So doesn’t this mean that you’re emailing yourself your username and password every time you log in? That seems like a security risk that’s much more likely to be exploited than someone guessing your password at random.


    1. Yeah, not only that, when any php script is accessed, you get an email. It would be great if this could work for WordPress only.


  4. I just block everything from the Ukraine as well as a few other countries. It’s a drastic measure but none of my websites are aimed at those countries anyway.

    It’s been unbelievable how much it has reduced all the various crack attempts. Naturally such a measure won’t suit everyone though.


    1. You block entire countries from accessing your website because you have some problems with crackers and spammers?

      Nothing on my website is “aimed at those countries” either, but I would never dream of such drastic and completely unnecessary measures. You seriously need to re-evaluate your approach there Robert.


  5. Probably not suitable for everybody. I’ve limited access to wp-login.php and admin.php by adding an IP filter in .htaccess.


    1. Stupid question alert:

      How can I do this:

      I’ve limited access to wp-login.php and admin.php by adding an IP filter in .htaccess.

      TIA!
      Cortney


  6. Another idea is to edit your wordpress database and change the admin username from “admin” to something else. I have done that for my school district’s web site as well as local school sites. So, even if someone happens to know the password, they’ll toss and turn to figure out the username. Then, limit login will hammer it down! :)


  7. Thanks for the tip. I went and installed a similar plugin (Login Lockdown) after reading this. I’ve also done what Patrick suggested, and deleted the “admin” user after setting up another admin account with a different name.


  8. Thanks for the heads up and for sharing this useful information!

    Btw, I’ve been using a WP plugin called Login Lockdown that can limit a number of unsuccessful login attempts (brute force attacks), I guess it works just like or has the same concept as the Limit Login Attempts plugin that you’re using.


  9. Hi

    Could you go into some more detail regarding the logging of the failed login attempts. I would be interested in knowing if this is happening to me also.

    Thanks
    Will


    1. Will – just put that code into a file and make sure it’s included. WordPress has a “myhacks” function you could use. (Google it, I don’t have a url at hand)


  10. Where does this plugin store the failed logins? MySQL?

    I wrote something a while back that limits logins much like this but using eAccelerator.


    1. Login Lockdown is in my list of standard plugins to use on every WP install. Very similar functionality to Limit Login Attempts from the looks of things.


  11. It should indeed be core, isn’t really a massive feature but sure as hell works. Thanks for the plugin link.


  12. Yup, hardening WP/WPMU installs always include changing admin username to something else, plus adding the “login error cleanup” plugin and the “login lockdown” plugin and the htaccess thingy :-)


  13. Unfortunately I did not have all of the Ukraine firewalled like I mentioned in my earlier comment.

    I’ve just had the same IP address trying to bruteforce my blog 3006 times in the past two hours!

    He’s blocked this time around though.


  14. Just to be extra paranoid and annoy the bots, I added a http auth login around wp-login.php on my other VPS. This one uses fastcgi which doesn’t support it unfortunately. (Yes, I could do it in a few .htaccess rules but I don’t have the time to dig into that right now!)


  15. Never knew this was not in the core of WordPress. This is a basic feature of an authentication system, to block access after 3 wrong attempts.

    This SHOULD GO INTO CORE !!!!


  16. It is incredible: today, my blog Journal de Cuba (in French) was the victim of the same attack, and by the same IP!!! This idiot from Namibia made 593 unsuccessful attempts to log in. This morning I installed the plugin, thank you Donncha for the tips.


  17. IP Tried to log in as
    213.155.4.184 admin (1 lockout)

    Same IP at my site. Good that I installed Limit Login Attempts when I saw this post.

    Thank you Donncha


  18. Add this line to your theme’s functions.php file to hide login error messages:

    add_filter( 'login_errors', function ( $a ) { return null; } );

    That way they can’t tell if they got the username or password (or both) wrong.


  19. Guess what? The same guy from the same IP is trying to get into my WordPress too. Detected after installing this plugin.


  20. I had the same issue from 213.155.4.184 hitting me 3,500 times. CPanel also shows this, and allows you to block ips or ip ranges.


  21. Hi Donncha, I have been using this plugin since you recommended it, and worked fine. Recently, I have been hit by some hacker trying to login simultaneously from multiple IP addresses. This plugin is not so effective in this scenario as each day/time the same clown tries from different addresses, un-stoppable!
    Do you ( or anyone else) know of a solution to RESTRICT LOGIN to an IP or IP range, written into .htaccess or something?
    I also use your WP Super Cache and Domain Mapping, so it needs be compatible with these too.
    Ideas?


  22. After further searching, I found a simple solution and would like to share:

    http://money.bigbucksblogger.com/blog-security-htaccess-block/

    specifically the section titled
    “How To protect Your wp-admin File: Very Secure Method.”

    It seems to work fine. I can login to my sites from home IP, no worries, and logging in through an online proxy (other IP) results in a 404 not found. Lovely!

    What you reckon Donncha, is this method cool?


  23. Nope, it didn’t work. I am still getting hit from various IPs simultaneously. The .htaccess limits entry to directory wp-admin, but they still access wp-login.php. Is /wp-admin still secure from other IP access even though wp-login.php is being hit? or is there a way to limit access to wp-login.php to only my home IP?
    Am I safe???


    1. Just make sure you have a strong password and you’ll be fine. You can use similar .htaccess rules to block access to your wp-login.php too.


  24. Thanks Donncha. I did it, and get 404 page when accessing thru proxy – other IP, so it should work!
    For those wishing to do the same, here it is:
    (replace 111.111.111.111 with your IP)

    Restrict access to wp-admin by IP:
    Make a .htaccess file in directory /wp-admin, and include:

    order deny,allow
    allow from 111.111.111.111
    deny from all

    Restrict access to wp-login.php by IP:
    Add this to .htaccess file in root directory /public_html:

    <Files wp-login.php>
    Order deny,allow
    Deny from All
    Allow from 111.111.111.111
    </Files>


    1. I made a mistake, and can’t edit the comment.
      CORRECTION:

      Restrict access to wp-login.php by IP:
      Add this to .htaccess file in root directory /public_html:

      <Files wp-login.php>
      Order deny,allow
      Deny from All
      Allow from 111.111.111.111
      </Files>


  25. Sorry mate, delete the last few comments, every time I put the code and submit the comment, the code changes. Email me and I can send the proper code for you to post. Funny thing, the comment box changes the code completely!
