What could I do to boost safety after getting a multiple log in attempts message?

I got this message

8 failed login attempts (4 lockout(s)) from IP: 91.200.14.72

Last user attempted: admin

IP was blocked for 24 hours

so it could be legit but it could be someone trying to hack in I’d guess.
Could I get some suggestions on what to do to improve the safety? Add the IP to a block list?
thx
D

Depends on what they are trying to log into, and what kind of hosting you have. You could add the IP to a block list, but if it’s an automated or determined attempt then it can easily swap to another one. The IP you have listed is from what I’d consider a bad network neighbourhood, it’s almost certainly a malicious attempt. The inverse to blocking one IP is more effective (block them all, allow only whitelisted IPs, which is only an option however if you are going to access the system from set IP addresses).

Blocking IPs has its downside.

For example, if your site has a global audience you may not want to block a Russian IP, but if you don’t care if anyone using a Russian IP is blocked you could add it to a blacklist.

Keep in mind that there are a vast number of IPs that can be used. In this case it might be best to block a range of IPs i.e.
91.200.14.xxx or even more.

A 24 hour lockout seems extreme if someone legit did something like have their Caps on by mistake.

There are other things you can do in addition to repeat FAIL attempts. Various forms of CAPTCHA for example. Personally, I think the most effective is to block anonymous proxies.

Thank you all.
I am using wp here how would i go about creating a white list & doing a block anonymous proxies?

For WordPress I guess the easiest way would be to use (a) plugin(s).

Bad Behavior has both blacklist and whitelist, but “Last Updated: 2013-12-24”
It’s old and I haven’t tried it but there’s WP-Spamhaus

If those no longer work or are no longer supported I imagine more recent could be found with some searching.

& in the crazy case I didn’t want to use a plug in (which I probably will so long as it is safe)? .htaccess?

Yes. Just add

order allow,deny
deny from 91.200.14.72
allow from all 

or to block a range, you can use

order allow,deny
deny from 91.200.14.
allow from all 

(or just 91.200. - you get the idea.)

I’m also a big fan of letting the bad guys ban themselves: http://perishablepress.com/blackhole-bad-bots/

I didn’t check TB’s perishablepress link but it looks like a “honey pot” to take bad requests into a “sandbox” where they can try an infinite set of links and remain in the “sandbox” (away from your admin files). There are “honey pots” which have been around for some time (i.e., Google to find one which suits you).

I prefer TB’s method of adding a deny line in the .htaccess and have done that in an automated fashion on one website. Anyone entering what looks like a good directory (like WP’s admin - assuming that you’ve renamed the actual admin directory according to the installation directions) where ANY attempt to access the directory will cause the IP address to be captured and added to the DocumentRoot’s .htaccess (in another line in the allow,deny block as shown above).

Before going to any extreme like that, though, be SURE that you’re using a horridly complex (http://strongpasswordgenerator.com) password for every account with access to the WP manager (as well as your WHM/cPanel and FTP - telnet, too, if you allow it to be used despite all recommendations I’ve seen).

If you’re worried about someone having gotten in, search SitePoint for my article on a daily CRON comparing file hash values. Because they should NEVER change (unless you’ve patched/updated WP), any change or addition will highlight a probable malware addition to your code (meaning that you’ve got to check your database for additional ADMIN users AND DELETE all executable files – at least all .html, .js and .php files – THEN upload the ones from your MASTER set to restore your website quickly).

Regards,

DK
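
A minimal version of the daily hash comparison described in the post above, as an added example (it is not the code from the SitePoint article the post mentions). The function names, the baseline file and the command-line arguments are assumptions; keep the baseline somewhere the web server account cannot write.

```python
import hashlib
import json
import os
import sys

# File types the post names as executable; extend as needed (assumption).
WATCHED = (".php", ".js", ".html")

def hash_tree(root):
    """Map each watched file (path relative to root) to its SHA-256 digest."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WATCHED):
                continue
            path = os.path.join(folder, name)
            sha = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    sha.update(chunk)
            digests[os.path.relpath(path, root)] = sha.hexdigest()
    return digests

def compare(baseline, current):
    """Return the files added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }

def main(root, baseline_path):
    """First run records the baseline; later runs report drift (exit code 1)."""
    current = hash_tree(root)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as fh:
            json.dump(current, fh, indent=1)
        return 0
    with open(baseline_path) as fh:
        report = compare(json.load(fh), current)
    print(json.dumps(report, indent=1))
    return 1 if any(report.values()) else 0

if __name__ == "__main__":
    # Hypothetical cron usage: integrity.py /path/to/docroot /path/to/baseline.json
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

After a deliberate WordPress update, delete the baseline file so the next run records a fresh one.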

Personally I quit caring about this – we just use SSL and 2 factor auth. People are always going to bang on the door, especially well known public facing doors or architecturally flawed open source CMS products typically configured by amateurs.

Thank you all will follow up on all advice and suggestions
D

technobear if you have attempts for more than one ip can you do:

order allow,deny
deny from 91.200.14.
deny from 185.###.##
deny from etc...etc..
allow from all

or do I need commas or other delimiters?
thank you
D

If you’re using full IP addresses, you can just separate them with spaces:

order allow,deny
deny from 91.200.14.72 54.221.222.248 173.194.34.145
allow from all

I’m not sure if that works for partial IPs, but


deny from 91.200.14.
deny from 54.221.
deny from 173.194.34.

is definitely OK.

Hi TechnoBear just saw your reply. thank you.
however wonder if i am doing it wrong.
i grabbed the htaccess file
it already has this in it


# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

I added my code above the beginning # sign.
order allow, deny
deny from ##.###.###.###.
allow from ##.###.###.###.

soon as transferred it to wp, the site errored out.
Am I doing this wrong? a bit leery of messing w/the original code from wp in this touchy file.
thank you
D

The last line of your code should be “allow from all”, rather than an IP address. This brief guideline might help:

http://www.htaccess-guide.com/deny-visitors-by-ip-address/
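
A syntax check for the Order/Deny/Allow lines used in this thread, as an added example (not part of any post; the function name and the sample addresses are made up). It assumes the Apache 2.2-style directives shown above, where Order takes a single argument, so a space after the comma is a configuration error that makes a .htaccess file return a 500 error, and where `allow,deny` refuses any client that no Allow line matches.

```python
VALID_ORDER = {"allow,deny", "deny,allow", "mutual-failure"}

def lint_access_rules(text):
    """Return (line_number, message) pairs for Order/Deny/Allow problems.

    Covers only the Apache 2.2-style directives used in this thread.
    """
    problems, order, order_line, allows = [], None, 0, []
    for number, raw in enumerate(text.splitlines(), start=1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        directive, args = words[0].lower(), words[1:]
        if directive == "order":
            order_line = number
            if len(args) != 1:
                problems.append((number, "Order takes exactly one argument: "
                                         "write allow,deny with no space"))
            # Rejoin the pieces so the intended order can still be analysed.
            order = "".join(args).lower()
            if order not in VALID_ORDER:
                problems.append((number, f"unknown Order value {order!r}"))
        elif directive in ("deny", "allow"):
            if len(args) < 2 or args[0].lower() != "from":
                problems.append((number, f"{directive} needs 'from' and an address"))
            elif directive == "allow":
                allows += [a.lower() for a in args[1:]]
    if order == "allow,deny" and "all" not in allows:
        problems.append((order_line, "allow,deny refuses every client that no "
                                     "Allow line matches; add 'allow from all'"))
    return problems

# Constructed samples: the snippet that broke the site (redacted addresses
# replaced with documentation-range ones) and the corrected form.
BROKEN = """order allow, deny
deny from 203.0.113.7
allow from 198.51.100.20
"""
FIXED = """order allow,deny
deny from 203.0.113.7
allow from all
"""

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_access_rules(sample))
```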

Thank you & good morning
will try this one

Order deny,allow
Deny from all
Allow from 255.0.0.0

D

A follow up on the bit below. So it is only one htaccess per directory. am using wp. where should i put the new .htaccess w/the deny/allow ip info?

[previous]follow up on this. I was told you could stack .htaccess. more than one. went to add a new one to my wp and am not given that option, it looks like it wants. rename and/or overwrite…
How do i go about doing this please? [/previous]
thx
D

I think what was meant by

is that each folder can have its own. eg.
the top level directory contains directives for all files and folders in it
a sub-level folder can have additional rules that apply only to the files and folders inside it. etc.

ok thx Mittineague appreciate the advice.
D