Handling WordPress failed login attempts on your site

Last updated on April 14th, 2021 by Robert Abela. Filed under WordPress Security

Featured image *Handling WordPress failed logins*

Many alarm themselves when they notice WordPress failed login attempts on their websites. On the other hand, security and tech-savvy people do not bother much about failed login attempts.  After all, every website will get its fair share of bot traffic and dictionary attacks.

Does your WordPress website receive a lot of failed login attempts? This article explains why your WordPress gets such attacks and what you should do about them. It also suggests a number of recommendations to help you improve the security of your website’s login pages.

You notice too many failed login attempts on your WordPress

Those who install an activity log plugin for WordPress on their website are typically surprised by the number of failed login attempts their websites get. So much so that many actually think that as such there is something wrong with the activity log plugin. To highlight this, here is an abstract from the WP Activity Log plugin support forum:

Does this plugin really work?

The activity log shows my site gets so many failed log attempts from various countries like Ukraine, Russia, Vietnam, China etc. almost every day. I am not sure why so many people want to hack my small site. It doesn’t even have much content and I don’t even make any profit from my site as I don’t have any ads or anything. So why my site gets so many failed log attempts? Today some random person from Ukraine tried 10+ times to access my partner’s and my account. I am not sure this plugin really works, or it just generates some false alarms or something.

What the plugin reported were not false alarms. If you install a WordPress activity log plugin on your websites you will see the same activity, even if your website is not popular.

Why are hackers targeting your website?

The majority of attack attempts on your WordPress are not targeted specifically at your website. They are automated bots trying to guess your users’ passwords. Their goal is to find WordPress websites with weak credentials. TIP: enforce strong WordPress password policies.

Your WordPress website is the recipient of such attacks because it is online. It has nothing to do with how popular or not your website is. In fact even non WordPress websites receive such type of requests. Bots just send requests to any responding domain and do not differentiate between WordPress and non WordPress websites. However, typically WordPress websites are targeted because WordPress does not limit the number of login attempts.

Do failed login attempts impact your website’s performance?

The day to day random attacks your website receives do not affect your website’s performance. Only targeted brute force and dictionary attacks can consume an abnormal amount of bandwidth, and very often they lead to a Denial of Service. In such cases, which are not common, there is not much you can do – your web hosting provider needs to take care of such an issue.

What are the risks of too many failed login attempts?

As long as you use strong WordPress passwords, there are no security risks. However, you should consider blocking WordPress users after a number of failed login attempts, as a security precaution. By doing this, you are actually eliminating the chances of an attacker guessing the password of some of your WordPress users. Another best practice is to keep a failed logins history on WordPress, so you can be informed well in advance and act accordingly in case there are suspicious failed login attempts on your site.

Should I block offending IP addresses?

One commonly suggested remediation for thwarting failed login attacks on your WordPress is to block the offending IP addresses. Unless your website is a target of a brute force attack, it is not recommended going down that route. Attackers can easily bypass such blockage and change the IP addresses, so you’ll end up in a cat and mouse game.

Start with the basics – use strong credentials, enable 2FA and follow best practices

Like almost in everything else, start by addressing the basics. Avoid using common usernames such as admin, root, or your first name. Use a combination of letters and numbers for your usernames. For your passwords, use a combination of letters, numbers and special characters. Here are some tips on what makes a strong WordPress password. You should also consider the following:

Improve the security of your WordPress login pages

  1. Only access your WordPress login page over HTTPS, otherwise it is very easy for the attackers to hack the WordPress username and password,
  2. Implement two-factor authentication (2FA)
  3. Put the WordPress login page behind HTTP authentication (this is only practical if a small number of users log in to your website)

Help users keep their WordPress website secure

The security of your WordPress website is only as strong as the users’ password. Don’t rely on your website’s users ability to keep their user account secure. Always:

  1. Enforce strong WordPress password policies
  2. Block WordPress users which have too many failed login attempts

Bonus WordPress login page security tip

If you always access the WordPress dashboard from the same IP address, restrict access to the login page to your IP address only. For more information on how to restrict access to a specific IP address or how to enable HTTP authentication refer to our definitive guide to htaccess and WordPress.

12 comments

John 07/02/2020

Basically if you have a strong password (at least 15 characters long), and change it once a year, you should be fine. I get hundreds of failed login attempts every day, so I just change my password often and don’t even look at the audit trail anymore…

Robert Abela 13/02/2020

Very good point John. Indeed, if you use a strong password and 2FA you should be sorted. But you would still need to review the activity logs from time to time, just ignore the failed logins 🙂

Mike Moy 08/04/2020

Not good, not good.

-Even though failed WordPress logins bear no security risks, in response to this statement, no that absolutely incorrect. You have to realize that every failed login attempt is one step closer for an attacker achieving a successful brute force attack. The times they can get to try different passwords the better change an attacker has.

Should I block offending IP addresses – yes absolutely you should block offending IP addresses for a pre-determined amount of time if not permanently. If hacker is having to change their IP address constantly it will make your site less appealing for a hacker to put in effort compared to a site that does not block IP addresses.

Also you should be logging IP addresses for repeat offenders. Display an onscreen message informing them that their IP address has been logged. Use it as a deterrent. Report it to the relevant authorities and their internet service provider if known.

Also if hackers are using a particular username to try brute force attack access then block that account from accessing your site for let’s say 20 minutes every time they fail to log in 5 times in a row. Track number of failed login in attempts per username. Again if a Hacker is only able to try 5 passwords every 20 minutes it will act as a deterrent. Hackers want to be using thousands of passwords per hour to make an effective brute force attack.

-Avoid using common usernames such as admin, root, or your first name, in response to this statement you should be aware that if you make blog posts with your account on your wordpress website anyone can get your username. So if you are making blog posts you should be doing it with an account that has very limited permissions, that way if that account does get hacked damage limitation will be in place. You don’t want you account with admin privileges getting hacked. Don’t blog post with a high level account it takes about 2 seconds just by reading through the page code in the browser it will not matter what you changed your username to.

Also plugins are not good for security, they are one of the biggest vulnerabilities on wordpress. Plugins contain code that you did not write. Plugins can contain vulnerable code. If you use plugins you are completely relent on the plugin owner/developer to ensure that the plugin code is kept up to date and that there are no new security issues with their code. The less plugins the better.

Protect your data and protect your website members/users data. Restrict file and folder access as much as possible. If a user does not need access to certain directories on your server then restrict access. Log onto your server and check what permissions you have set for the various directories and files on your server. Start by making sure that users don’t have access to your wp-config.php file, it contains your database username and password. You don’t want people being able to log into your database, or they will have access to every single user account on your website including yours. I’m probably gone a bit off script here but you get the idea.

Website security is a layered approach, you should not be relying on a single fail point i.e. just use a strong password and you are good. Don’t be an idiot.

Robert Abela 15/04/2020

Thank you for your comment Mike.

I do agree with you that one should not use common usernames (such as admin and root), however, blocking IP addresses and doing all that work (like keeping a record of repeating offenders) is like playing a never ending cat and mouse game. Unless your website is targeted by a large scale brute force attack, you should not go down that route.

Also, saying that the plugins “are one of the biggest vulnerabilities in WordPress” and that they “contain code that they did not right” is untrue, very misleading and sensationalism. Quite frankly, all of the software you use to host your website (the Apache web server, the operating system it is running on, the countless services that make up the web server) and WordPress itself were not written by you.

We should try to be more constructive and realistic when talking about security etc. Pointing fingers and saying “everything is wrong / bad / insecure” is counter productive and won’t lead us forward.

My 2c.

Mike 27/04/2020

@Robert Abela

I didn’t say “everything is wrong / bad / insecure”. Instead I actually gave specific examples of insecurities and advice for how to avoid those specific insecurities as I felt there was some mis-information on the page.

You state that because WordPress and Apache software is considered secure we should also consider wordpress plugins secure. They are not the same, the difference is WordPress and Apache software is well established and has been tried and tested on millions of installations over many many years. Where as wordpress plugins are not by default, for example a guy with 2 weeks coding experience could create a wordpress plugin riddled with security issues and publish it for anyone to download and install. This coupled with the fact that a plugin might not get necessary updates is why wordpress plugins are one of the biggest security risks. Sure there are many great wordpress plugins out there that have well written code but there are also many security vulnerable plugins. Because WordPress and Apache software is secure does not mean that a wordpress plugin is secure.
I do not agree that it is a cat and mouse game with regards to blocking IP addresses, if you not problematically blocking then you are allowing hackers to execute brute force attacks or denial of service attacks. One hacker could guess thousands of login passwords in a single day. I would be taking the logic that if an IP address has 50 failed login attempts in a single day that they should be banned as they are clearly not genuine, as a genuine user would have used the ‘forgot password’ mechanism after a few failed attempts.
Netflix and Amazon Prime block certain IP addresses also on their platforms for licencing purposes, they don’t see it as a cat and mouse game. Please explain your logic as to why you are advising people not to block IP address ?

Robert Abela 29/04/2020

Thanks for your response @Mike.

1) I never said that because WordPress and Apache are considered secure we should also consider WordPress plugins secure. I said that saying (quoting you) “Also plugins are not good for security, they are one of the biggest vulnerabilities on wordpress. Plugins contain code that you did not write.” is very misleading. The world is not black and white, but there are many shades of colours in between. And the same applies here, like in everything else. So we could be more accurate by saying “There are many good and well maintained plugins, but there are also many unmaintained and potentially vulnerable plugins. So not to jeopardize the security of your website always use a well maintained, reliable plugin.”

2) Comparing a WordPress website (of any size) to Netflix and Amazon is like comparing oranges to apples. Most WordPress site owners do not have the same resources and infrastructure to do that. And someone abusing a license (resulting in loss of money) is different than an IP generating failed logins. The same to what I said in regards to plugins applies here, there is no good or bad here. Trying to keep a record of offending IPs is a cat and mouse game. However, if you do notice that some IPs are in fact generating a high number of failed logins, then speak to the web host and they will take care of it. Addressing this problem at WordPress level is very inefficient. It is time consuming and resource hungry.

Typonaut 30/07/2020

I agree with Mike. If you are getting repeated login attempts then you should block the IP addresses and report the issue to the ISP concerned. The reason you should do this is, as Mike suggests, because this is just a symptom of a bigger attack. Although you might only get a few attempts from a particular IP (typically I am seeing three at a time), these aggregate over time (where the same IP address does the same thing, over an extended period of time) and between different IP addresses.

So, multiple attempts from multiple IP addresses add-up to a distributed brute-force attack over time.

Robert says you don’t want to spend the time tracking all those IP addresses and individually banning them. But you don’t have to. Use an automated process to block the bot at the device’s firewall. For example, using fail2ban to scan your server logs will automatically ban IP addresses (after a certain number of attempts – which you can set) for a period you can determine, and report the incident to the ISP.

Robert Abela 31/07/2020

I am not saying one should not report any IP addresses at all. The way these things should be dealt with is on a case by case basis. My point was that you will always get a handful of failed logins on a daily basis on your site, and the more popular it becomes, the more you will get. It is not worth trying to block the IP addresses that generate such a small amount of failed logins. However, one should use a sort of online CDN / firewall service that helps in mitigating this issue.

Oscar Blanco 25/05/2021

I have a question.
Since my sites were all killed a week ago. After the backup. I changed all their passwords to longer more complex and randomized character strings.
But not only that, I also upped the site’s security, with firewalls.

And then I did something else.
I had an epiphany (or so I think), and since I access my sites via a Cpanel (don’t use the login page on each side), I decided to hide the actual wp-login.php files under another name and replaced them on each side with a fake one, that has every link changed to “#”, including the “Log in” button.

So a bot accessing /wp-admin will get sent to that fake page, and then, NOTHING should happen.

Nevertheless, I have started getting failed login attempts warning from one of the plugins I have installed on those sites (Limit Login Attempts Reloaded).

My question is, or rather are:

How is that even possible???
Can bots actually find the correct file even if it has a different name?
Should I try deleting the files completely?
Is there a possibility that the actual “attacks” are generated by a company that wants to scare me into getting their “premium” security plugin version?

I’m very confused and paranoid now.

Thanks for any feedback on this (btw, I’m not a technical guy, rather a basic WordPress user).

Robert Abela 26/05/2021

Thank you for your comment Oscar. I would definitely eliminate the probability that a security company is generating such attacks. There are many other easier ways how to promote products, that is too much of a hassle!

I do not know how you “replaced the wp-login.php file” but you cannot simply rename the file. You should use a plugin to do that. Alternatively, you can also add HTTP authentication in front of your WordPress login page. This is practical if you have a very small team of people. It’s like adding an additional layer of authentication in front of your WordPress login page. I hope that helps.

Prince Dubey 03/06/2021

I have installed a plugin called login attempts, and also installed sucuri and they are showing me every day 8 thousand login attempts are going on my website. I am I want to know if there is any option to stop this.

Radostin Angelov 07/06/2021

Hi Prince,

Thanks for reaching out!

The first thing you should check is if the failed login attempts are happening on an existing user account. If that’s the case, you should make sure that the users are using strong passwords and have 2FA enabled.

If the failed logins attempts are coming through randomly (using generic / non-existent usernames) I wouldn’t worry much about them.

In case the attempts are too many, and they start affecting the performance of your website, you can try blocking the IP addresses in order to reduce the volume. However, you should note that the attackers can easily change their IP, meaning that they can easily bypass the blocking. In this case, the best thing you can do is to talk to your web host.

I hope the above information is of assistance to you.

Best wishes,
Rado

Leave a Reply

Your email address will not be published. Required fields are marked *

Our other plugins