Are these access.log entries successful wordpress login attempts?
I am hosting some wordpress sites on an apache 2.4 webserver, and I have discovered thousands of entries in my server logs like this:
221.219.219.248 - - [09/Mar/2015:03:29:25 +1300] "GET /example.com/wp-login.php HTTP/1.1" 200 6656 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 221.219.219.248 - - [09/Mar/2015:03:29:26 +1300] "POST /wp-login.php HTTP/1.1" 302 644 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 162.144.120.185 - - [13/Mar/2015:07:19:18 +1300] "POST /wp-login.php HTTP/1.0" 302 608 "-" "-" In these cases the server is giving a 302 response, which looks to me like wordpress is redirecting them back to the login page, which indicates a failed login attempt. then I saw entries like this
78.7.148.218 - - [14/Mar/2015:06:42:31 +1300] "POST /wp-login.php HTTP/1.1" 200 1695 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0" where the HTTP response is a 200 . Did the brute force login attempts obtain passwords and are these actual successful logins?
1 Answer 1
First of all, here is how it’s handled by default when you visit the login page and try to log in:
POST /wp-login.php [invalid credentials] -> 200 POST /wp-login.php [valid credentials] -> 302 So it’s the other way around than what you assumed. 302 means valid credentials (redirect to admin area), while invalid credentials result in 200 (stay on login page).
There are however various ways you can achieve a 302 without passing valid credentials. For example, you could add a POST field containing action=postpass , which would result in a cookie being set, and wp_safe_redirect (which by default uses 302) being called with the referer that was passed.
There are a lot of other actions that would result in a 302, for example action=register .
So while I can’t say for sure that there were no successful bruteforce attempts, it could very well be that those 302 attackers are just scanning your website to check if your registration is open (possibly to register and then try to escalate their privileges). It could also be that their bruteforce tool is misconfigured.
Как избавиться от ошибок admin?attempt=1 и wp-login.php?action=postpass?
Здравствуйте! У меня две проблемы сразу и обе они связаны с ошибкой при авторизации. Есть сайт на WordPress, хостинг провайдер Reg.ru. Так вот, первая ошибка возникает тогда когда я захожу на сайт и в адресную строку дописываю /admin. Жму enter и мне автоматом подставляет к /admin вот это ?attempt=1 и получается /admin?attempt=1. Что это значит? По какой причине такое может возникать? Самое интересное что эта ошибка появляется через раз. То есть после того как мне дописывает ?attempt=1. Я просто стираю всё кроме домена и снова ввожу /admin и всё нормально. Теперь по поводу второй ошибки. На том же сайте есть страница, доступ к которой возможен только после ввода пароля(для этого я использовал стандартный функционал WordPress). Так вот, я захожу на эту страницу, ввожу пароль, жму кнопку войти и меня перекидывает на эту страницу wp-login.php?action=postpass. То есть в отличие от первой ошибки, эта возникает уже после ввода пароля. Но эта ошибки как и первая возникает через раз. Я гуглил эту проблему и на официальном форуме нашёл вот такой скрипт который по словам человека с форума нужно вставить в файл functions.php
add_filter(‘allowed_redirect_hosts’, ‘amend_redirect_hosts’, 10, 2); function amend_redirect_hosts($allowed_hosts, $this_host)
Но после того как я его вставляю, ломается весь сайт. Должен отметить что этот же сайт есть и на другом хостинге, а именно на BeGet. И там таких проблем нет. То есть ни первая, ни вторая ошибка там не возникает. Правда на Бегете не точная копия этого сайта, а более старая версия. Поэтому я не могу точно сказать что виноват хостинг. Помогите пожалуйста. Буду рад любой помощи! Спасибо за внимание!
How to protect WordPress wp-admin and wp-login.php attempts
It is better to protect WordPress Admin to save your blog from invalid login attempts and gives an extra layer of security.
In this article, we will show you a step by step guide on how to password protect your WordPress admin (wp-admin) directory. It will prevent your WordPress blog from unauthorised wp-admin and login attempts. So let’s start.
How to protect WordPress wp-admin and wp-login.php attempts
1. Login to your Cpanel and click on Password protected Directories under Security section.
2. Select your document root directory and click go. On next screen Click on wp-admin directory name.
3. Check the box ‘Password protect this directory’. Give the name to the directory and click save.
Your wp-admin directory is now password protected. Click on Go back button from next screen this will redirect you to the previous screen. Now we will create the user for this directory.
4. For this, Enter User Name and Password and click on ‘Add or Modify the Authorised User button’. You can use Password generator for strong password.
Now when you try to access your wp-admin directory, you should see an authentication required box. If you have redirect loop instead of authenticated box. Put the following lines in the .htaccess file just before the “# BEGIN WordPress” tag.
ErrorDocument 401 default ErrorDocument 403 default
5. Now go to file manager>>wp-admin>>.htaccess. Now we provide the access to admin-ajax file which will necessary for some plugins to work efficiently. Put the following code in the .htaccess file of wp-admin folder.
# Allow plugin access to admin-ajax.php around password protectionOrder allow,deny Allow from all Satisfy any
6. Copy the following code from “/public_html/wp-admin/.htaccess” file.
AuthType Basic AuthName "Secure Dir" AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd" require valid-user
7. and paste it in the “/public_html/.htaccess” file between the ‘FilesMatch’.
AuthType Basic AuthName "Secure Dir" AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd" require valid-user
8. Now click on save changes and all done. Try to login on WordPress Admin Dashboard and you will get Security Authenticated Box.
Now Both your .htaccess files should look like:
/public_html/.htaccess
ErrorDocument 401 default ErrorDocument 403 defaultAuthType Basic AuthName "Secure Dir" AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd" require valid-user
/public_html/wp-admin/.htaccess
# Allow plugin access to admin-ajax.php around password protection Order allow,deny Allow from all Satisfy any AuthType Basic AuthName "Secure Dir" AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd" require valid-user
Now your WordPress Admin login has an extra layer of security and it prevents unauthorised login attempts. When someone tries to login to your dashboard he has to pass valid authentication. If the user enters invalid credentials he will get Authorisation required error.