Just got notifications of several log in attempts to my site as admin

[ravenazrael]

I am getting a lot of notifications from these spammers
192.99.154.24
77.247.181.162

they are using TOR.. what should I do.. SO far 50 trials with different IPs all appear as blocked by google

[jscott]

are they hitting your login.php page (wordpress) or some other login page? You can ask your host to password protect that login page.

[mikesouth]

I get them at least once a day I cant protect my login page because I have members that comment and that wouldnt really be conducive The first thing you want to do is make sure that if the admin account exists it doesnt have admin privileges just ordinary ones that way if they do manage to brute force it it doesnt get them anything if you have wordpress by all means run wordfence.

there are some php and some apache stuff to weed out some proxies...google it


if ya need more help hit me up via email

[Paz]

You can get a list of tor IP's here and block them;
https://check.torproject.org/cgi-bin/TorBulkExitList.py

The list is very dynamic though I pull a fresh my list every 15 mins.

[klinton]

use wordpress plugins, like: captcha on wp-login and bruteprotect

[JuicyBunny]

Quote:

Originally Posted by ravenazrael

I am getting a lot of notifications from these spammers
192.99.154.24
77.247.181.162

they are using TOR.. what should I do.. SO far 50 trials with different IPs all appear as blocked by google

Familiar IPs. We get a lot from UA, CN, KR, HK and ID cause of the content.
Get Word-Fence plug in or Fail2Ban

Got our first from a TOR exit IP recently as well.

[ravenazrael]

Hellog guys, thanks. I already have wordfence. Good idea about the admin privileges.
Mike, I will be contacting for sure if I need more guidance! thanks!!

I used to get one or two every dat, but yesterday 50 different Ips (each was lock oit after 20 attempts) really made me wonder was going on

[freecartoonporn]

rename login.php to somethign else.,

[suesheboy]

Quote:

Originally Posted by freecartoonporn

rename login.php to somethign else.,

Step 1 is this.

Never use defaults is always step 1 on an install, step 2 is to keep records of what you change them to.

[NaughtyVisions]

I use wordfence and the user locker plugin. User Locker automatically locks an account with too many failed login attempts, and it can't be restored unless another administrator removes the lock.

Plus you can manually lock accounts, so the first thing I do is create "admin" to set up my wordpress, then create a different user name with administrator privileges; log into the new account, and lock and disable "admin."

[Rob]

Quote:

Originally Posted by freecartoonporn

rename login.php to somethign else.,

This. Bury that mother fucker deep into some sub-directory. 99% of the time they don't do this shit manually. They search for defaults and go from there. If your login.php is located somewhere else, or you don't even have an admin directory, they'll go somewhere else.

[wehateporn]

[candyflip]

I manage a blog for someone who creates Paleo cookbooks and is a NYT Best Seller. The blog gets about 75-100k visitors on any given day.

I use WordFence and get notifications when people attempt to login. It happens all day long, 24/7.

[anexsia]

I only allow my IP through to wp-login.php and deny everyone else so they can't even see the page let alone attempt to bruteforce.