Blog > Cyber Security / Guides > Fake Login Attempts In WordPress: What Are They?

Fake Login Attempts In WordPress: What Are They?

Discover the difference between fake and legitimate login attempts on your WordPress website.

| November 4, 2022 | 7 Min Read

So you just launched your WordPress website and installed a brute force protection plugin such as Limit Login Attempts Reloaded, and almost immediately, you are bombarded with failed login attempts. How can this be since nobody knows about your website yet? How did the brute force bots find out so fast? Are these login attempts fake? In this article, we'll not only better understand what a fake login attempt is, but how easily your WordPress website can be discovered by hackers.

What Is A Fake Login Attempt?

To begin with, let's establish the concept of a "fake" login attempt. Such an attempt occurs when an individual or program attempts to login to your website with the purpose of creating the illusion that a genuine login is being pursued, aiming to prompt the site owner to take specific actions. These actions may include purchasing unnecessary software or making alterations to the website that could potentially compromise other aspects of its functionality. It's important to note that a fake login attempt differs from brute force attacks, where the intention is to maliciously break into the website with the goal of causing harm.

How Can I Check If A Login Attempt Is Fake?

Some users feel that it’s impossible to receive so many failed login attempts, especially since they’re site was just created or they are a small business with little traffic. While we can't promise that all security plugins are ethical, it's very unlikely they would generate fake login attempts to sell premium services. Plugins must follow strict guidelines to be able to participate in the WordPress plugin repository and wouldn't risk losing this.

There are times when you’ll have friendly programs or even human users that will be the cause of failed login attempt notifications. An easy way to check if the attack isn't fake is to copy the IP address from the lockout notification or IP logs, and look up the IP. Enter in the IP address to see if you recognize the location.

If It Isn't Fake, How Is My Website Being Found?

While your website may be subjected to random targeting, the root cause of its discovery likely lies in its source. In this segment, we'll explore various methods through which hackers can locate your website. Here are 6 common ways brute force bots can find your website.

#1 - New WordPress Installs

  • Shared IP Addresses: The majority of websites are hosted on a shared IP address. This implies that your website, along with several others, occupies the same server space. It's probable that those sites are already encountering brute force attacks. When a new site is established on a shared IP address, brute force bots can promptly identify it and initiate attacks.
  • New Domain name: Upon the creation of a new domain, its information is recorded in the WHOIS database, which is openly accessible to the public. Frequently, hackers will scan this database to identify new targets.
  • New IP Addresses:  The concept of "New IPs" no longer exists. The majority of IPV4 addresses have been utilized and recycled multiple times. When an IP address becomes active once more, it is automatically included in the brute force script for potential attacks.

#2 - My Google Analytics Report Doesn't Show Any Visitors

Despite your analytics report indicating no visitors, why are there hundreds of failed login attempts daily?

Google Analytics doesn't display bot and spider traffic in your traffic reports. According to their documentation, tracking or viewing these statistics is not possible. The truth is, there might be a substantial volume of bot traffic on your website at any given moment, particularly if you're using shared hosting that's already under attack by brute force bots. To gain insight, analyze your raw web logs, which encompass all requests to your web server. Contact your web hosting provider to learn how to obtain them.

Success Stories

Hundreds of Agencies Across The World Use LLAR

#3 - Failed Login Attempts Immediately After Installing A Security Plugin

Certain users find it ironic that they face attacks immediately after installing the plugin. There is a perception that it might be a "ploy" to encourage them to pay for added protection. In reality, there probably were failed login attempts before installing the plugin, but they are only now becoming apparent.

#4 - Failed Login Attempts From Localhost

In certain instances, the localhost may fail to detect IP addresses accurately. If this occurs, it is advisable to request your hosting administrator to address and correct the server settings.

#5 - Server Misconfiguration or Conflicting Plugins

In rare cases, a website can receive false attacks due to another plugin conflict or settings on your server. Reach out to your hosting administrator if this is the case. 

#6 - htaccess rules are not working or helping

Certain web hosting environments offer the capability to modify your htaccess file. However, many users lack proper knowledge of how to use this file, as it requires a solid understanding of the syntax employed. If you encounter challenges, especially with htaccess rules, we would require access to the contents of your htaccess file. Additionally, it's essential to know which login pages you are using, aside from the main ones, namely: wp-login.php and xmplrpc.php.


In summary, the experience of launching a WordPress website and promptly facing a barrage of failed login attempts, even when the site is relatively unknown, can be confusing. We shed light on the distinction between fake login attempts, driven by deceptive intentions, and brute force attacks, which aim to infiltrate websites for malicious purposes. It emphasizes the importance of scrutinizing login attempts and provides a practical tip to verify the authenticity of these attacks by checking the IP address against recognizable locations. While acknowledging the potential skepticism, reputable security plugins adhere to strict guidelines and wouldn't jeopardize their integrity for the sake of selling premium services.

Frequently Asked Questions

What distinguishes fake login attempts from brute force attacks in WordPress security?

Distinguishing between fake login attempts and brute force attacks lies in their intent. Fake login attempts are crafted to deceive and create the illusion of genuine login pursuits, while brute force attacks are authentic and designed with the clear intention to infiltrate and cause harm.

How can I determine if a login attempt is not fake and poses a genuine security threat?

A straightforward method to verify the authenticity of the attack is to copy the IP address from the lockout notification or IP logs and perform an IP lookup.

Why am I experiencing numerous failed login attempts on my newly launched WordPress website?

There are many reasons why you could experience failed login attempts on your newly launched WordPress website. The most common reasons are shared hosting, public domain databases, and new server IPs.

About the Author

Greg Fisher is the CMO and co-founder of Limit Login Attempts Reloaded, spearheading the company’s content and user acquisition.