Could These Failed Login Attempts Be Fake?

So you just launched your website and installed Limit Login Attempts Reloaded, and almost immediately you are bombarded with failed login attempts. How can this be, since nobody knows about your website yet? How did the brute force bots find out so fast?

First off, it’s important to understand that hackers will find more success targeting new website owners as opposed to existing ones. New website owners often use weak passwords, and are not proactive when it comes to web security best practices. This is why so many hosting companies install Limit Login Attempts Reloaded as a default plugin, because it provides protection right out of the box. 

New WordPress Installs

Users often reach out to us because their website is receiving brute force attacks before it is even live! How do hackers know about your website this early?

  • Shared IP Addresses: Most websites are hosted on a shared IP address. What this means is that your website and several others share the same space on a server, and it’s likely that those sites are experiencing brute force attacks already. When a new site is created on a shared IP address, the brute force bots can immediately detect it and start attacking.
  • New Domain Name: When a new domain is created, it is logged in the WHOIS database, which is accessible to the public. Hackers often crawl this database for new targets.
  • New IP Addresses: There’s no such thing anymore as “New IPs”. Most IP addresses have been used and reused many times. When an IP address becomes active again, it’s automatically added to the brute force script to attack.

My Google Analytics Report Doesn’t Show Any Visitors

Your analytics report doesn’t show any visitors so how are there hundreds of failed login attempts each day?

Google Analytics does not show bot and spider traffic on your traffic reports! According to their documents, you are unable to view or enable tracking of these stats. The reality is that there could be a significant amount of bot traffic on your website at any given time, especially if you are using shared hosting that is already being targeted by brute force bots. You need to analyze your raw web logs. They will contain all requests to your web server. Contact your web hosting provider to find out how to get them.
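As an added example (not part of the plugin or of the original article), the Python script below counts POST requests to wp-login.php and xmlrpc.php per client IP in a raw access log, which is the traffic Google Analytics never shows. It assumes the Apache/Nginx "combined" log format; the sample lines, function names and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Login endpoints named in this article (suffix match also covers subdirectory installs).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Assumed format: Apache/Nginx "combined" access log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation IP ranges; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2024:10:03:00 +0000] "GET /hello-world/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
this line is truncated or malformed
"""


def login_posts(lines):
    """Yield (ip, path, status) for every POST to a login endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] == "POST" and path.endswith(LOGIN_PATHS):
            yield m["ip"], path, int(m["status"])


def attempts_by_ip(lines):
    """Count login POSTs per client IP."""
    return Counter(ip for ip, _, _ in login_posts(lines))


def noisy_ips(lines, threshold=3):
    """Return the IPs with at least `threshold` login POSTs (threshold is an assumption)."""
    return sorted(ip for ip, n in attempts_by_ip(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, count in attempts_by_ip(lines).most_common():
        print(f"{ip}\t{count} login POSTs")
    print("over threshold:", noisy_ips(lines))
```

To run it on a real log, pass an open file handle for the access log your host provides in place of `SAMPLE_LOG.splitlines()`.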

Failed Login Attempts Immediately After Installing The Plugin

Some users feel that it’s ironic that they are getting attacked as soon as they install the plugin. We often hear that it’s a “ploy” to get them signed up for our premium service. The reality is that there have likely been failed login attempts prior to installing the plugin, but they are only now becoming apparent.

Failed Login Attempts After Blocking an IP Address

It’s common to see blocked IPs making login attempts. They are not a threat, and will fail. To stop a malicious login attempt completely, you would need to filter all traffic that goes to your website before it hits your WordPress installation. This is only possible when you use an extra layer of software called a “reverse proxy”.

With a reverse proxy, all requests to your site, including login attempts, first hit that proxy, and if the proxy is smart enough, it will deny the bad requests and allow the good ones. Then the good requests will hit your website.

To learn more about reverse proxies, we recommend checking out this article 

Failed Login Attempts From Localhost

In some cases, the localhost is not detecting IP addresses properly. In such a case, have your hosting administrator fix the server settings.  

Server Misconfiguration or Conflicting Plugins

In rare cases, a website can receive false attacks due to a conflict with another plugin or settings on your server. Reach out to your hosting administrator if this is the case.

Htaccess rules are not working or helping

Some web hosting environments provide a way to make changes to your htaccess file. This file allows you to override or extend web server settings. Most users don’t know how to use this file properly, and it does require a solid understanding of how the syntax used in that file works. If you are having difficulties specifically with htaccess rules, we would need to see the contents of your htaccess file and know which login pages you are using besides the main ones, which are wp-login.php and xmlrpc.php.

Neither our free nor our premium plugin uses htaccess to block IPs. We make it impossible for the attacker to successfully log in after their login attempt has been determined dangerous by our system.
The free plugin stores IP information in the site’s DB, and the premium version stores it in our cloud. The premium version allows sharing those IPs (in addition to a lot of other features) with other users on the network and your own multiple accounts.

If you still have questions about fictitious login attempts on your server, you may ask a question in our free support forum. If you are a premium customer, you can email us directly.