Could These Failed Login Attempts Be Fake?

So you just launched your website and installed Limit Login Attempts Reloaded. And almost immediately, you are bombarded with failed login attempts. How can this be? Since nobody knows about your website yet, how did the brute force bots find out so fast?

First off, it’s important to understand that hackers will find more success targeting new website owners opposed to existing ones. New website owners often use weak passwords, and are not proactive when it comes to web security best practices. This is why so many hosting companies install Limit Login Attempts Reloaded as a default plugin because it provides protection right out of the box. 

New WordPress Installs

It’s often we have users reach out to us because their website is receiving brute force attacks and they are not even live! How do hackers know about your website this early?

  • Shared IP Addresses: Most websites are hosted on a shared IP address. What this means is that your website and several others share the same space on a server, and it’s likely that those sites are experiencing brute force attacks already. When a new site is created on a shared IP address, the brute force bots can immediately detect and start attacking. 
  • New Domain name: When a new domain is created, it is logged in the WHOIS database, which is accessible to the public. It’s often that hackers will crawl this database for new targets. 
  • New IP Addresses:  There’s no such thing anymore as “New IPs”. Most IP addresses have been used and reused many times. When an IP address becomes active again, it’s automatically added to the brute force script to attack.

Failed Login Attempts Immediately After Installing The Plugin

Some users feel that it’s ironic that they are getting attacked as soon as they install the plugin. It’s often to hear that it’s a „ploy“ to get them signed up to our premium service. The reality is that there has likely been failed login attempts prior to installing the plugin, but they are just becoming apparent.

Failed Login Attempts After Blocking an IP Address

It’s common to see blocked IP’s making login attempts. They are not a threat, and will fail. To stop a malicious login attempt completely, you would need to filter all traffic that goes to your website before it hits your WordPress installation. This is only possible when you use an extra level of software called “reverse proxy”.

With reverse proxy, all requests to your site including login attempts first hit that proxy, and if the proxy is smart enough, it will deny the bad requests and allow the good ones. Then the good requests will hit your website.

To learn more about reverse proxies, we recommend checking out this article 

Failed Login Attempts From Localhost

In some cases, the localhost is not detecting IP addresses properly. In such a case, have your hosting administrator fix the server settings.  

Server Misconfiguration or Conflicting Plugins

In rare cases, a website can receive false attacks due to another plugin conflict or settings on your server. Reach out to your hosting administrator if this is the case. 

If you still have questions about fictitious login attempts on your server, you may ask a question in our free support forum. If you are a premium customer, you can email us directly.