
When I check my nginx access.log there are requests (GET request followed by POST) every two minutes on /wp-login.php.

Then I logged those POST requests (changing the login page to an empty page and saving the POST requests to a file). The requests contain login credentials, with the correct username and a wrong password. Those requests didn't stop even though the response is an empty page (it may be a script).

Then I denied that IP address in the nginx config. The next day, the same thing happened from a different IP (but the same country).

What's bugging me is how that client knows my admin username. Is it common for a WordPress site to be like that? Because it's my first time putting WordPress on a real server.

Mas Bagol
  • Yes, it's common. Just a botnet trying to break into every WordPress instance it can find. – Gerald Schneider Jan 02 '17 at 11:16
  • Well, you are probably using that admin username to create pages on the WordPress site - it is then quite easy to get the name of a user on the WordPress installation. Many use "Wordfence" to block those IP addresses in .htaccess. – Orphans Jan 02 '17 at 11:21
  • Do I need to block those IP addresses? Because those changed anyway – Mas Bagol Jan 02 '17 at 11:26
  • fail2ban addon could help maybe – yagmoth555 Jan 02 '17 at 13:01
  • Create a new admin user with a different name (e.g. "adminforexamplecom") that never posts anything publicly. Try the "Remove Author Pages" plugin as well. You can put the server behind CloudFlare, which can stop some attacks, but you'd need a firewall so that only CloudFlare and your own IPs can directly hit the server. – Tim Jan 02 '17 at 18:42
  • Here is a solution I'm trying to develop https://serverfault.com/questions/885863/stop-http-post-requests-with-nginx-before-hitting-wordpress-application-log-in-p – i_a Nov 29 '17 at 21:58

1 Answer

As those in the comments have stated, it is common. Likely those IPs originate from Western countries. Most of these unsophisticated brute-force attacks can be credited to bots or a botnet simply automated to try known usernames like admin, root, guest and their counterpart passwords.

A few methods you can implement to protect yourself are using fail2ban and configuring it to filter HTTP traffic. Use ipset to blacklist those IPs. It can always help if you report those IPs to AbuseIPDB to let others know of the misdoings. .htaccess and .htpasswd are good files to keep unwanted visitors away from certain files/directories. And if you feel like you want more protection, you can sign up for Cloudflare. And, as you are doing right now, always keep an eye on those access logs.

JShade01
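As an added example (not code from the question or the answer), a small Python script that does by hand what the answer suggests doing with fail2ban and ipset: it parses nginx access-log lines, flags source IPs that POST to /wp-login.php repeatedly within a short window, and emits the ipset commands to blacklist them. The log lines, IP addresses and the set name wp_bruteforce are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in nginx "combined" format (not real traffic).
# 203.0.113.5 shows the pattern from the question: a POST every two minutes.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jan/2017:11:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2017:11:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2017:11:02:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2017:11:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2017:11:04:02 +0000] "POST /wp-login.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jan/2017:11:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jan/2017:11:05:00 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# Only the fields we need: client IP, timestamp, method and request path.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')


def parse_line(line):
    """Return (ip, timestamp, method, path) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, m.group('method'), m.group('path')


def find_offenders(log_text, max_posts=3, window_seconds=600):
    """IPs that POST to /wp-login.php at least max_posts times inside any window_seconds span."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == 'POST' and path.split('?')[0] == '/wp-login.php':
            posts[ip].append(ts)
    offenders = set()
    for ip, times in posts.items():
        times.sort()
        # Sliding window: any max_posts consecutive POSTs closer together than the window.
        for i in range(len(times) - max_posts + 1):
            if (times[i + max_posts - 1] - times[i]).total_seconds() <= window_seconds:
                offenders.add(ip)
                break
    return offenders


def ipset_commands(offenders, setname='wp_bruteforce'):
    """Commands to add offenders to an existing set (create it first: ipset create <set> hash:ip)."""
    return ['ipset add %s %s' % (setname, ip) for ip in sorted(offenders)]


if __name__ == '__main__':
    print('\n'.join(ipset_commands(find_offenders(SAMPLE_LOG))))
```

An iptables rule matching the set (for example with `-m set --match-set wp_bruteforce src -j DROP`) then drops the traffic, which is what a fail2ban jail automates against the live log.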