What does it mean when there are many POST requests to /wp-login.php in Apache logs?

15

3

The messages are directed toward the WordPress site on my server. These are coming from the access_log, and I don't know if this should worry me or not.

There are well over a hundred lines of the same message spanning over a few seconds each time. If you don't know what I mean, here are the logs:

108.162.216.73 - - [22/Oct/2014:21:54:49 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:49 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:49 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:49 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:52 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:52 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:52 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:52 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"

I just did a count for all instances of these two IP addresses, and it was accessed at least 100,000 times since the 22nd.

travis

Posted 2014-10-26T19:18:07.570

Reputation: 153

Answers

30

Someone is trying to brute-force your login page. HTTP POST requests are used for HTML form data, which in the case of a wp-login.php page will likely be the username/password form.

For WordPress specifically, you should read this wiki page, which mentions a number of useful steps to take and protect your instance, such as:

  • not using the admin username
  • picking a strong password
  • using plugins to restrict login attempts at WordPress, Apache or server level
  • htpasswd-protecting the page (with the help of a generator)

In any case, setting up fail2ban is something you should definitely consider. It will restrict the number of times a certain IP may try to log into your machine (e.g. over FTP, SSH, etc.).

slhck

Posted 2014-10-26T19:18:07.570

Reputation: 182 472

I attempted to set up fail2ban but it then made it impossible to access my server. I was able to use safe reboot, but wasn't able to remove it or anything. I googled my issue, and I found that others on CentOS 7 were having the same problem. Luckily for me, I had nothing on the server so I just reinstalled the OS, which took a few min. – travis – 2014-10-26T19:56:31.207

Ah, that's unfortunate. I haven't had issues with it on my CentOS server. Normally it shouldn't interfere so much. – slhck – 2014-10-26T19:58:43.500

Another thing worth considering is PeerGuardian. – paradroid – 2014-10-27T01:49:48.727

@travis That's something to be expected when you have password-based SSH logins. You should consider using SSH keys for authentication and disabling password-based SSH login entirely, and it's probably also a good idea to change the default SSH port on your server. – Winter – 2014-10-27T03:34:15.600

@Winter +1 for the first part, but changing the SSH port won't really help. It just delays, but if someone really wants to enter the server, it is no real burden. – glglgl – 2014-10-27T07:45:59.880

@glglgl It's a deterrent. It stops someone from going "I wonder if this is insecure..." - it won't stop a directed attack, but it will stop a casual hacker. "Somewhere else is easier." – None – 2014-10-27T16:09:37.397

2

It looks like brute force hacking attempts to get into the admin console of the WordPress site. I get these all the time on my WordPress sites. If you had a user called admin with the password 'pass', they would certainly have got in by now.

Install a security plugin that will block IP addresses after a certain number of login attempts. I use Wordfence.

paradroid

Posted 2014-10-26T19:18:07.570

Reputation: 20 970

Those IP addresses seem to be coming from CloudFlare CDN servers in San Francisco and Japan, which is a bit weird. – paradroid – 2014-10-26T19:41:54.803

I'd expect that means the site is behind CloudFlare. There's probably an X-Forwarded-For header something like mod_rpaf could use, but it's not set up to – ceejayoz – 2014-10-27T13:00:01.463

@ceejayoz I'm not sure what you mean. As wp-login.php is not a static file, it will not be on the CDN anyway. I don't understand why these incoming connections seem to be coming from CloudFlare CDN servers. Perhaps CloudFlare also does server hosting? – paradroid – 2014-10-27T18:38:33.070

You can (and usually do) point your entire domain at CloudFlare. That means incoming requests - GET and POST, dynamic or static - go through CloudFlare first, and thus would have their IPs. – ceejayoz – 2014-10-27T19:42:13.893
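As an added example, not part of the original thread or of any of the tools mentioned in it, the Python script below does the two things the discussion circles around: the per-IP attempt counting that slhck's answer delegates to fail2ban, and the client-address attribution that the CloudFlare comments say is missing. It parses lines in exactly the question's log format, counts POST /wp-login.php responses with status 200 (a failed WordPress login re-renders the form with 200, while a successful one redirects with 302) per source inside a sliding time window, and trusts a forwarded client address only when the request arrived from a known proxy. All sample lines are constructed; the trailing "xff=" field is a hypothetical extension of the Apache LogFormat that the question's logs do not have, and treating the two addresses from the question as CDN proxies is an assumption taken from the comments, not a verified fact.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format as in the question, plus an optional trailing
# "xff=<header value>" field (hypothetical: it would come from appending
# xff=%{X-Forwarded-For}i to the LogFormat; the question's logs lack it).
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
    r'(?: xff=(?P<xff>.*?))?\s*$'
)

# Constructed sample in the question's own format. The two source addresses
# are the ones from the question; 198.51.100.7 is a documentation address.
SAMPLE_PLAIN = """\
108.162.216.73 - - [22/Oct/2014:21:54:49 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:49 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
198.51.100.7 - - [22/Oct/2014:21:54:51 -0400] "GET /wp-login.php HTTP/1.1" 200 3467 "-" "Mozilla/5.0"
108.162.216.73 - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
198.51.100.7 - - [22/Oct/2014:21:54:55 -0400] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""

# Constructed sample in the hypothetical extended format. Line 4 shows a proxy
# appending the real client to a client-supplied list; line 6 is a direct
# client (not a proxy) forging the header.
SAMPLE_XFF = """\
108.162.216.73 - - [22/Oct/2014:21:54:49 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" xff=203.0.113.5
103.22.200.207 - - [22/Oct/2014:21:54:49 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" xff=203.0.113.5
108.162.216.73 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" xff=203.0.113.5
103.22.200.207 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" xff=10.0.0.1, 203.0.113.9
108.162.216.73 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" xff=203.0.113.5
198.51.100.7 - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" xff=203.0.113.5
108.162.216.73 - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" xff=203.0.113.9
103.22.200.207 - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" xff=203.0.113.5
"""

# Assumption for the demo (taken from the comments, not verified): the two
# source addresses in the question are the CDN's proxies. Only they may
# vouch for a forwarded client address.
CDN_PROXIES = frozenset({"108.162.216.73", "103.22.200.207"})


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop ?action=... and the like
    return rec


def is_failed_login(rec):
    # wp-login.php answers a wrong password by re-rendering the form (200);
    # a successful login redirects (302), so POST + 200 is the failure signal.
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] == 200)


def client_ip(rec, trusted_proxies):
    """Attribute the request to the forwarded address only if the TCP peer is
    a trusted proxy; anyone can forge X-Forwarded-For, so honouring it blindly
    lets an attacker spread attempts over fake addresses or get an innocent
    address banned."""
    xff = rec.get("xff")
    if rec["remote"] in trusted_proxies and xff and xff != "-":
        # The trusted proxy appends the address it saw; anything further left
        # came from the client and may be forged, so take the rightmost entry.
        return xff.split(",")[-1].strip()
    return rec["remote"]


def detect_bruteforce(lines, maxretry=4, findtime=10, trusted_proxies=frozenset()):
    """fail2ban-style rule: an address with >= maxretry failed logins within
    findtime seconds is flagged. Lines are assumed to be in log order.
    Returns {address: total failed attempts seen} for flagged addresses."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # per-address timestamps inside the window
    total = defaultdict(int)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        ip = client_ip(rec, trusted_proxies)
        total[ip] += 1
        q = recent[ip]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= maxretry and ip not in flagged:
            flagged[ip] = rec["ts"]   # time of the triggering attempt
    return {ip: total[ip] for ip in flagged}


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_PLAIN.splitlines()))
    print(detect_bruteforce(SAMPLE_XFF.splitlines()))
    print(detect_bruteforce(SAMPLE_XFF.splitlines(), trusted_proxies=CDN_PROXIES))
```

Run over lines in the question's own format, the script flags the CloudFlare addresses, which is precisely the trap the comments describe: banning them with fail2ban or a plugin cuts off every visitor the CDN proxies, while the attacker behind them is untouched. Only with the forwarded field and the proxy set does the same rule land on the real client (203.0.113.5 in the constructed sample), and the forged header from the direct client is ignored. In production the usual fix is Apache's mod_remoteip (RemoteIPHeader plus RemoteIPTrustedProxy for the CDN's published ranges), which puts the real client into the %a log field so that existing fail2ban filters work unchanged; the connection address remains available as %{c}a.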