[wp-hackers] Counting failed logins

Roy Schestowitz r at schestowitz.com
Mon Dec 5 12:53:45 GMT 2005


_____/ On Mon 05 Dec 2005 12:08:52 GMT, [Podz] wrote : \_____

> I'm making an assumption that in order to get access to a blog it has to
> be through wp-login.php and not some passing of a string, but is there a
> way for failed logins to be counted ?
> I can run tools like wwhack against my login page all day and I will get
> no warning that someone is trying to get access. Can this be set to a
> certain number and then something happens - at the very least the blog
> owner getting an email or two ?
>
> P.

This is similar to what Mambo sought at some stage:

http://forum.mamboserver.com/showthread.php?t=14740

Notice the other interesting suggestions in this post. In principle, it
should not be difficult to implement what you suggest. I am not a PHP
programmer so I would probably just scan the log file, trimming and counting
all requests for wp-login.php and then looking for unfamiliar IP addresses.

In PHP, you could probably just retain a file where logins get appended
(similar to "last login" in cPanel) and, every once in a while, such file
will be investigated and a warning message sent if it grows too quickly. I
am aware that this wouldn't reflect on the number of failed attempts
precisely, as they would be mixed with successful ones. If you talk about
brute-force tools, however, this will give you rough insight into illicit
activities that revolve near your site.

SSH'ing for root access, even on Windows and Mac workstations, is something
that can get hundreds of attempts per day, but firewalls are often there to
intercept it. Maybe restrict wp-login.php to only a few trusted IP
addresses, or a certain IP C block? Making it an advanced option perhaps?

Roy
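The log-scanning approach described in the reply above (count requests for wp-login.php per source address, ignore familiar addresses, raise a warning when the count grows too fast) worked through as an added example. This is not code from the thread or from WordPress. It assumes an Apache/nginx "combined" access log, and it assumes that a failed credential POST to wp-login.php re-renders the form with HTTP 200 while a successful one redirects with 302; the sample log lines are constructed for the example, with RFC 5737 documentation addresses.

```python
"""Flag bursts of failed wp-login.php POSTs per source IP from an access log.

Added example (not from the wp-hackers thread or WordPress itself).
Assumptions: combined log format; a failed login POST returns 200 and a
successful one returns a 302 redirect to wp-admin.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: a brute-force tool at 203.0.113.7 (six failures in
# 40 seconds), a normal user at 198.51.100.20 (form load, then a successful
# login), a trusted admin at 192.0.2.10 who fat-fingered five times, and one
# unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Dec/2005:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1823 "-" "wwhack"',
    '203.0.113.7 - - [05/Dec/2005:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1823 "-" "wwhack"',
    '203.0.113.7 - - [05/Dec/2005:12:00:17 +0000] "POST /wp-login.php HTTP/1.1" 200 1823 "-" "wwhack"',
    '203.0.113.7 - - [05/Dec/2005:12:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 1823 "-" "wwhack"',
    '203.0.113.7 - - [05/Dec/2005:12:00:33 +0000] "POST /wp-login.php HTTP/1.1" 200 1823 "-" "wwhack"',
    '203.0.113.7 - - [05/Dec/2005:12:00:41 +0000] "POST /wp-login.php HTTP/1.1" 200 1823 "-" "wwhack"',
    '203.0.113.7 - - [05/Dec/2005:12:00:50 +0000] "GET /index.php HTTP/1.1" 200 9012 "-" "wwhack"',
    '198.51.100.20 - - [05/Dec/2005:12:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1823 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [05/Dec/2005:12:05:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Dec/2005:12:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1823 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Dec/2005:12:10:11 +0000] "POST /wp-login.php HTTP/1.1" 200 1823 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Dec/2005:12:10:21 +0000] "POST /wp-login.php HTTP/1.1" 200 1823 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Dec/2005:12:10:31 +0000] "POST /wp-login.php HTTP/1.1" 200 1823 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Dec/2005:12:10:41 +0000] "POST /wp-login.php HTTP/1.1" 200 1823 "-" "Mozilla/5.0"',
    'this line is not a valid access log record',
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        # Drop any query string so "/wp-login.php?action=..." still matches.
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """Only POSTs submit credentials; a GET merely renders the form.

    Assumption: a failed POST re-renders the form (200), a success redirects (302).
    """
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] == 200)


def find_bursts(lines, threshold=5, window_minutes=10, trusted=frozenset()):
    """Map IP -> peak number of failed logins inside any window of window_minutes.

    Only IPs that reach `threshold` are returned; addresses in `trusted` are
    skipped so that a known admin mistyping a password does not page anyone.
    """
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_failed_login(rec) and rec["ip"] not in trusted:
            failures[rec["ip"]].append(rec["ts"])

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


if __name__ == "__main__":
    for ip, n in find_bursts(SAMPLE_LOG, trusted={"192.0.2.10"}).items():
        print(f"ALERT: {ip} had {n} failed wp-login.php POSTs within 10 minutes")
```

Run this periodically over the current access log (cron, or a logrotate hook) and feed the returned dict to whatever notification you have, e.g. an email to the blog owner. The status-code assumption is the part to verify against your own installation before trusting the counts: load the form, submit a bad password and a good one, and confirm the 200/302 split in the log, because a redirect-based login plugin or a caching layer can change it.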


