WordPress VPS site and Failed Logins

wordpress

#1

A website I manage has been getting occasional reboots.
The website
-uses WordPress and Woocommerce
-is on a VPS

I have been trying various things to try and get the rebooting to stop (checking plugins, upping the RAM limit, PSmanager, etc.).

Today at around 11am a reboot happened, and afterwards the site was moving very slowly. On a whim I checked the LoginLockdown plugin, and noticed a constant barrage of failed login attempts.
Checking the database, I can see that this website is currently getting pounded (every 10 seconds) with login attempts. I am guessing this has something to do with the rebooting.

As I mentioned, I have the plugin “login lockdown” installed, and also the 5G BLACKLIST/FIREWALL (2013) in the .htaccess

Anything else I can do to get this bot off the site? It seems to be using some kind of IP spoofing, because the IP changes constantly.
[hr]
From the Login Lockdown logs, I see that the bot is attempting to use “admin” almost every time. I wonder if there is a way to do something if “admin” is attempted?
[hr]
Okay, to answer my own question:

First, I found this website with a tidy explanation and a good solution:

http://www.firsttracksmarketing.com/website-development/how-to-protect-your-wordpress-site-from-brute-force-attacks.html

I followed their instructions at the bottom of the page, but made two alterations:
-instead of using “login.php” as the new login page, I used something different. login.php seemed too obvious.
-I added an additional line to their functions to send logouts to the proper page; however, this does not seem to properly log the user out, but here is the line I am using:

// logout url fix: point the logout link at the renamed login page
// (straight quotes required; the smart quotes from the forum break PHP)
add_filter('logout_url', 'fix_logout_url');
function fix_logout_url($link) {
    return "/ps-login.php?loggedout=true";
}

[hr]
I can confirm that this has stopped the barrage of login-attempts and the VPS Resources are back down.
[hr]


#2

It would probably be better to change the permissions on wp-login, rather than rename it. The reason I suggest that is that when WP is upgraded, the file will just come back. But if you change permissions on it (or better, use .htaccess to redirect anyone headed there to something like fbi.gov or google), then you won’t get whacked at upgrade time.

That said, there’s a plugin that can do this for you: http://wordpress.org/plugins/sf-move-login/

(I don’t like that he doesn’t let you rename the login folder mind you).

Keep in mind this: yourdomain.com/wp-admin/ will probably still work :confused:


#3

Thanks for the advice Ipstenu. That makes sense to use .htaccess rather than renaming. This way upgrades will not affect the setup. I have made the change.

This is what I have added to my .htaccess:
# prevents access to wp-login since we have changed that
# (Apache 2.2 syntax; on Apache 2.4 the two lines inside become "Require all denied")
<Files wp-login.php>
order allow,deny
deny from all
</Files>

Yes, wp-admin link still works (goes to the new login page) which is fine, since the bots seem to go straight for wp-login.php.
I checked this morning and have not had one single failed login attempt (bot attack) since the moment I changed the login page. So it seems to be a good fix.


#4

Just to follow up on this. The code I found that works for properly logging out and re-directing to the new logout page is (assuming your logout page is ps-logout.php):
// logout url fix: swap the wp-login.php logout URL for the renamed page,
// keeping the nonce and redirect that WordPress appends to $link
add_filter('logout_url', 'fix_logout_url', 10, 2);
function fix_logout_url($link, $redirect = '') {
    return str_replace(
        site_url('wp-login.php?action=logout', 'logout'),
        site_url('ps-login.php?action=logout', 'logout'),
        $link
    );
}

Everything seems to be working so far.
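The pieces from posts #1, #3 and #4 pulled together as one mu-plugin (an added example, not code from the thread or from the linked article): it rewrites every wp-login.php URL WordPress generates (form action, logout and lost-password links), refuses direct wp-login.php requests next to the .htaccess deny, rejects the “admin” username the bot keeps guessing, and logs failed attempts. It assumes a file named ps-login.php in the site root that simply does `require __DIR__ . '/wp-login.php';` (the name comes from the thread; the plugin itself and its function names are assumptions).

```php
<?php
/*
Plugin Name: Move login (added example, not the thread's own code)
Description: Place in wp-content/mu-plugins/. Assumes the site root contains
ps-login.php with the single line: require __DIR__ . '/wp-login.php';
*/

const PS_LOGIN_FILE = 'ps-login.php'; // assumed name of the new entry point

// Every login-related URL WordPress builds goes through site_url() with a
// path containing wp-login.php: the form action, wp_login_url(),
// wp_logout_url(), wp_lostpassword_url() and redirects. Rewrite them all here.
add_filter('site_url', function ($url, $path) {
    if (is_string($path) && strpos($path, 'wp-login.php') !== false) {
        $url = str_replace('wp-login.php', PS_LOGIN_FILE, $url);
    }
    return $url;
}, 10, 2);

// Belt and braces beside the .htaccess deny: when wp-login.php is requested
// directly (not included from ps-login.php) answer 404 instead of a form.
add_action('login_init', function () {
    if (basename($_SERVER['SCRIPT_NAME'] ?? '') === 'wp-login.php') {
        status_header(404);
        nocache_headers();
        exit;
    }
});

// The bot in the thread tries "admin" almost every time. Priority 30 runs
// after the core username/password checks, so the refusal is final even if
// such an account exists.
add_filter('authenticate', function ($user, $username) {
    if (strtolower(trim((string) $username)) === 'admin') {
        return new WP_Error('ps_bad_user', 'Invalid username.');
    }
    return $user;
}, 30, 2);

// Record failures in the PHP error log so the attempt rate stays visible
// even without the Login Lockdown plugin.
add_action('wp_login_failed', function ($username) {
    error_log(sprintf('[ps-login] failed login for "%s" from %s',
        $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
});
```

Test it by watching the error log while attempting a wrong password on ps-login.php and by requesting wp-login.php directly, which should return 404.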


#5

That’s good to hear! Keep tabs on the attacks, I bet they’ll shift to wp-admin sooner or later :confused: It’s pretty static.

You should also see what happens if you go to domain.com/login (which is by default redirected, same as domain.com/admin)


#6

Frak! There is no stopping these guys. domain.com/login is not redirecting, but domain.com/admin does redirect to my new login page, as does domain.com/wp-admin

I suppose the alternative is to create a custom login page, but not use the default redirects. Each website user would have to be aware of the login page and have it bookmarked.

I will investigate this later today.


#7

I just wanted to follow up on this post one more time. It has been two weeks since I implemented the changes (changing the location of the login page for WordPress), and there has not been one single failed login for the site.

Just to be sure that failed logins were still being recorded by Login Lockdown plugin, I made three wrong login attempts and they all showed up as failed logins.

Also, the VPS the site in question is running on has not had any more random reboots.

In summary: I think that changing the location of the login page for WordPress is something I will do on any new websites I create. This (at least for the present time) prevents bot login attempts, which can cause over-usage and random reboots on a VPS.

If you are experiencing random reboots on your VPS-hosted WordPress site from sudden spikes in memory, I highly recommend installing the Login Lockdown plugin to determine if you are getting loads of unwanted login attempts, and then changing the location of your login page using the instructions in this thread.