How to Stop Failed Login Attempts and Fake Free Trial Sign Ups

Topic

New Reply

[IreneLinda]

Hi Loungers,

I have a wordpress.org site on Windows 7.

Can anyone offer some simple (i.e., not too technical) ways to stop constant Failed Login attempts (formerly called Brute Force attacks) and fake Free Trial signups. Former are identified by free iThemes Sucuri plugin and are failed attempts to login as “admin”. Latter keep showing up as WooComerce Memberships.

To stop fake signups I just added a ReCAPTCHA plugin (ReCaptcha 4WP) on the sign up form, but a scammer just signed up so it doesn’t seem to be working … or maybe it’s just taking time to take effect?

I would like to find a free solution, if possible. Also realize this is more a WordPress than a Windows thing, so please tell me if I’m better to go to them. I always come here first because this Lounge has solved my tech issues for years and I trust its members!

Thanks for any suggestions or redirections!

Linda

• This topic was modified 11 months, 2 weeks ago by IreneLinda.

Reply | Quote

Hi Loungers,

I have a wordpress.org site on Windows 7.

Can anyone offer some simple (i.e., not too technical) ways to stop constant Failed Login attempts (formerly called Brute Force attacks) and fake Free Trial signups. Former are identified by free iThemes Sucuri plugin and are failed attempts to login as “admin”. Latter keep showing up as WooComerce Memberships.

To stop fake signups I just added a ReCAPTCHA plugin (ReCaptcha 4WP) on the sign up form, but a scammer just signed up so it doesn’t seem to be working … or maybe it’s just taking time to take effect?

I would like to find a free solution, if possible. Also realize this is more a WordPress than a Windows thing, so please tell me if I’m better to go to them. I always come here first because this Lounge has solved my tech issues for years and I trust its members!

Thanks for any suggestions or redirections!

Linda

Replies

Try this to hide your admin login. Easy install and works well

WPS Hide Login
https://wordpress.org/plugins/wps-hide-login/

Recaptcha helps but isn’t infallible with an idiot actually sitting at a keyboard 🙂

Never Say Never

Reply | Quote

Thanks, cyberSAR … and apologies for not seeing your super fast response until just now. Email notification didn’t come … happens sometimes so I thought I’d check the thread just in case and there you were! 🙂

Will try out the plugin and post back with results. This morning I had 36 fake signups and over 100 failed logins!

Linda

Reply | Quote

Quick question, if you can help again …

I found the setting to change the login URL. After my site name (xxx.com/) it has the word “login” to replace “wp-admin”. Do I change “login” to something else, likely hard to guess? Do I need a dash as in “wp-admin” (suspect not, but want to be sure).

Thanks again for your advice!

Linda

Reply | Quote

Hi Linda,

You just put in a crazy name but something you will remember. I think it has to be lowercase and I’m not sure if special characters or numerals are allowed. Been some time since I set them up.

Instead of  https://www.yoursite.com/wp-admin/ you will go to https://www.yoursite.com/whatevercrazynameyouwanthere/

As far as signups, the sites we do either don’t allow signups or used another script to manage signups and insert data in WordPress database.

HTH

Never Say Never

Reply | Quote

Perfect! Thank you so much, cyberSAR.

I’ll also try deactivating the plugin I added for the Free Trial sign ups and see if perhaps your hide login plugin stops those as well. Hate having too many plugins in case they affect site speed since it’s now very good.

Will post back soon once I’ve given the plugin a try!

Linda

Reply | Quote

Not just speed but incompatibilities with themes and other plugins. Just had to manually disable a gang of plugins for a client because one of them updated and took down the site. He’s got so many I thought it might take all day because I wasn’t familiar with his site. Got lucky and found it in the first 5 🙂 I’m not a big WP fan but it fits for some of my customers.

Never Say Never

Reply | Quote

cyberSAR wrote:

I think it has to be lowercase and I’m not sure if special characters or numerals are allowed.

You can use any combination of characters you can type using a “normal” keyboard but, because it’s a “link” to a web site and not Windows, upper & lower case letters are treated as being different.

For example the URLs

https://www.yoursite.com/wp-admin/
              and
https://www.yoursite.com/Wp-Admin/

will send you to two completely different locations on the same web site.

Also, it’s a good idea to only use standard numbers and text for web site URLs because “some” special characters (like &, %, $, @, etc.) have “special functionality” in the HTML code used for web sites that can cause problems if they’re entered in the URL input box of a browser.

Reply | Quote

True but I was referring to the requirements of the plugin. I vaguely remember typing uppercase once and it converts it to lower. Again, been some time since I set them up.

Never Say Never

Reply | Quote

Thanks, cyberSAR. Yes, plugins are an issue for us WordPress users. However, for non-techy site admins such as I, it’s a solution, albeit not one without frustrations! I’m crossing my fingers that these plugins don’t cause problems with WP Rocket, which is primarily responsible for the site speed improvements we got. AND I can imagine your relief when you found the problem after only 5 plugins!!

alejr: Great information and good learning, too! Thanks.

I ended up using just lower case words which I’ve recorded in a safe place. Although tempted, I refrained from using profanity (aimed at the blasted bots!!). 😉

Linda

Reply | Quote

Although tempted, I refrained from using profanity (aimed at the blasted bots!!)

Don’t forget, since you are allowing WP registrations and logins, the users will see that when logging in! 🙂

Never Say Never

Reply | Quote

Well, sure glad it was just a passing thought, born of frustration! Could have caused a lot of embarrassment down the road.

It’s only been an hour, but I haven’t had another attack since activating the plugin. Good sign!

Reply | Quote

Update: well, good news so far on the admin login issue. 🙂 Not so good on the Free Trial sign ups.

I have a WP Forms Lite form with reCaptcha on the page, but the hits just keep on coming. Is there anything else I can try to stop these? At this point, I’m ready to remove the Free Trial sign up and figure out some other way.

Thanks for any suggestions!

Linda

Reply | Quote

Yes the hide login doesn’t work on registration. I’m not familiar with WP Forms but you may want to browse this page speaking about stopping spam using that plugin.  https://www.wpbeginner.com/plugins/how-to-stop-spam-registrations-on-your-wordpress-membership-site/

Never Say Never

Reply | Quote

Oh, great. I’ll check it out … and thank you again, cyberSAR, very much!

Will let you know how I do.

Reply | Quote

Well, phooey, cyberSAR. Great article, but the WP Form I would need to stop registration spam is $200, not in the budget currently. I just use their free version.

Thank you, however, for hunting it up for me.

And, oh no, the site lockouts are pouring in again! I went to the plugin’s support forum and found another person with the same issue: he changed the URL, all was fine for a while then the attacks restarted. He kept changing the URLs daily to stop this. The suggestion was to do close xmlrpc in .htaccess with this code:

<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>

I researched WP Beginner article on how to do this, but it seems to me that the code will stop access to our site from everywhere. I can make our IP address an exception, but then can’t access the site from iPhone or iPad ,,, I think.

This is getting into territory a little deep for me so wanted to check back here before trying anything. I do have Code Snippets plugin so can add the code, just worried it might break things!

What do you guys think?

Any thoughts most welcome!

Linda

Reply | Quote

I always disable xmlrpc along with many other things as my clients don’t need to be editing their site from their phone and have no apps that require it. I just checked a couple that avg ~10K visitors per day and have no lockouts, but again, we don’t allow registrations through wordpress. No lockouts to admin though.

I use a custom plugin I created as it’s easier to deploy and I do much more than what is shown in the below linked article. If you like I can send or link my plugin with the salient parts which you can upload and activate and deactive as needed for testing.
https://orbitingweb.com/blog/remove-unnecessary-tags-wp-head/

Never Say Never

Reply | Quote

Wow, cyberSAR, you really know what you’re doing technically and you sure have the answers! Your custom plugin addresses loads of items and you’re right: I don’t need all of them. To be honest, I’m not quite sure which ones I DO need!

Your offer is very generous and I would love to give it a try. Much easier for me to cope with a plugin than with adding code!

Many, many thanks for ALL you’re doing to help!

Linda

Reply | Quote

Linda, Check your PM. Let me know how it works out.

Never Say Never

Reply | Quote

Since we never allow wordpress registrations I’ve never really spent time on that aspect. I just read that the registration page is actually part of the login page. Yuck!

https://kinsta.com/blog/stop-wordpress-registration-spam/
The registration page is actually part of the WordPress login page, so you can accomplish this with any plugin that lets you change the WordPress login URL.

If WP Forms allows you to edit the registration what about creating an additional user field required for registration with an obscure”name” and a required correct answer? Might stop a bunch of bot stuff.

Never Say Never

Reply | Quote

Hi again, cyberSAR,

Two things:

1. FOUND IT! IGNORE #1. I can’t remember how to access DM … duh! Can you please remind me how to do it. I have used it in the past, but just can’t access it today!

2. what about creating an additional user field required for registration with an obscure”name” and a required correct answer?

Sounds like a easy and workable fix, but I’m not sure how to implement it. Poked around in WP Forms registration form, but couldn’t quite see how I would do what you suggest. I attached the page so you could see the fields available to me in case that would help.

I am starting to feel guilty for taking up so much of your time. Thank you so much for offering so much help and so many suggestions … and for the research you are doing on my behalf!

Linda

Reply | Quote

No need to feel that way… we are all here sharing our knowledge and trying to help others! I’m certainly no WP guru but when I started getting requests from clients for WP sites I figured I’d learn as much as I could to button them down. I answered your PM with a suggestion to try the plugin first and make sure it doesn’t break your site. It’s strictly security things that I use but it could impact the way you use your site. Then we can go further if need be on your registration form.

As luck would have it I’m developing a WP site right now for a client 🙂 I absolutely hate the new block garbage even more than the older version but I have been able to get it working with the classic editor and some tweaks to that.

Never Say Never

Reply | Quote

Thanks for that … and I sure do learn a lot here! I always hope my struggles will help other Loungers figure out issues they’re having.

Aha, the infamous block editor. I can imagine how frustrating it is for “real” site developers who code sites because it sure is frustrating for non-coders who had enough challenges with the Classic Editor! Glad you’ve found a way around using it to create the new WordPress site for your customer!

I noticed is that the “Anyone can register” checkbox is NOT checked in General Settings. Does that have anything to do with this? Or maybe it just means that things could be even worse had I checked that box when I created the site?

Back with results soon,

Linda

Reply | Quote

Not sure. I always disable that. Since you are offering a free registration I assume you have a paid one too. Maybe dig around in whatever program you are using for the paid and see if they have any options in there????

BTW if you want to add styles of your site to the editor let me know and I’ll update your plugin. Some themes have the ability some don’t. It’s not perfect, but my clients seem to like it as the editor looks more like the page than without. Haven’t tried it with the block editor though.

Never Say Never

Reply | Quote

Thanks, cyberSAR. I’ll poke around in WooCommerce Memberships, our membership plugin as you suggest.

I created the site in the block editor and the home page is Elementor. Does this mean we should hold off on adding to the plugin?

Some mixed news: good – no recent “site lockout notifications”; not so good – more fake free trial registrations. Recaptcha isn’t stopping them. I don’t think fake registrations are part of your plugin. Am I correct?

Any thoughts?

Linda, sigh

 

 

 

Reply | Quote

No plugin doesn’t do anything regarding registration. The stuff in it has nothing to do with the editor I removed that part.

Saw quite a few posts complaining of spam with wpforms lite.
https://wordpress.org/support/topic/mountain-of-spam-in-wpforms/

Make sure the honeypot is enabled as per
https://wordpress.org/support/topic/does-wpforms-lite-still-include-honeypot/

You may want to check out this page for some ideas. Esp the email confirmation but it’s not free.
https://profilepress.net/stop-spam-user-registration-wordpress/

Never Say Never

Reply | Quote

Update

Well, as of right now it looks as if adding a reCAPTCHA to the My Account page for WooCommerce may have done the trick. Lockouts and fake sign ups are down right now, although I won’t feel confident for another few hours (days?).

Will post back once I’ve tested it for a few days.

Huge thanks for all the help and advice throughout this journey!

Linda

Reply | Quote

My update: sorry to be late with this but it’s all good news. Putting the reCaptcha on the Account page seems to have done the trick. I was focusing so much on the free trial sign up form, which had one, I didn’t even think about the sign up on the Account page in WooCommerce! Once I added it there, the fake sign ups have stopped. Hope this helps someone else. And thanks once again for all the help all you Loungers offered me throughout this “journey of discovery”!!

Reply | Quote