• How to Stop Failed Login Attempts and Fake Free Trial Sign Ups

    Home » Forums » AskWoody support » Windows » Windows 7 » Questions: Windows 7 » How to Stop Failed Login Attempts and Fake Free Trial Sign Ups

    Author
    Topic
    #2454816

    Hi Loungers,

    I have a wordpress.org site on Windows 7.

    Can anyone offer some simple (i.e., not too technical) ways to stop constant Failed Login attempts (formerly called Brute Force attacks) and fake Free Trial signups. Former are identified by free iThemes Sucuri plugin and are failed attempts to login as “admin”. Latter keep showing up as WooComerce Memberships.

    To stop fake signups I just added a ReCAPTCHA plugin (ReCaptcha 4WP) on the sign up form, but a scammer just signed up so it doesn’t seem to be working … or maybe it’s just taking time to take effect?

    I would like to find a free solution, if possible. Also realize this is more a WordPress than a Windows thing, so please tell me if I’m better to go to them. I always come here first because this Lounge has solved my tech issues for years and I trust its members!

    Thanks for any suggestions or redirections!

    Linda

    • This topic was modified 1 week, 1 day ago by IreneLinda.
    Viewing 18 reply threads
    Author
    Replies
    • #2454847

      Try this to hide your admin login. Easy install and works well

      WPS Hide Login
      https://wordpress.org/plugins/wps-hide-login/

      Recaptcha helps but isn’t infallible with an idiot actually sitting at a keyboard πŸ™‚

    • #2455117

      Thanks, cyberSAR … and apologies for not seeing your super fast response until just now. Email notification didn’t come … happens sometimes so I thought I’d check the thread just in case and there you were! πŸ™‚

      Will try out the plugin and post back with results. This morning I had 36 fake signups and over 100 failed logins!

      Linda

    • #2455119

      Quick question, if you can help again …

      I found the setting to change the login URL. After my site name (xxx.com/) it has the word “login” to replace “wp-admin”. Do I change “login” to something else, likely hard to guess? Do I need a dash as in “wp-admin” (suspect not, but want to be sure).

      Thanks again for your advice!

      Linda

    • #2455122

      Hi Linda,

      You just put in a crazy name but something you will remember. I think it has to be lowercase and I’m not sure if special characters or numerals are allowed. Been some time since I set them up.

      Instead ofΒ  https://www.yoursite.com/wp-admin/ you will go to https://www.yoursite.com/whatevercrazynameyouwanthere/

      As far as signups, the sites we do either don’t allow signups or used another script to manage signups and insert data in WordPress database.

      HTH

    • #2455132

      Perfect! Thank you so much, cyberSAR.

      I’ll also try deactivating the plugin I added for the Free Trial sign ups and see if perhaps your hide login plugin stops those as well. Hate having too many plugins in case they affect site speed since it’s now very good.

      Will post back soon once I’ve given the plugin a try!

      Linda

      • #2455143

        Not just speed but incompatibilities with themes and other plugins. Just had to manually disable a gang of plugins for a client because one of them updated and took down the site. He’s got so many I thought it might take all day because I wasn’t familiar with his site. Got lucky and found it in the first 5 πŸ™‚ I’m not a big WP fan but it fits for some of my customers.

    • #2455146

      I think it has to be lowercase and I’m not sure if special characters or numerals are allowed.

      You can use any combination of characters you can type using a “normal” keyboard but, because it’s a “link” to a web site and not Windows, upper & lower case letters are treated as being different.

      For example the URLs

        https://www.yoursite.com/wp-admin/
                      and
        https://www.yoursite.com/Wp-Admin/

      will send you to two completely different locations on the same web site.

      Also, it’s a good idea to only use standard numbers and text for web site URLs because “some” special characters (like &, %, $, @, etc.) have “special functionality” in the HTML code used for web sites that can cause problems if they’re entered in the URL input box of a browser.

      • #2455172

        True but I was referring to the requirements of the plugin. I vaguely remember typing uppercase once and it converts it to lower. Again, been some time since I set them up.

    • #2455170

      Thanks, cyberSAR. Yes, plugins are an issue for us WordPress users. However, for non-techy site admins such as I, it’s a solution, albeit not one without frustrations! I’m crossing my fingers that these plugins don’t cause problems with WP Rocket, which is primarily responsible for the site speed improvements we got. AND I can imagine your relief when you found the problem after only 5 plugins!!

      alejr: Great information and good learning, too! Thanks.

      I ended up using just lower case words which I’ve recorded in a safe place. Although tempted, I refrained from using profanity (aimed at the blasted bots!!). πŸ˜‰

      Linda

    • #2455171

      Although tempted, I refrained from using profanity (aimed at the blasted bots!!)

      Don’t forget, since you are allowing WP registrations and logins, the users will see that when logging in! πŸ™‚

    • #2455176

      Well, sure glad it was just a passing thought, born of frustration! Could have caused a lot of embarrassment down the road.

      It’s only been an hour, but I haven’t had another attack since activating the plugin. Good sign!

    • #2455198

      Update: well, good news so far on the admin login issue. πŸ™‚ Not so good on the Free Trial sign ups.

      I have a WP Forms Lite form with reCaptcha on the page, but the hits just keep on coming. Is there anything else I can try to stop these? At this point, I’m ready to remove the Free Trial sign up and figure out some other way.

      Thanks for any suggestions!

      Linda

    • #2455216

      Oh, great. I’ll check it out … and thank you again, cyberSAR, very much!

      Will let you know how I do.

    • #2455320

      Well, phooey, cyberSAR. Great article, but the WP Form I would need to stop registration spam is $200, not in the budget currently. I just use their free version.

      Thank you, however, for hunting it up for me.

      And, oh no, the site lockouts are pouring in again! I went to the plugin’s support forum and found another person with the same issue: he changed the URL, all was fine for a while then the attacks restarted. He kept changing the URLs daily to stop this. The suggestion was to do close xmlrpc in .htaccess with this code:

      <Files xmlrpc.php>
      Order Allow,Deny
      Deny from all
      </Files>

      I researched WP Beginner article on how to do this, but it seems to me that the code will stop access to our site from everywhere. I can make our IP address an exception, but then can’t access the site from iPhone or iPad ,,, I think.

      This is getting into territory a little deep for me so wanted to check back here before trying anything. I do have Code Snippets plugin so can add the code, just worried it might break things!

      What do you guys think?

      Any thoughts most welcome!

      Linda

      • #2455354

        I always disable xmlrpc along with many other things as my clients don’t need to be editing their site from their phone and have no apps that require it. I just checked a couple that avg ~10K visitors per day and have no lockouts, but again, we don’t allow registrations through wordpress. No lockouts to admin though.

        I use a custom plugin I created as it’s easier to deploy and I do much more than what is shown in the below linked article. If you like I can send or link my plugin with the salient parts which you can upload and activate and deactive as needed for testing.
        https://orbitingweb.com/blog/remove-unnecessary-tags-wp-head/

    • #2455360

      Wow, cyberSAR, you really know what you’re doing technically and you sure have the answers! Your custom plugin addresses loads of items and you’re right: I don’t need all of them. To be honest, I’m not quite sure which ones I DO need!

      Your offer is very generous and I would love to give it a try. Much easier for me to cope with a plugin than with adding code!

      Many, many thanks for ALL you’re doing to help!

      Linda

    • #2455371

      Since we never allow wordpress registrations I’ve never really spent time on that aspect. I just read that the registration page is actually part of the login page. Yuck!

      https://kinsta.com/blog/stop-wordpress-registration-spam/
      The registration page is actually part of the WordPress login page, so you can accomplish this with any plugin that lets you change the WordPress login URL.

      If WP Forms allows you to edit the registration what about creating an additional user field required for registration with an obscure”name” and a required correct answer? Might stop a bunch of bot stuff.

    • #2455388

      Hi again, cyberSAR,

      Two things:

      1. FOUND IT! IGNORE #1. I can’t remember how to access DM … duh! Can you please remind me how to do it. I have used it in the past, but just can’t access it today!
      2. what about creating an additional user field required for registration with an obscure”name” and a required correct answer?

      Sounds like a easy and workable fix, but I’m not sure how to implement it. Poked around in WP Forms registration form, but couldn’t quite see how I would do what you suggest. I attached the page so you could see the fields available to me in case that would help.

      I am starting to feel guilty for taking up so much of your time. Thank you so much for offering so much help and so many suggestions … and for the research you are doing on my behalf!

      Linda

      • #2455395

        No need to feel that way… we are all here sharing our knowledge and trying to help others! I’m certainly no WP guru but when I started getting requests from clients for WP sites I figured I’d learn as much as I could to button them down. I answered your PM with a suggestion to try the plugin first and make sure it doesn’t break your site. It’s strictly security things that I use but it could impact the way you use your site. Then we can go further if need be on your registration form.

        As luck would have it I’m developing a WP site right now for a client πŸ™‚ I absolutely hate the new block garbage even more than the older version but I have been able to get it working with the classic editor and some tweaks to that.

    • #2455404

      Thanks for that … and I sure do learn a lot here! I always hope my struggles will help other Loungers figure out issues they’re having.

      Aha, the infamous block editor. I can imagine how frustrating it is for “real” site developers who code sites because it sure is frustrating for non-coders who had enough challenges with the Classic Editor! Glad you’ve found a way around using it to create the new WordPress site for your customer!

      I noticed is that the “Anyone can register” checkbox is NOT checked in General Settings. Does that have anything to do with this? Or maybe it just means that things could be even worse had I checked that box when I created the site?

      Back with results soon,

      Linda

    • #2455406

      Not sure. I always disable that. Since you are offering a free registration I assume you have a paid one too. Maybe dig around in whatever program you are using for the paid and see if they have any options in there????

      BTW if you want to add styles of your site to the editor let me know and I’ll update your plugin. Some themes have the ability some don’t. It’s not perfect, but my clients seem to like it as the editor looks more like the page than without. Haven’t tried it with the block editor though.

    • #2455513

      Thanks, cyberSAR. I’ll poke around in WooCommerce Memberships, our membership plugin as you suggest.

      I created the site in the block editor and the home page is Elementor. Does this mean we should hold off on adding to the plugin?

      Some mixed news: good – no recent “site lockout notifications”; not so good – more fake free trial registrations. Recaptcha isn’t stopping them. I don’t think fake registrations are part of your plugin. Am I correct?

      Any thoughts?

      Linda, sigh

       

       

       

    • #2455714

      Update

      Well, as of right now it looks as if adding a reCAPTCHA to the My Account page for WooCommerce may have done the trick. Lockouts and fake sign ups are down right now, although I won’t feel confident for another few hours (days?).

      Will post back once I’ve tested it for a few days.

      Huge thanks for all the help and advice throughout this journey!

      Linda

    Viewing 18 reply threads
    Reply To: How to Stop Failed Login Attempts and Fake Free Trial Sign Ups

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: