<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Here's a puzzle. The background:</p>
<p>I did a fresh install of Debian Buster on my virtual machine
hosted by Mythic Beasts. I moved my ancient WordPress install off
their sphinx server because its PHP install is so old and I felt
it was unsafe. I couldn't upgrade WordPress.</p>
<p>On my VM I installed fail2ban and saw the usual suspects. In
WordPress I saw tons of failed login attempts on my username
'dougie'. These were initially quite confusing because my VM is
proxied via Mythic Beasts DNS and all the addresses, at least for
https traffic I guess, appear to come from Mythic's IP range. But
that aside, I installed a new user on my WordPress install with no
history, and *immediately* there were tons of brute-force attacks
on the new user. This was a little unsettling.</p>
<p>Mythic Support suggested (and they turned out to be correct)
looking at xmlrpc.php, and with the help of a plugin or two I
established that it was indeed the 'attack vector' for all the failed
login attempts. Interestingly, Mythic couldn't see how the new user
name was being extracted, but clearly it was a vulnerability. I
modified the .htaccess file (as outlined in
<a class="moz-txt-link-freetext" href="https://www.hostinger.com/tutorials/xmlrpc-wordpress">https://www.hostinger.com/tutorials/xmlrpc-wordpress</a>) and the
problem stopped.</p>
<p>I installed Wordfence, remembered I wasn't keen on it, and
de-activated it and installed the All In One (free) security
plugin.</p>
<p>One of the options it has is for renaming the wp-admin landing
page for logins. I let it do that, then discovered it made the
changes in the database, and not in the filesystem, and I wasn't
keen on that. So I reversed that, and instead put a .htaccess file
in my wp-admin directory as a second basic level of security. It's
only me logging in after all.</p>
<p>Which brings me to the mystery. As I understand it, any attempts
to log in must go via the wp-admin directory. But, in WordPress
(using the Simple History plugin), I am seeing *occasional* failed
login attempts. Once every now and then. I'm puzzled that I'm
seeing any attempts at all.</p>
<p>Have a go. Try logging in at <a class="moz-txt-link-abbreviated" href="http://www.katsura.uk/wp-admin">www.katsura.uk/wp-admin</a> and you
should see the authentication screen from my .htaccess file.</p>
<p>So my thoughts are, 1. There's another way in, or 2. This might
be WordPress itself, via one of its cron jobs running something
periodically.</p>
<p>Either way I'm puzzled. Puzzled I tell ya.</p>
<p>Any thoughts?</p>
<p>Dougie<br>
</p>
<p>
Anonymous user from 46.235.225.0 7:55 pm (less than a minute ago)<br>
Failed to login with username "dougie" (incorrect password
entered) warning<br>
Showing 34 more<br>
<br>
Anonymous user from 93.93.129.0 7:36 pm (19 minutes ago)<br>
Failed to login with username "dougie" (incorrect password
entered) warning<br>
Anonymous user from 46.235.225.0 6:58 pm (about an hour ago)<br>
Failed to login with username "dougie" (incorrect password
entered) warning<br>
Anonymous user from 46.235.225.0 6:40 pm (about an hour ago)<br>
Failed to login with username "dougie" (incorrect password
entered) warning<br>
Anonymous user from 46.235.225.0 6:22 pm (about 2 hours ago)<br>
Failed to login with username "dougie" (incorrect password
entered) warning<br>
</p>
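<p>Added example (not from the original post, and not Dougie's configuration): a site-root .htaccess that fronts the two credential-accepting entry points WordPress keeps <em>outside</em> wp-admin/. wp-login.php, the form that /wp-admin/ redirects to, lives in the document root, so a .htaccess inside wp-admin/ does not cover it; xmlrpc.php likewise takes a username and password directly (wp.getUsersBlogs, and many guesses per request via system.multicall) without ever touching wp-admin/. It assumes Apache 2.4 (what Debian Buster ships), that AllowOverride permits AuthConfig and Limit in the document root, and a placeholder htpasswd path.</p>

```apache
# Site-root .htaccess for a WordPress install behind Apache 2.4.
# Added example, not the poster's file. The realm name and the
# AuthUserFile path are placeholders.

# xmlrpc.php accepts credentials directly and never passes through
# wp-admin/. Unless something you rely on (Jetpack, the mobile app)
# needs it, deny it outright.
<Files "xmlrpc.php">
    Require all denied
</Files>

# wp-login.php is at the site root, not inside wp-admin/, so a
# .htaccess in wp-admin/ does not cover it. Put the same basic-auth
# prompt in front of it. Keep the htpasswd file outside the web root.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/wp-login.htpasswd
    Require valid-user
</Files>
```

<p>Create the password file with <code>htpasswd -c /etc/apache2/wp-login.htpasswd dougie</code> (from the apache2-utils package) and point both this file and the existing wp-admin/.htaccess at it. Two caveats: first, because the VM sits behind Mythic's proxy, any <code>Require ip</code> rule would match the proxy's address rather than the visitor's unless mod_remoteip is configured to trust the proxy and read its forwarded-for header, so basic auth is the safer choice here; second, wp-admin/admin-ajax.php is called by anonymous front-end requests in many themes and plugins, and if the wp-admin basic auth breaks those, a <code>&lt;Files "admin-ajax.php"&gt; Require all granted &lt;/Files&gt;</code> section in wp-admin/.htaccess exempts it (with the default AuthMerging Off, the more specific section replaces the directory-level Require).</p>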
</body>
</html>