[Durham] WordPress failed login mystery
Dougie Nisbet
dougie at katsura.uk
Sat Mar 21 20:12:33 UTC 2020
Here's a puzzle. The background:
I did a fresh install of Debian Buster on my virtual machine hosted by
Mythic Beasts. I moved my ancient WordPress install off their sphinx
server because its PHP install is so old and I felt it was unsafe. I
couldn't upgrade WordPress.
On my VM I installed fail2ban and saw the usual suspects. In WordPress I
saw tons of failed login attempts on my username 'dougie'. These were
initially quite confusing because my VM is proxied via Mythic Beasts DNS
and all the addresses, at least for https traffic I guess, appear to
come from Mythic's IP range. But that aside, I installed a new user on
my WordPress install with no history, and *immediately* there were tons
of brute-force attacks on the new user. This was a little unsettling.
Mythic Support suggested (and they turned out to be correct) looking at
xmlrpc.php and with the help of a plugin or two I established that it
was indeed the 'attack vector' for all the failed login attempts.
Interestingly, Mythic couldn't see how the new user name was being
extracted but clearly it was a vulnerability. I modified the .htaccess
file (as outlined in
https://www.hostinger.com/tutorials/xmlrpc-wordpress) and the problem
stopped.
I installed Wordfence, remembered I wasn't keen on it, and de-activated
it and installed the All In One (free) security plugin.
One of the options it has is for renaming the wp-admin landing page for
logins. I let it do that, then discovered it made the changes in the
database, and not in the filesystem, and I wasn't keen on that. So I
reversed that, and instead put a .htaccess file in my wp-admin directory
as a second basic level of security. It's only me logging in after all.
Which brings me to the mystery. As I understand it, any attempts to
log in must go via the wp-admin directory. But, in WordPress (using the
Simple History plugin), I am seeing *occasional* failed login attempts.
Once every now and then. I'm puzzled that I'm seeing any attempts at all.
Have a go. Try logging in at www.katsura.uk/wp-admin and you should see
the authentication screen from my .htaccess file.
So my thoughts are, 1. There's another way in, or 2. This might be
WordPress itself, via one of its cron jobs running something periodically.
Either way I'm puzzled. Puzzled I tell ya.
Any thoughts?
Dougie
Anonymous user from 46.235.225.0 7:55 pm (less than a minute ago)
Failed to login with username "dougie" (incorrect password entered) warning
Showing 34 more
Anonymous user from 93.93.129.0 7:36 pm (19 minutes ago)
Failed to login with username "dougie" (incorrect password entered)
warning
Anonymous user from 46.235.225.0 6:58 pm (about an hour ago)
Failed to login with username "dougie" (incorrect password entered)
warning
Anonymous user from 46.235.225.0 6:40 pm (about an hour ago)
Failed to login with username "dougie" (incorrect password entered)
warning
Anonymous user from 46.235.225.0 6:22 pm (about 2 hours ago)
Failed to login with username "dougie" (incorrect password entered)
warning
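An added example for the question above (editor's code, not part of Dougie's post and not WordPress or Mythic Beasts code): WordPress accepts credentials at /wp-login.php in the site root as well as at /xmlrpc.php, and neither path lives under wp-admin, so one way to see what HTTP auth on that directory does and does not cover is to classify POSTs in the web server's access log by endpoint, reading the real client from X-Forwarded-For because the site sits behind a proxy. The log lines are constructed: the remote address is the proxy address that appears in the post, the forwarded client addresses are RFC 5737 documentation ranges, and the LogFormat with X-Forwarded-For as a trailing quoted field is an assumption.

```python
import re
from collections import Counter

# Constructed Apache "combined" access-log lines with the X-Forwarded-For value
# appended as an extra quoted field (assumed proxy-aware LogFormat). Client
# addresses are RFC 5737 documentation ranges, not real visitors.
SAMPLE_LOG = """\
46.235.225.0 - - [21/Mar/2020:19:55:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 431 "-" "Mozilla/5.0" "203.0.113.7"
46.235.225.0 - - [21/Mar/2020:19:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "203.0.113.7"
46.235.225.0 - - [21/Mar/2020:19:56:10 +0000] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "curl/7.64.0" "198.51.100.4"
46.235.225.0 - - [21/Mar/2020:20:02:00 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 5120 "-" "python-requests/2.22" "192.0.2.9"
93.93.129.0 - - [21/Mar/2020:20:03:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 431 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<proxy>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"(?: "(?P<xff>[^"]*)")?$'
)

# Places WordPress accepts credentials; neither is under /wp-admin/, so HTTP
# auth on that directory alone does not gate them.
LOGIN_ENDPOINTS = {"/wp-login.php": "wp-login", "/xmlrpc.php": "xmlrpc"}


def parse_line(line):
    """Parse one log line; return a dict with the real client filled in, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    xff = rec.get("xff")
    # Behind a proxy the remote address is the proxy; the client is the first
    # hop in X-Forwarded-For when the proxy supplied one, else all we have.
    rec["client"] = xff.split(",")[0].strip() if xff and xff != "-" else rec["proxy"]
    return rec


def login_attempts(log_text):
    """Count POSTs to login endpoints, keyed by (client address, endpoint name)."""
    attempts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if rec["method"] == "POST" and path in LOGIN_ENDPOINTS:
            attempts[(rec["client"], LOGIN_ENDPOINTS[path])] += 1
    return attempts
```

Run against the real access log, the (client, endpoint) counts show which of the two root-level endpoints the occasional attempts are using, which is something the Simple History entries above cannot tell you.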