Join the community today
Register Now

http authentication for WP Login

Discussion in 'Blogs & CMS usage' started by Matt Williams, Dec 15, 2015.

  1. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    11:40 AM
    latest
    10
    Not sure if this is the correct area to place this. If not, feel free to move it to where it should be :=)

    Is there a way to track failed login attempts from the http authentication for WP login? Does this capture the IP and failed usernames/passwords and put somewhere?
     
  2. eva2000

    eva2000 Administrator Staff Member

    29,027
    6,588
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,780
    Local Time:
    1:40 AM
    Nginx 1.13.x
    MariaDB 5.5
    check the nginx access and error logs for wp-login.php requests with 401 statuses as well as entries like
    Code:
    no user/password was provided for basic authentication.
    user .* was not found in.
    user .* password mismatch.
    where .* would of been USERNAME matches
     
  3. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    11:40 AM
    latest
    10
    How would I search for that because:
    shows nothing and so does error log..
     
  4. eva2000

    eva2000 Administrator Staff Member

    29,027
    6,588
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,780
    Local Time:
    1:40 AM
    Nginx 1.13.x
    MariaDB 5.5
    use grep or egrep on choice keywords to the access.log or error.log
     
  5. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    11:40 AM
    latest
    10
    can you give me an example maybe? Someone is accessing my clients WP login without the site owners authorization so I'm trying to figure out how - All messages I send to clients that are password sensitive are sent through Sendinc so I know it's not coming from any messages from WHMCS to the client.
     
  6. eva2000

    eva2000 Administrator Staff Member

    29,027
    6,588
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,780
    Local Time:
    1:40 AM
    Nginx 1.13.x
    MariaDB 5.5
    for status code grep/awk see centminmod.com/nginx.html#accesslog

    and these
    Code:
    grep user /usr/local/nginx/logs/access.log
    grep 'basic authentication' /usr/local/nginx/logs/access.log
    grep password /usr/local/nginx/logs/access.log
    grep 'wp-login.php' /usr/local/nginx/logs/access.log
    grep 'mismatch' /usr/local/nginx/logs/access.log
    
    you should read up on using grep, egrep and awk commands

    any person working with servers in SSH should learn these :)
    There's still plenty of ways for data to be intercepted beyond the email stage, i.e. insecure home or work wifi or public wifi on either or both your end or the clients.

    All my home (thus work) mobile and tablet wifi is over encrypted secure private OpenVPN or L2TP IPSEC based VPN servers and my main work PC has no wifi and only wired connection.

    Also possibility of WP plugin or malware infection at server or database level, of which http basic authentication won't have any usefulness in preventing intruder access.
     
    • Agree Agree x 1
  7. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    11:40 AM
    latest
    10
    Your right, I should lol!

    The logs using the command lines given show nothing. I've scanned the entire site for malware, it's clean including the database.

    I installed the rename wp login plugin. Client didn't want to go down the avenue of allowing only certain IP's via the site.com.conf file. I've blocked the ones that did get through with CSF It's only 2 or 3 failed login attempts using registered usernames but both parties that own that account say they didn't try and login during those times that was captured via Sucuri Plugin.