
http authentication for WP Login

Discussion in 'Blogs & CMS usage' started by Matt Williams, Dec 15, 2015.

  1. Matt Williams

    Matt Williams WordPress Fanatic

    Not sure if this is the correct area to place this. If not, feel free to move it to where it should be :=)


    Is there a way to track failed login attempts from the http authentication for WP login? Does this capture the IP and failed usernames/passwords and put them somewhere?
     
  2. eva2000

    eva2000 Administrator Staff Member

    check the nginx access and error logs for wp-login.php requests with 401 statuses as well as entries like
    Code:
    no user/password was provided for basic authentication.
    user .* was not found in.
    user .* password mismatch.
    where .* would have been USERNAME matches
     
  3. Matt Williams

    How would I search for that because:
    shows nothing and so does error log..
     
  4. eva2000

    use grep or egrep on choice keywords to the access.log or error.log
     
  5. Matt Williams

    Can you give me an example maybe? Someone is accessing my client's WP login without the site owner's authorization so I'm trying to figure out how - All messages I send to clients that are password sensitive are sent through Sendinc so I know it's not coming from any messages from WHMCS to the client.
     
  6. eva2000

    for status code grep/awk see centminmod.com/nginx.html#accesslog

    and these
    Code:
    grep user /usr/local/nginx/logs/access.log
    grep 'basic authentication' /usr/local/nginx/logs/access.log
    grep password /usr/local/nginx/logs/access.log
    grep 'wp-login.php' /usr/local/nginx/logs/access.log
    grep 'mismatch' /usr/local/nginx/logs/access.log
    
    you should read up on using grep, egrep and awk commands

    any person working with servers in SSH should learn these :)
    There are still plenty of ways for data to be intercepted beyond the email stage, i.e. insecure home or work wifi or public wifi on either or both your end or the client's.

    All my home (thus work) mobile and tablet wifi is over encrypted secure private OpenVPN or L2TP IPSEC based VPN servers and my main work PC has no wifi and only wired connection.

    Also possibility of WP plugin or malware infection at server or database level, of which http basic authentication won't have any usefulness in preventing intruder access.
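
The searches described in the replies above, written out against both logs as an added example that is not part of the original thread: nginx writes the basic authentication failure messages to its error log, while the 401 status for wp-login.php appears in the access log. The function names, sample IPs, usernames and htpasswd path are constructed, and the access log is assumed to use the combined format.

```bash
#!/bin/sh
# Added example: sample log lines below are constructed, not taken from the thread.

# Failed basic-auth attempts from an nginx error log, as "count ip user reason".
# "no user/password was provided" lines carry no username and are skipped here.
basic_auth_failures() {
  grep -E 'was not found in|password mismatch' "$1" |
    awk '{
      user = "-"; ip = "-"; reason = "password_mismatch"
      if (match($0, /user "[^"]*"/))  user = substr($0, RSTART + 6, RLENGTH - 7)
      if (match($0, /client: [^,]+/)) ip = substr($0, RSTART + 8, RLENGTH - 8)
      if ($0 ~ /was not found in/)    reason = "unknown_user"
      print ip, user, reason
    }' | sort | uniq -c | sort -rn
}

# 401 responses for wp-login.php from an access log, as "count ip supplied_user".
# Assumes the combined log format: $1 = client IP, $3 = user, $7 = URI, $9 = status.
wp_login_401s() {
  awk '$9 == 401 && $7 ~ /wp-login\.php/ { print $1, $3 }' "$1" |
    sort | uniq -c | sort -rn
}

# Constructed sample logs so both functions can be tried offline.
sample_dir=$(mktemp -d)
cat > "$sample_dir/error.log" <<'EOF'
2015/12/15 10:12:01 [error] 1234#0: *56 user "admin" was not found in "/usr/local/nginx/conf/htpasswd_example", client: 203.0.113.7, server: example.com, request: "POST /wp-login.php HTTP/1.1", host: "example.com"
2015/12/15 10:12:03 [error] 1234#0: *57 user "admin" was not found in "/usr/local/nginx/conf/htpasswd_example", client: 203.0.113.7, server: example.com, request: "POST /wp-login.php HTTP/1.1", host: "example.com"
2015/12/15 10:12:09 [error] 1234#0: *58 user "matt": password mismatch, client: 198.51.100.9, server: example.com, request: "GET /wp-login.php HTTP/1.1", host: "example.com"
2015/12/15 10:13:00 [error] 1234#0: *60 open() "/usr/local/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.44, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com"
EOF
cat > "$sample_dir/access.log" <<'EOF'
203.0.113.7 - admin [15/Dec/2015:10:12:01 +0000] "POST /wp-login.php HTTP/1.1" 401 188 "-" "Mozilla/5.0"
203.0.113.7 - admin [15/Dec/2015:10:12:03 +0000] "POST /wp-login.php HTTP/1.1" 401 188 "-" "Mozilla/5.0"
198.51.100.9 - matt [15/Dec/2015:10:12:09 +0000] "GET /wp-login.php HTTP/1.1" 401 188 "-" "Mozilla/5.0"
192.0.2.44 - owner [15/Dec/2015:10:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2710 "-" "Mozilla/5.0"
EOF

basic_auth_failures "$sample_dir/error.log"
wp_login_401s "$sample_dir/access.log"
```

Pass the real log paths in place of the sample files; a site with its own per-domain log files needs those paths instead of the server-wide ones.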
     
  7. Matt Williams

    You're right, I should lol!

    The logs using the command lines given show nothing. I've scanned the entire site for malware, it's clean including the database.

    I installed the rename wp login plugin. Client didn't want to go down the avenue of allowing only certain IPs via the site.com.conf file. I've blocked the ones that did get through with CSF. It's only 2 or 3 failed login attempts using registered usernames, but both parties that own that account say they didn't try to log in during those times that were captured via Sucuri Plugin.