I have a Wordpress site that has very recently getting a lot of login attempts. Woke up with over 100 alerts, and they are still coming in. I changed the login url to something obscure, but I am still getting alerts of users trying to login, they are using different usernames each time. And different IP addresses. I have never had this number of attempts on any of my Wordpress websites. Any ideas how I can stop them from even being able to try and login? I thought hiding the login url would have worked.
Related
Whenever I open my website admin https://www.examplesite.com/wp-admin
it is redirecting to homepage.
Edit: This answer was using the original URL as given by OP, and later edited/removed by David.
It works fine for me - presenting the admin login screen as expected, so maybe too many bad logins from your IP / address and it's therefore redirecting you.
Try logging in from a friends computer or via Tor Browser and then reset the list of banned IPs?
Or if you have access to the database (and knowledge thereof) you can clear the table of bad login attempts to re-enable your usual access.
I cannot login to 2 of my WordPress sites (running on the same subdomain). After login I didn't get a message that my credentials are incorrect, but the page reloads and I'm back to the loginpage.
Password rest link doesn't work, he says 'invalid key'. Key = domain.com/wp-login.php?action=rp&key=k5ZhuvbXgAofh0Yql8VK&login=username
Password reset via database doesn't work too. Changed the password to the value given by http://www.passwordtool.hu/wordpress-password-hash-generator-v3-v4 (testtest), but I'm not able to login with the new username/password (still the same result: no error message)
I didn't changed anything to those website the last 2/3 weeks. Maybe an automatically update has changed something. Site urls are correct.
One site is running WP Limit Login Attempts (https://nl.wordpress.org/plugins/wp-limit-login-attempts/) which allows me to try 4 times before I been blocked for 30 minutes.
Deleted all cookies but no result. Has anybody an solution?
Solution found. It was/is a problem with my Internet Service Provider, which filters the internet (paid service, special for kids).
The filter is now off, and I can login to my sites.
I used the Feeds module to import users on my application, along with a field for the email address (which was unique) and a password. The user data was imported successfully for all users. However, when I try to login through an imported user's login credentials, I encounter the following error:
Server redirected you too many times.
ERR_TOO_MANY_REDIRECTS
I tried logging in from different browsers but that's didn't seem to resolve the issue either. What seems to be wrong here?
PS: I have tried clearing caches and deleting my browser's cookies as well, but that didn't resolve the issue.
I'm using SocialLogin plugin for WordPress which relies on HybridAuth for authentication. However, when I try to login with Google, I get "User profile request failed. Most likely the user is not connected to the provider and he should to authenticate again." error. I've tried Googling the solution, unsuccessfully.
Also, when I try to login with StackOverflow or Yahoo! I get Unspecified error!
I came across this issue also ...
Your question is more than an year old but here you go the solution:
Go to https://console.developers.google.com/ and activate Google+ API access.
That worked out for me!
It generally occurs to me in two conditions.
Session lost when you use for example back button or directly visiting the page instead of visiting via link.
Some times you need to clear your cache, logout and login to site but clean logout
generally fix.
I also want you to know that Hybrid Auth is a dead project.
I have a WordPress site. Like with many WordPress sites I see people (probably robots) trying their luck at the login page every once in a while. However, for the past 2 weeks it’s been non-stop at a rate of 400-500 tries a day…
So I went ahead and took the following security measures:
Changed the login URL to something different than the regular /wp-admin.
Limit the number of login attempts per URL and also automatically block any IP trying to login with an invalid username such as “test” or “admin”.
Set up two factor authentication to make sure that even though they tried they would not manage to get in, even if they guessed the username and password.
However that didn’t seem to do much and I’m still seeing a huge number of login attempts, so next thing I did was:
Password protect the login URL itself.
And still I’m seeing the same number of login attempts… now my questions are basically 2:
How are they managing to still try their luck at the login form even if that page is password protected?
Is there anything else I can do about it?
Cloudflare offers a free entry level plan that may help reduce some of this traffic before it gets to your site. Also, their $20/month plan (as of Aug 2017) can be paired with their WordPress plugin to use their built-in WordPress rulesets. CloudFlare also has a few more settings to allow you to put a few more filters and road blocks in front of specific types of traffic.
If you do choose to use CloudFlare with WordPress, be sure you understand exactly how/if you are choosing to push content into the CloudFlare CDN (content delivery network) and how that relates to the content cache on your site.
Standard disclaimer: I have no relationship with CloudFlare except as a customer.