• Hi,
    Our website has been receiving Brute Attacks and they will not stop.
    It’s been more than a month now and the attacks will not stop. We have changed the login URL, we are using Captcha, and we’ve put a limit on failed login attempts. We even put the site into maintenance mode to see if the attacks would stop, but nothing changed. The only thing we have managed is to block whoever is trying for a few days through the free version of the Wordfence plugin, but once the block period is over the attacks are back. The weird thing about this is that the website was not even ready or published to gain any attention, as we were still constructing it when the attacks started. In any case, how can we stop these attacks? And is there a way to find out who’s behind them?
    Thank you!


Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    You can track the IP addresses, but they’ll change over time. If you can access a way to block IP addresses via cPanel, do it there rather than inside Wordfence, as that stops the requests from ever reaching WordPress.

    Thread Starter maria.constance

    (@mariaconstance)

    Hi,
    Thanks for the response! But whoever is attacking our site must be using fake IP addresses, because even though each attack shows a different IP, the user is blocked! For example, the IP might show that the user is from the UK and gets blocked for 2 days, and for those 2 days nothing happens. On the 3rd day we get attacked again, but from a “different” IP, which also gets blocked for 2 days, and the same story goes again and again, each time from a different IP, but each time it gets us 48 hours free from attacks! Is there a way to find the real IP address of the attacker? And how do they manage to find our login URL or usernames, which we constantly change? Thanks

    Moderator bcworkz

    (@bcworkz)

    The IPs are real, the HTTP (underlying TCP actually) protocol requires it. However, the real IP may be that of a proxy or load balancer. There’s no reliable way to learn the actual machine’s IP that’s behind a proxy. There are a couple of defined ways, but they can be easily spoofed.

    Brute force attacks commonly come from a “bot army”, a large group of hijacked computers with central command and control. Thus you get coordinated attacks from a wide range of IP addresses. You’ve already limited login attempts. You can permanently block problem IPs like Steven mentioned. Sadly, such attacks are a fact of having a web presence. Your best action is to diminish their effectiveness with good security measures, including good strong passwords.

    The only reliable way to completely prevent such attacks is to not have a web presence at all. I’m afraid attacks come with the territory.

    Thread Starter maria.constance

    (@mariaconstance)

    Hi,
    They should be proxies. About who is behind the attacks, I might have an idea. As I said, the website is new and it hasn’t been launched yet. A couple of months ago someone used music that we own illegally and we took it down. After that he contacted us to apologise and asked if we had our own websites. Upon reply, we mentioned the new site, and a couple of days after that the attacks started. The timeline of the attacks matches his whereabouts. So he might be behind all this. What really troubles me, though, is how they find the login URL and the admin username, since we have changed them a few times until now. We are also using reCAPTCHA. Thank you so much for the reply!

    Moderator bcworkz

    (@bcworkz)

    Suspicion and proof are very different things. If you have actual proof, there may be some legal recourse. You would then need real legal advice, which is not available here. But I’m sorry you’re being harassed. Harassment is a terrible thing.

    Double check that any log files are above any public folders and thus inaccessible from outside. WP can conceivably leak usernames (theme dependent); they are not considered sensitive information. If the account is protected with a good strong password, knowing the username offers little advantage. I recommend using a less privileged account for day-to-day activities like writing blog posts. Only use the admin account when necessary to do admin things like installing plugins or similar.

    You’ve already taken reasonable security measures. You might review https://ww.wp.xz.cn/support/article/hardening-wordpress/ for some other possible security measures you could implement.
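
The following added example (not code from any participant in this thread) tallies login POSTs per source IP in a web-server access log, shows which sources stay under a per-IP attempt limit, as in the distributed pattern bcworkz describes, and renders deny rules for the server-level blocking Steven suggests. It assumes the combined access-log format, Apache 2.4, and the default `/wp-login.php` path (pass a renamed login URL via `login_paths`); the function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# Combined access-log line: client IP, timestamp, request line, status (assumed format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def login_posts_by_ip(lines, login_paths=("/wp-login.php",)):
    """Count POSTs to the login endpoint per client IP; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] in login_paths:
            counts[m["ip"]] += 1
    return counts

def summarize(counts, per_ip_limit=5):
    """Separate sources a per-IP attempt limit would catch from those it would not."""
    return {
        "total_attempts": sum(counts.values()),
        "sources": len(counts),
        "over_limit": sorted(ip for ip, n in counts.items() if n >= per_ip_limit),
        "under_limit": sorted(ip for ip, n in counts.items() if n < per_ip_limit),
    }

def htaccess_block(ips):
    """Apache 2.4 rules; the web server refuses these clients before WordPress runs."""
    rules = "\n".join(f"    Require not ip {ip}" for ip in ips)
    return f"<RequireAll>\n    Require all granted\n{rules}\n</RequireAll>"

def _line(ip, method, path, status):
    return f'{ip} - - [10/Mar/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample log using documentation IP ranges, not real traffic.
SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 6
    + [_line(f"198.51.100.{i}", "POST", "/wp-login.php", 200) for i in (11, 12, 13) for _ in range(2)]
    + [_line("192.0.2.10", "GET", "/", 200), "garbled line"]
)

if __name__ == "__main__":
    report = summarize(login_posts_by_ip(SAMPLE_LOG))
    print(report)
    print(htaccess_block(report["over_limit"]))
```

In the sample, half of the attempts come from sources that never reach the per-IP limit, which is why strong passwords and a low-privilege daily account matter more than chasing individual addresses.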


The topic ‘Brute Attacks Issue’ is closed to new replies.