• Resolved andersce

    (@andersce)


    First thank you for a well thought out security plugin.

    My suggestion is to add a digest version of the failed login email alert. I’ve encountered a failed login issue that makes me want to see all the failed attempts, but getting five emails every hour clogs up my inbox.

    It would be cool if there was an option that would send one email every day with all of the failed login attempts for that day.

    That would make it much simpler to keep track of exactly what is going on with the login attempts.

    Thanks

    Chris

    https://ww.wp.xz.cn/plugins/sucuri-scanner/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Yes that is a good idea, we already have something similar implemented in the plugin. From the “Alert Settings” panel located in the plugin’s settings page you can find an option named “Receive email alerts for password guessing brute force attacks”, enable that option and disable the one named “Receive email alerts for failed login attempts”. This change will force the plugin to accumulate the information of each failed login per hour and send it in a single email report as you are suggesting.

    However, this only works if your site is receiving more than thirty failed logins per hour (or the quantity that you have configured from the general settings panel), if your site is not under a password guessing attack then the plugin will not send any report.

    I will add that option that you suggest, to collect all the failed login attempts per day no matter if the site is under a password guessing attack.
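The two behaviours described in this reply, the existing per-hour report that only fires above a threshold and the requested per-day digest that always fires, as an added illustration that is not the plugin's own code. The event list is constructed here (35 failures for "admin" from one client inside one hour, plus a few scattered later); the `threshold` default of 30 mirrors the figure mentioned in the reply, and the function names are my own:

```python
"""Aggregate failed-login events into hourly brute-force reports and a daily digest."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed sample data, not real plugin output: (timestamp, username, client IP)."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    # 35 failures 40 seconds apart, all inside the 10:00 hour, from one client.
    events = [(base + timedelta(seconds=40 * i), "admin", "203.0.113.5") for i in range(35)]
    # A few more failures spread over other hours and across midnight.
    events += [
        (datetime(2024, 5, 1, 11, 15, 0), "admin", "198.51.100.7"),
        (datetime(2024, 5, 1, 11, 15, 1), "editor", "198.51.100.7"),
        (datetime(2024, 5, 1, 23, 59, 59), "admin", "192.0.2.33"),
        (datetime(2024, 5, 2, 0, 0, 5), "admin", "192.0.2.33"),
    ]
    return events


def hourly_reports(events, threshold=30):
    """Per-hour brute-force style report: an hour is reported only when it holds
    more than `threshold` failed logins. Returns {hour_start: Counter(ip -> count)}."""
    per_hour = defaultdict(Counter)
    for ts, _user, ip in events:
        per_hour[ts.replace(minute=0, second=0, microsecond=0)][ip] += 1
    return {hour: ips for hour, ips in per_hour.items() if sum(ips.values()) > threshold}


def daily_digest(events):
    """The suggested feature: one summary per calendar day, with no threshold,
    so a low-and-slow attempt against a single account is still visible."""
    per_day = defaultdict(lambda: {"total": 0, "by_user": Counter(), "by_ip": Counter()})
    for ts, user, ip in events:
        day = per_day[ts.date()]
        day["total"] += 1
        day["by_user"][user] += 1
        day["by_ip"][ip] += 1
    return dict(per_day)


def render_digest(digest):
    """Plain-text body for the once-a-day email."""
    lines = []
    for day in sorted(digest):
        entry = digest[day]
        lines.append(f"{day}: {entry['total']} failed logins")
        for user, n in entry["by_user"].most_common():
            lines.append(f"  user {user!r}: {n}")
        for ip, n in entry["by_ip"].most_common():
            lines.append(f"  from {ip}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    sample = build_sample_events()
    hours = hourly_reports(sample)
    print("Hours over threshold:", {h.isoformat(): dict(c) for h, c in hours.items()})
    print(render_digest(daily_digest(sample)))
```

With this data only the 10:00 hour crosses the threshold, so the hourly report says nothing about the two attempts at 11:15 or the ones around midnight; the daily digest lists all of them, which is the gap the original suggestion is about.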

    Thread Starter andersce

    (@andersce)

    Yorman,

    Thanks for your quick reply and yes I switched to the brute force alert when I started getting 80 to 100 emails everyday from my site.

    The reason I’m interested in a digest summary of the failed logins is because the second brute force alert email I received showed that the failed login attempts were made using my un-guessable admin username for that site.

    How the hackers were able to get that username is beyond me, but I obviously need to closely monitor login attempts while I’m working to increase my security procedures.

    If you have any ideas how my admin username could have been compromised by the bad guys I’m all ears.

    So I really appreciate your willingness to improve your excellent tool based on customer feedback.

    Thanks

    Chris

    Ah yes, they do not need to guess, WordPress has a kind of bug/feature that allows anyone to know the username of any account registered in the website, you just need to create a bot that sends requests to a URL like this [1] where the “NUMBER” is the identifier associated to an entry in the database’s users table.

    For instance, if you have created five user accounts in consecutive order (and have not deleted one so far) it will be possible to enumerate all these five usernames by accessing the URL shown below five times, each time changing the number from one to five.

    There are other more elaborate techniques to accomplish the same result, but this is the most used method to enumerate users in WordPress. Both Metasploit [2] and NMap [3] among other software have plugins to do this so the bug/feature is very common among the security scene.

    Some WordPress plugin developers think they found a solution for this [4] so you may try to install one of these plugins and see if it helps to reduce the risk, but I personally would just install a full-featured firewall [5] and leave the security of my site in the hands of the professionals.

    [1] http://example.com/?author=NUMBER
    [2] https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_login_enum
    [3] https://nmap.org/nsedoc/scripts/http-wordpress-enum.html
    [4] https://ww.wp.xz.cn/plugins/search.php?q=enumerate
    [5] https://sucuri.net/website-firewall/
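From the monitoring side, the enumeration described above leaves a recognisable trace in the web server access log: one client walking `?author=1`, `?author=2`, ... in quick succession. The following is an added detection example, not code from the plugin or from any of the tools linked above. The log lines are constructed in combined log format, the 301 check relies on the stock WordPress behaviour of redirecting a numeric `?author=N` to the `/author/<login>/` archive (the response that discloses the login name), and the `min_ids` threshold and function names are my own choices:

```python
"""Detect WordPress author-ID enumeration (?author=N) in web server access logs."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic).
# One client probes IDs 1..5; another follows a single author link normally.
SAMPLE_LOG = """\
203.0.113.5 - - [01/May/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.5 - - [01/May/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.5 - - [01/May/2024:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.5 - - [01/May/2024:10:00:04 +0000] "GET /?author=4 HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.5 - - [01/May/2024:10:00:05 +0000] "GET /?author=5 HTTP/1.1" 301 0 "-" "curl/8.0"
198.51.100.7 - - [01/May/2024:10:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2024:10:02:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line (method + path) and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_author_probes(log_text):
    """Return {ip: [(author_id, status), ...]} for requests carrying ?author=<integer>."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        values = parse_qs(urlsplit(m["path"]).query).get("author")
        if not values or not values[0].isdigit():
            continue
        probes[m["ip"]].append((int(values[0]), int(m["status"])))
    return probes


def flag_enumeration(probes, min_ids=3):
    """Flag clients that requested at least `min_ids` distinct author IDs.
    IDs answered with a redirect are listed as 'disclosed': the Location of that
    redirect is the /author/<login>/ archive, i.e. the username has been revealed."""
    findings = {}
    for ip, hits in probes.items():
        ids = {author_id for author_id, _ in hits}
        if len(ids) >= min_ids:
            disclosed = sorted({author_id for author_id, status in hits if status in (301, 302)})
            findings[ip] = {"probed": sorted(ids), "disclosed": disclosed}
    return findings


if __name__ == "__main__":
    for ip, info in flag_enumeration(parse_author_probes(SAMPLE_LOG)).items():
        print(f"{ip}: probed author IDs {info['probed']}, usernames disclosed for {info['disclosed']}")
```

In the sample, `203.0.113.5` is flagged with IDs 1 through 5 probed and logins disclosed for 1, 2, 3 and 5 (ID 4 returned 404, consistent with a deleted account), while `198.51.100.7` stays below the threshold. Requests that already carry the rewritten `/author/<login>/` form are not counted here; the point of the check is the numeric probe, which a firewall rule or plugin can answer with a 404 instead of the disclosing redirect.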


The topic ‘Option suggestion’ is closed to new replies.