I run a multi-user site and for the past week or two I have been getting daily notices that someone is getting locked out due to failed login attempts for user “admin” via the Limit Login Attempts plugin.
There is no user account for “admin” and I assume this is an attack in an attempt to gain access to the wp-admin section of the site.
I’m assuming if there is no “admin” user, then these attempts will never be successful.
Am I safe to disregard these notices since there is no user named “admin” or are there other measures I can take to safeguard my site from being accessed maliciously?
The attempts have been from a few different IP addresses so blocking the IP would only temporarily deter the behavior. Limiting the wp-admin to only specific IP addresses is not realistic due to the number of users that log in from different places.
Yes, you can safely ignore it, especially if your site has no “admin” user. The brute-force attack will never accomplish anything. I also use Limit Login Attempts – mainly for this very purpose. It lets me know when manual brute-force attempts are being made on my back-end login. (Last time I bothered to WHOIS the IP, the attack was coming from Russia, FWIW.)
Short of blocking the IP address, there is little you can do to prevent brute-force attempts. If they get to be bothersome, just increase the lockout duration.
It might be worth looking at Fail2Ban if you want to prevent people attempting other naughty things on your server, but I’ve just found a reference to this plugin that I’m about to investigate myself:
http://wordpress.org/extend/plugins/mute-screamer/
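What Fail2Ban (and Limit Login Attempts) actually do here is count failed logins per source IP inside a time window and ban the IP for a while once a threshold is hit. The script below is an added illustration of that logic, not code from the answers above or from either tool; the log line format, the threshold values and the IP addresses in the sample log are all assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumption, not from the original post). Each failed
# WordPress login is assumed to be written as one syslog-style line naming the
# attempted user and the source IP; one unrelated sshd line is mixed in.
SAMPLE_LOG = """\
2013-04-12T10:00:01 wordpress: authentication failure for user "admin" from 203.0.113.5
2013-04-12T10:00:02 sshd[123]: Accepted publickey for deploy from 10.0.0.1
2013-04-12T10:00:03 wordpress: authentication failure for user "admin" from 203.0.113.5
2013-04-12T10:00:04 wordpress: authentication failure for user "admin" from 203.0.113.5
2013-04-12T10:00:06 wordpress: authentication failure for user "admin" from 203.0.113.5
2013-04-12T10:00:08 wordpress: authentication failure for user "admin" from 203.0.113.5
2013-04-12T10:00:09 wordpress: authentication failure for user "editor" from 198.51.100.7
2013-04-12T10:05:00 wordpress: authentication failure for user "admin" from 192.0.2.9
2013-04-12T10:30:00 wordpress: authentication failure for user "admin" from 198.51.100.7
2013-04-12T10:30:05 wordpress: authentication failure for user "admin" from 198.51.100.7
2013-04-12T10:30:10 wordpress: authentication failure for user "admin" from 198.51.100.7
2013-04-12T10:30:15 wordpress: authentication failure for user "admin" from 198.51.100.7
2013-04-12T11:00:00 wordpress: authentication failure for user "admin" from 192.0.2.9
"""

# Assumed line format; a real Fail2Ban filter would carry an equivalent regex.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) wordpress: authentication failure for user "(?P<user>[^"]*)" from (?P<ip>\S+)$'
)


def parse_failures(log_text):
    """Return (timestamp, username, ip) for every failed-login line, skipping others."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line (e.g. sshd)
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def attempted_users(events):
    """Map each source IP to the set of usernames it tried; shows whether it is just 'admin'."""
    users = defaultdict(set)
    for _, user, ip in events:
        users[ip].add(user)
    return dict(users)


def find_bans(events, maxretry=4, findtime=timedelta(minutes=10), bantime=timedelta(hours=1)):
    """Fail2Ban-style counter: ban an IP when it makes maxretry failures within findtime.

    Keyed by IP, not by username: the attacked account ("admin") need not exist,
    so a per-user lockout would never trigger. Returns {ip: ban_expiry}.
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    banned_until = {}
    for ts, _user, ip in sorted(events):
        expiry = banned_until.get(ip)
        if expiry is not None and ts < expiry:
            continue  # attempt during an active ban: it would be dropped at the firewall
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            window.clear()
    return banned_until


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    for ip, users in attempted_users(events).items():
        print(f"{ip} tried users: {sorted(users)}")
    for ip, until in find_bans(events).items():
        print(f"ban {ip} until {until.isoformat()}")
```

With the assumed settings, 203.0.113.5 is banned after its fourth failure at 10:00:06 and its fifth attempt is ignored; 198.51.100.7 is banned at 10:30:15 because its earlier "editor" failure has aged out of the 10-minute window by then; 192.0.2.9 spaces its two attempts an hour apart and is never banned. That last case is the limit of any per-IP threshold, and why a slow attack spread across several addresses, like the one described in the question, shows up as notices rather than bans: the counter only ever sees a handful of failures per IP inside findtime.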
Captcha verification and temporary IP blocking will provide extra security for our WordPress site. These two features are provided by the following plugin: http://wordpress.org/plugins/wp-limit-login-attempts