My sites are getting constant authorization login attempts regardless of login

[securityisimportant]

Regardless of Login URL obfuscation with Hide my WP and using Google recaptcha for login…
somehow I’m getting regular login attempts from many different IP address which I’ve tracked down to all different countries and providers.
I need to make this stop.
Hide MY WP recently prevented (I hope) an attempt to trick a wordpress plugin to reveal wp-config.php details which would do some real damage.
Luckily I didn’t have that plugin installed, it was a
I’m using digitalocean with 1 click install of wordpress on Ubuntu and have created SSH only server access with private key and disabled root login and login and SSH has a passphrase.. I also followed a number of standard DigitalOcean tutorials to harden the droplet and wordpress. WordPress is multisite.
I do not have any community based websites on my multisite, it’s all person where only comments possible is with Disqus.
I’m also behind cloudflare and using certbot to have Https from droplet to cloudflare.
So in otherwords,
I don’t need anyone to have access to login except me.
I can’t lock down IP because if I’m out of town I need to be able to access my sites,
if I use a tunnel proxy I’ll increase my costs and I’ve no idea how to do that with an additional droplet yet anyway.
What are my options?
Thank you

Also.. is there anyway to absolutely protect wp-config.php from ever being read by an attack vector?
The only plugin which accesses wp-config in my build, AFAIK, is an Amazon S3 plugin.

[securityisimportant]

I also have cloudflare in “I’m under attack” mode on all my sites.
And the droplet IP address is the “root” site for the network so doesn’t benefit from cloudflare protections.
I would like to protect the root site completely.. and then block any and all access to any wordpress login method that these hackers use. SO that only I can login.

[securityisimportant]

Yet I’m still getting login attempts every few minutes to every minute with checking service apache2 status

[securityisimportant]

And to make matters worse,
there’s an automatic redirect to the “hidden” URL to login when going to ANY wordpress admin panel link such as
https://funwithnerds.com/wp-admin/

[Suman M.]

Hi, HMWP simply changes default login URLs so that it’s not accessible. Can you please let us know via which login URls or source your are getting login attempts? Also make sure that the theme and plugins you are using are safe.

Also, I tried to access https://funwithnerds.com/wp-admin/ and https://funwithnerds.com/wp-login.php and they return 404 not found page.

[securityisimportant]

Yea I just found that option in your plugin to disable access for non-logged in users. That seems to have made a big difference in the login attempts

[securityisimportant]

However, I am still getting these
IP: 74.208.183.74 (74.208.183.74)
User ID:
Date: 2017-11-22T16:02:55+00:00
Total Impact: 30
Affected tags: dt id lfi

Affected parameters: REQUEST.img=..%2Fwp-config.php, GET.img=..%2Fwp-config.php,

Request URI: /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

Any suggestions on how to harden against these kind of attack vectors?
Thank you

[Suman M.]

This seems like an intrusion (possible hack attempt).

HMWP IDS detects malicious requests coming to your site and notify you about it. But all these requests might not be harmful and you need not worry as HMWP IDS will take care of this and will block the malicious requests if Impact level is more than 20 (default value specified in HMWP IDS). You can stop receiving emails regarding this by setting “Notification Threshold” option to 0 in IDS Firewall tab.

Note: If in case, valid request is also listed as intrusion then hover over that request name and click on Exclude link to add it to exception list.

[Author]

Posts