Do all hosts block WordPress login because of blacklisted IP

Discussion in 'IT & Internet' started by UKSBD, Aug 7, 2020.

  1. UKSBD

    UKSBD Not a real duck Staff Member

    Whenever I try to log in to some of my WordPress sites, after just 1 login attempt my IP gets blocked from the whole server.

    My host says it is because my IP (a non static BT one) is blacklisted

    csf.deny: 165.120.174.157 # lfd: (wpSpamLogin) Wordpress login by spam host from 165.120.174.157 (GB/United Kingdom/host165-120-174-157.range165-120.btcentralplus.com): 1 in the last 3600 secs

    Checking here - https://mxtoolbox.com/SuperTool.aspx?action=blacklist:165.120.174.173&newAppVersion=1

    My current IP is blacklisted at just one place.

    They say they are setting up plugins so we use a different login address, but I've used this before and it caused problems, other times I forget which sites are using it, try my usual login and bam blocked again.

    Are all hosts this strict?
    If I forget, go to /wp-admin/ and try to login, I'm automatically blocked from whole server which is a right pain
     
    Posted: Aug 7, 2020 By: UKSBD Member since: Dec 30, 2005
    #1
  2. ServWise

    ServWise UKBF Ace Full Member

    No, we aren't. Having said that we do have protections in place for brute force attacks but you would have to fail logins quite a bit for those to kick in.

    What happens at a lot of hosts is they count the number of accesses to the wp-login.php which isn't necessarily a login attempt and they will use like 5 as an access count before blocking which is far too harsh as you might pass that number of accesses quite easily.
     
    Last edited: Aug 7, 2020
    Posted: Aug 7, 2020 By: ServWise Member since: Jan 22, 2008
    #2
  3. gpietersz

    gpietersz UKBF Ace Full Member

    It's blacklisted on a list meant for blocking spam email. Not something that is appropriate for blocking access to a web site. Very different criteria (you would expect web traffic from dynamic residential URLs but not SMTP sending email, for example).

    I do that myself. With a plugin for my WordPress site, configuring the admin URL to be less obvious for Django ones. Blocking on a failure is over the top.

    Blocking on an attempt to login to a deliberately created honeypot login form is reasonable.
     
    Posted: Aug 7, 2020 By: gpietersz Member since: Sep 10, 2019
    #3
  4. ServWise

    ServWise UKBF Ace Full Member

    Not necessarily, there are a lot of blacklists for different things, most for spam but others for botnets or proxies etc, big ISPs' IP ranges get blacklisted often due to having lots of consumers with infected PCs.

    Having said that they do tend to have a lot of false positives, we don't use them for web access ourselves and only use them sparingly for anti-spam measures preferring methods like gray-listing etc. Also we never "block" spam, we only mark it with a probability level of spamminess and the client can do the blocking based on that.
     
    Posted: Aug 7, 2020 By: ServWise Member since: Jan 22, 2008
    #4
  5. WESH.UK

    WESH.UK UKBF Regular Free Member

    We don't interfere with customers' WP sites nor would we try to, this is overkill and interference.

    The plugins that do change the admin URL are known to cause issues with a lot of other plugins and are more hassle than they are worth.
     
    Posted: Aug 7, 2020 By: WESH.UK Member since: Aug 11, 2018
    #5
  6. ServWise

    ServWise UKBF Ace Full Member

    Not sure I would agree with that statement. You should have protections in place but they need to be reasonable enough not to cause problems with the site owner. Otherwise, you can end up with a situation where you have 20+ WordPress websites being heavily brute-forced where the customer has not installed any protection and your server is on its knees and affecting all other customers. It is a balancing act...

    I am talking about firewall level protections, not insisting the client installs specific plugins or changes their websites.
     
    Posted: Aug 7, 2020 By: ServWise Member since: Jan 22, 2008
    #6
  7. UKSBD

    UKSBD Not a real duck Staff Member

    They've set the plugin back up "WPS Hide Login" and unblocked my IP so I can get in now.

    A pain though as if I forget which sites have it and I try my usual login, I'll be blocked from whole server again.
     
    Posted: Aug 7, 2020 By: UKSBD Member since: Dec 30, 2005
    #7
  8. gpietersz

    gpietersz UKBF Ace Full Member

    My mistake, I thought this was the Spamhaus email blacklist, it's a combined one.
     
    Posted: Aug 7, 2020 By: gpietersz Member since: Sep 10, 2019
    #8
  9. UKSBD

    UKSBD Not a real duck Staff Member

    From what I can gather, just the fact it is seen as a domestic IP is enough to get it blacklisted :-(
     
    Posted: Aug 7, 2020 By: UKSBD Member since: Dec 30, 2005
    #9
  10. WESH.UK

    WESH.UK UKBF Regular Free Member

    Of course, we have protection measures in place, at server and network levels but we don't and would not interfere with customers' website code, nor their plugins. It's not for any hosting company to do that.

    You can recommend and suggest, but don't forcefully put things in place that have a negative impact on other things too.

    Not sure how you interpreted this:
    We don't interfere with customers' WP sites nor would we try to, this is overkill and interference.

    As us not having server or network protection in place?
     
    Posted: Aug 7, 2020 By: WESH.UK Member since: Aug 11, 2018
    #10
  11. TopSpek

    TopSpek UKBF Regular Free Member

    Wouldn't this sort of thing be under your control? I mean, can't you address this sort of thing at the server admin level rather than placing constraints on the websites? If a website is found to be taking more than their reasonable share of resources at the expense of others, then shouldn't your system be able to stop this? If the website owner had any complaints about their site being disabled, then you would just send them some sort of pre-written explanation.

    What I am trying to say is, if a website owner doesn't know how to secure their own website and prevent things like brute-force attacks, then that's just tough and they should go and find out how to do it!

    Edit: Sorry, WESH.UK got in there while I was writing my message, and he's written it more succinctly than I have. :)
     
    Last edited: Aug 7, 2020
    Posted: Aug 7, 2020 By: TopSpek Member since: Jul 15, 2019
    #11
  12. WESH.UK

    WESH.UK UKBF Regular Free Member

    Nope, you won't if you do it right and know how to protect people from each other.

    If any of our customers were suffering this we telephone them and explain what's going on and how to resolve it and if need be, help them implement some options to protect themselves.

    You can lead the horse to water, but you can't push them in to prevent dehydration.
     
    Posted: Aug 7, 2020 By: WESH.UK Member since: Aug 11, 2018
    #12
  13. ServWise

    ServWise UKBF Ace Full Member

    Yeah, I think the confusion here is about website-based over server-based mitigation, yeah we would never force a customer to use specific plugins or code to protect their websites (recommendations yes but it is their website, not ours), all of our mitigation is at a global server level and protects all customers regardless of what they host.
     
    Last edited: Aug 7, 2020
    Posted: Aug 7, 2020 By: ServWise Member since: Jan 22, 2008
    #13
  14. ServWise

    ServWise UKBF Ace Full Member

    Yes I was always talking about OS/server protections, not website code-based solutions, I assumed you meant the same but you were actually talking about not altering clients' websites, which is totally right.
     
    Posted: Aug 7, 2020 By: ServWise Member since: Jan 22, 2008
    #14
  15. WebDesires

    WebDesires UKBF Regular Full Member

    This is due to a ModSecurity rule, which is actually a really GOOD idea and SHOULD be implemented by all hosts, however unfortunately for you, your host seems to have set this rule up wrong and are blocking after only one failed attempt, instead of like 10 or something which would make more sense.

    Protecting WordPress server wide in WHM / cPanel with ModSecurity

    It shocks me the amount of "hosting providers" above that proudly advertise that they don't "mess with wp sites"... this is totally irresponsible, WordPress is so easy to brute-force and without such a monitor implemented globally, you are very easily open to abuse, even if it takes a month or 6 months, they will get to your password eventually and screw over your site.

    However like I said your host has totally ballsed that up and should be shot :D
     
    Posted: Aug 10, 2020 By: WebDesires Member since: Feb 23, 2016
    #15
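
Added example, not part of any post in this thread and not any host's actual rule: the difference between counting every request for wp-login.php (post #2) and counting only rejected logins against a threshold (post #15), run over a constructed access log. It assumes combined log format and a default WordPress install, where a rejected login is a POST answered with 200 and a successful one is a 302; `blocked_ips` and the sample data are hypothetical names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log (documentation IP ranges): a site owner who mistypes
# a password once, and a client that submits 12 wrong passwords in a minute.
def _line(ip, sec, method, status):
    return (f'{ip} - - [07/Aug/2020:10:00:{sec:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 2310')

OWNER, BOT = "198.51.100.7", "203.0.113.50"
SAMPLE_LOG = [
    _line(OWNER, 1, "GET", 200), _line(OWNER, 5, "POST", 200),
    _line(OWNER, 9, "POST", 302), _line(OWNER, 30, "GET", 200),
    _line(OWNER, 34, "POST", 302),
] + [_line(BOT, s, "POST", 200) for s in range(10, 22)]

def blocked_ips(lines, threshold, window_secs=3600, failed_only=True):
    """Return the IPs that reach `threshold` events inside a sliding window.

    failed_only=True counts only POSTs answered with 200 (assumed to be a
    rejected login); failed_only=False counts every wp-login.php request.
    """
    window = timedelta(seconds=window_secs)
    recent, blocked = defaultdict(deque), set()
    for raw in lines:
        m = LINE.match(raw)
        if not m or not m["path"].startswith("/wp-login.php"):
            continue
        if failed_only and not (m["method"] == "POST" and m["status"] == "200"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:      # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked.add(m["ip"])
    return blocked

if __name__ == "__main__":
    print("any access, limit 5:    ", sorted(blocked_ips(SAMPLE_LOG, 5, failed_only=False)))
    print("failed logins, limit 10:", sorted(blocked_ips(SAMPLE_LOG, 10)))
```

With a limit of 1 failed login per 3600 seconds, as in the csf.deny line in post #1, the owner's single typo is enough to be blocked alongside the brute-forcing client.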
  16. UKSBD

    UKSBD Not a real duck Staff Member

    Yes, I think it is a good thing as it changes my WordPress login URL

    1 failed attempt is crazy though, just 3 or 4 I would be happy with.

    Being 1 means if I forget which sites are using it and try to login using my usual login URL I'm locked out of everything :-(
     
    Posted: Aug 10, 2020 By: UKSBD Member since: Dec 30, 2005
    #16
  17. TopSpek

    TopSpek UKBF Regular Free Member

    Okay, not understanding some of this obviously because I'm not a webhost, but I have a couple of misgivings about your opinion. Not after an argument - just want to understand.

    Firstly, all these server tools like ModSecurity have to be maintained, updated, etc., and compatibility with other server components must be ensured. This all adds to a webhost's costs which obviously must be passed on to their customers. Why should everyone pay more just because some website owners don't know how to look after their own websites? Now if these things were optional and built into more expensive packages, then fair enough; but let the ones who need these facilities pay for them.
     
    Last edited: Aug 10, 2020
    Posted: Aug 10, 2020 By: TopSpek Member since: Jul 15, 2019
    #17
  18. HostXNow

    HostXNow UKBF Regular Full Member

    In OP, the firewall being used is CSF (ConfigServer Firewall) which is free software, and we had some customers complain about it several years ago. We switched to paid software Imunify360.com and no more issues with customers getting blocked.

    Check the Imunify360 website to see how advanced it is. It's the best around right now, especially for cPanel servers. We've been using Imunify360 for several years now and highly recommend it. Imunify360 is from the same team behind CloudLinux, which is pretty much run on all providers' Shared/Reseller hosting servers.

    In short, you may switch to a provider who uses Imunify360.
     
    Posted: Aug 12, 2020 By: HostXNow Member since: Mar 7, 2011
    #18