One of the most common methods that hackers use to gain access to a WordPress site is a brute force attack. The best defense against such attacks is to keep a record of failed logins so you can limit them.
This article explains how the WP Activity Log plugin keeps a log of failed logins, so you can see the failed login history of a WordPress website. It also showcases the different settings you can use to configure the plugin based on your needs.
How does the WP Activity Log plugin keep a record of failed login attempts on WordPress?
The WP Activity Log uses two different alerts to keep a record of failed WordPress logins in the activity log:
- Alert 1002: WordPress user failed login
- Alert 1003: failed login for non-existing username (this means someone tried to authenticate on your website but the username they specified does not exist on your website).
Why does WP Activity Log use two different event IDs to keep a WordPress failed login history?
You should not worry much about failed logins for unknown, non-existing usernames. This is normal activity and it happens automatically to all websites, as explained in Handling WordPress failed login attempts on your site. You should only take precautionary measures when there are failed logins for existing usernames. When this happens, it means that the attacker guessed a WordPress username, so it might become a targeted attack.
Therefore, by having two different event IDs it’s easier to search for a specific failed login in the activity log, and to create email and SMS notifications, so you are alerted in case there are failed logins for a known username.
How does the logging of WordPress failed logins work?
By default, the WP Activity Log plugin records only up to ten failed logins for every IP address and WordPress username combination when the username belongs to a real WordPress user. For failed logins of non-existing WordPress users, the plugin records up to ten failed attempts for every IP address. This is a precautionary measure to avoid hogging web server resources in case of a WordPress brute force attack. These events are enough to indicate whether your WordPress site is being attacked or the failed login attempts are legitimate.
Configure the plugin to record more than ten failed login attempts
You can configure the WP Activity Log plugin to keep a log of more than ten failed WordPress logins. To increase the limit:
- Navigate to the Enable/Disable Events node in the plugin menu
- Click on the User Logins & Sessions Events tab
- Find Alert ID 1002 and Alert ID 1003 and enter “0” for both if you want to capture all failed logins without limits.
What is reported in the failed WordPress logins alerts?
In both event IDs 1002 and 1003 the plugin records:
- The date and time of when the last failed login happened
- The source IP address of the computer / device from where the failed login happened
- The number of failed logins
- The WordPress user in case of alert 1002, as seen in the screenshot below
If there is a failed WordPress login for a non-existing username, the plugin uses System as the user, because there is no WordPress user on your website that can be associated with such activity, as shown in the screenshot below.
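The triage described above, separating event 1002 from event 1003 and allowing for the default cap of ten, can be scripted over exported log records. This is an added example, not code from the plugin: the record field names, the sample data and the min_attempts review threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records. Field names are assumptions for this example,
# not the plugin's export format; one record per IP (and username for 1002).
SAMPLE_EVENTS = [
    {"event_id": 1002, "user": "editor_anna", "ip": "203.0.113.10", "attempts": 10},
    {"event_id": 1002, "user": "editor_anna", "ip": "203.0.113.11", "attempts": 4},
    {"event_id": 1002, "user": "shop_admin", "ip": "198.51.100.7", "attempts": 2},
    {"event_id": 1003, "user": "System", "ip": "192.0.2.55", "attempts": 10},
    {"event_id": 1003, "user": "System", "ip": "203.0.113.10", "attempts": 3},
]


def triage_failed_logins(events, limit=10, min_attempts=5):
    """Split events 1002/1003 and flag existing usernames that need review.

    limit is the plugin's per-alert cap (0 = log everything); min_attempts is
    a hypothetical review threshold chosen for this example.
    """
    targeted = defaultdict(lambda: {"attempts": 0, "ips": set(), "capped": False})
    background = defaultdict(int)  # event 1003: attempts per source IP
    for ev in events:
        # A count that reached the cap is a lower bound, not the true total.
        capped = limit > 0 and ev["attempts"] >= limit
        if ev["event_id"] == 1002:
            entry = targeted[ev["user"]]
            entry["attempts"] += ev["attempts"]
            entry["ips"].add(ev["ip"])
            entry["capped"] = entry["capped"] or capped
        elif ev["event_id"] == 1003:
            background[ev["ip"]] += ev["attempts"]

    review = [
        {"user": u, "attempts": e["attempts"], "at_least": e["capped"],
         "ips": sorted(e["ips"])}
        for u, e in targeted.items()
        if e["attempts"] >= min_attempts or e["capped"]
    ]
    review.sort(key=lambda r: r["attempts"], reverse=True)
    # IPs seen in both groups went from guessing names to hitting a real account.
    known_ips = {ip for e in targeted.values() for ip in e["ips"]}
    crossover = sorted(known_ips & set(background))
    return {"review": review, "background": dict(background),
            "crossover_ips": crossover}


if __name__ == "__main__":
    print(triage_failed_logins(SAMPLE_EVENTS))
```

An "at_least" value of True means a recorded count reached the cap, so the real number of attempts may be higher; setting the limit to 0 in the plugin, as described above, removes that ambiguity.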
Keep a log of the Usernames used for the failed WordPress logins
By default, the plugin keeps a log of all the usernames used during the failed login attempts that are not WordPress users. The list of usernames will be kept in the database. You can also download the list of usernames in a log file from the alert details by clicking “Download the log file.” under the Message section as seen in the screenshot above.