WordPress Login Attempts in Access Logs

TL;DR

Access logs alone aren’t enough to say *definitively* whether a login attempt was successful. You need to check other logs (like the WordPress error log) or database activity. However, you can use access logs to identify suspicious patterns and potential brute-force attacks.

Identifying Login Attempts

  1. Understand Common Patterns: Successful and failed login attempts will both show up in your access.log file. The key is looking for clues.
    • Successful Logins: Typically redirect to the WordPress admin area (/wp-admin/ or similar) after a successful authentication.
    • Failed Logins: Often return a standard HTTP 200 OK response, but with the login form still displayed. Sometimes they’ll show an error message in the HTML source of the page returned.
  2. Search for Login URLs: Use command-line tools to find relevant entries.
    grep 'wp-login.php' access.log

    This will show all lines containing wp-login.php, which is the standard WordPress login page.

  3. Look at HTTP Status Codes: A status code of 302 (redirect) *suggests* a successful login, but isn’t conclusive. A 200 OK response usually means the login form was displayed again – potentially failed, or possibly a cached page.
    grep 'wp-login.php' access.log | awk '{print $9}' | sort | uniq -c

    This command extracts the status code from each wp-login.php entry (field 9 when split on whitespace in the common and combined log formats), sorts them and counts how many times each appears. Look for unusual numbers of 200 or 302 responses.

  4. Examine User Agent Strings: Repeated login attempts from the same user agent might indicate a bot trying to brute-force your site.
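    grep 'wp-login.php' access.log | awk -F'"' '{print $6}' | sort | uniq -c

    This extracts and counts User Agent strings associated with login attempts. In the combined log format the User Agent is the sixth field when the line is split on double quotes; splitting on whitespace would return the referer and cut the User Agent at its first space.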

  5. Check for POST Requests: Successful logins involve a POST request sending username and password data to wp-login.php. Failed attempts also use POST.
    grep 'POST /wp-login.php' access.log
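
The checks from steps 2 to 5 combined into one pass, as an added example that is not part of the original article: it counts POSTs to wp-login.php per client IP, split into 200 and 302 responses, and marks IPs that reach a threshold of 200 responses. It assumes the combined log format; the sample log lines, the threshold of 3 and the verdict labels are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). All sample data is constructed.

# Constructed combined-format log lines using documentation IP ranges.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.31"
198.51.100.20 - - [10/Mar/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4300 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.20 - - [10/Mar/2024:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.55 - - [10/Mar/2024:11:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.55 - - [10/Mar/2024:11:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.55 - - [10/Mar/2024:11:00:05 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4521 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.55 - - [10/Mar/2024:11:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.20 - - [10/Mar/2024:11:10:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux x86_64)"
EOF
}

# login_summary [LIMIT]   (reads a combined-format access log on stdin)
# Prints one line per client: ip  posts_with_200  posts_with_302  verdict
login_summary() {
  awk -v limit="${1:-5}" '
    {
      split($7, url, "?")                      # drop any query string
      if ($6 != "\"POST" || url[1] != "/wp-login.php") next
      seen[$1] = 1
      if ($9 == 200) form[$1]++                # form redisplayed: likely failure
      else if ($9 == 302) redir[$1]++          # redirect: possible success
    }
    END {
      for (ip in seen) {
        verdict = "ok"
        if (form[ip] >= limit) {
          # A 302 after many 200s may be a guessed password: check other logs.
          verdict = (redir[ip] > 0) ? "review-302-after-failures" : "brute-force-suspect"
        }
        printf "%s %d %d %s\n", ip, form[ip], redir[ip], verdict
      }
    }' | LC_ALL=C sort
}

sample_log | login_summary 3
```

To run it on a real file, feed the log on standard input, for example `login_summary 10 < access.log`.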

Why Access Logs Aren’t Enough

  • Caching: Your web server or a caching plugin might serve cached versions of the login page, making it hard to tell if an attempt actually happened recently.
  • Security Plugins: Many security plugins log login attempts separately, providing more accurate information. Check your plugin settings.
  • Error Logs: WordPress’s error log (usually wp-content/debug.log or similar) will show failed login errors.
    tail -f wp-content/debug.log
  • Database Logs: For definitive proof, check your database logs for authentication queries (if logging is enabled). This requires more technical expertise and can generate a lot of data.

Further Steps

  1. Install a Security Plugin: Plugins like Wordfence or Sucuri provide detailed login attempt tracking and blocking features.
  2. Limit Login Attempts: Configure your security plugin to limit the number of failed login attempts from a single IP address.
  3. Use Strong Passwords: Encourage users to use strong, unique passwords.
  4. Enable Two-Factor Authentication (2FA): Adds an extra layer of security beyond just a password.