Create a List of IP Addresses Attacking Your WordPress Login

These are the steps I use to create a list of IP addresses that are trying to login to my WordPress installations that did not have permission to do so. The following steps assumes that only you (or certain IP addresses) have access to your WordPress login, wp-login.php.

You will also need the ability to run Linux commands.

The Steps

You’ll start by grabbing all occurrences of wp-login.php in your errorlog. This is because you have denied access to your wp-login.php, except for you, so if someone tries to go there, your server will show a error and record it in your errorlog.

grep -iR wp-login.php sites.himpfen.com-error_log >> data.txt

Change sites.himpfen.com-errorlog to your errorlog. The results will be written to data.txt.

Next, you’ll create a new file that only shows the IP addresses.

grep -E -o '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' data.txt >> ipsonly.txt

So here, we took the only IP addresses from data.txt, which we created in step one and written the IP addresses to ipsonly.txt.

Finally, we need to remove duplicate IP addresses. You can do this with two different commands.

awk '!x[$0]++' ipsonly.txt > IPAddresses.txt

OR

sort -u ipsonly.txt > IPAddresses.txt

You’re done!

The final list will be in IPAddresses.txt. I should also mention that you should check IPAddresses.txt for your own IP address. Why? Your IP address can change without notification to you, so you might have went to login and been disallowed by the server.