
Thread: How to avoid people trying to hack a login

  1. #1
    Xarzu (Hello World) | Join Date: Oct 2009 | Posts: 68

    Some "usermane" is requesting a "username" in my WordPress blog.

    I did not expect this to happen with my WordPress blog. I do not know if it is just users' stupidity or if it is spammers trying to break into my blog. Either way, it is something that needs fixing. Apparently people are trying to log in without registering.

    I have been getting annoying email messages that say essentially:
    SoAndSo (SomeEmail@somewhere.com) has requested a username at MyWebForumAndBlog
    http://www.MySite.com
    To approve or deny this user access to MyWebForumAndBlog go to...
    That is not exactly what it says, but you get the idea. Click here to see an actual message.

    So I am guessing that what is happening is that someone just clicks on "log in" and then requests a password instead of clicking on Register. But there are so many of these messages that I have to wonder if this is a spam bot.

    On the other hand, the message says it is requesting a username, not a password. So this is some sort of WordPress spam and trick someone is using where they are bypassing the normal login.

    And it does not make sense. Think of it. Some "usermane" is requesting a "username". How do they do that?

  2. #2
    conorp (Kegger) | Join Date: Jan 2009 | Location: Australia | Posts: 506

    Is there any reason why you have registration open? It's even linked to on your homepage: http://www.arguemax.com/wp-login.php?action=register
    The lord of every land, rising for them,
    The Aton of the day, great of majesty.

    Great Hymn of the Aton

  3. #3
    Xarzu (Hello World) | Join Date: Oct 2009 | Posts: 68

    Originally posted by conorp:
        Is there any reason why you have registration open? It's even linked to on your homepage: http://www.arguemax.com/wp-login.php?action=register

    Registration is open because I want people who post comments to do so by first registering.

    Anyway, after looking at that page you link to, I see the problem. The problem is this. People are exploiting the "lost my password" hyperlink I have on the registration and log in pages.

    How do I disable those?




  4. #4
    chipbennett (WordPress Legend) | Join Date: Feb 2009 | Location: St. Louis, MO | Posts: 1,997

    Originally posted by Xarzu:
        Registration is open because I want people who post comments to do so by first registering.

        Anyway, after looking at that page you link to, I see the problem. The problem is this. People are exploiting the "lost my password" hyperlink I have on the registration and log in pages.

        How do I disable those?

    I wouldn't worry about the password-recovery functionality too much. It's nearly impossible to hack. At worst, it will be a nuisance for the account user, having their password reset - and even that is a worst-case scenario.
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  5. #5
    Xarzu (Hello World) | Join Date: Oct 2009 | Posts: 68

    The primary concern is not that they will be successful in hacking the login and gain access. The main thing to me is the nuisance that they are giving me. On top of all the things I am trying to do right now, I have to deal with these annoying email messages where people are requesting a login ID when they have not registered.

  6. #6
    t31os (Hello World) | Join Date: Feb 2010 | Location: UK | Posts: 23

    The email is generated by the New User Approve plugin you have installed:
    http://wordpress.org/extend/plugins/new-user-approve/

    I'd imagine these emails are simply informing you of each user registration, which will happen because that's what the plugin does. You have registration enabled, so you're simply seeing a notification of every registration, possibly including bots. If you believe you're getting bot registrations then it goes to show the captcha input is not working (or the bots are smart and know how to beat it).

  7. #7
    Xarzu (Hello World) | Join Date: Oct 2009 | Posts: 68

    It has been a while since I have had time to work on this issue but now I am revisiting this.

    The issue is that I am getting a particularly annoying spam from bots who are trying to get me to give them a username.

    How do I stop this?

    This is what fills up my email inbox: http://i67.photobucket.com/albums/h292/Athono/this.jpg

  8. #8
    Ryan (WordPress Legend) | Join Date: Jan 2009 | Location: New Zealand | Posts: 2,801

    A custom captcha setup usually works fine on small sites. I've blocked all spam on my forum temporarily by simply asking the question of "What colour is the logo at the top of the page?".
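
The site-specific question suggested in post #8, sketched as a small WordPress plugin. This is an added example, not code from any poster in this thread or from the New User Approve plugin. The `rcq_` names and the accepted answer are placeholders; `register_form` and `registration_errors` are WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Registration Challenge Question (example)
 * Description: Adds one site-specific question to wp-login.php?action=register.
 */

// Assumed values: replace with a question and answers that fit your own site.
const RCQ_QUESTION = 'What colour is the logo at the top of the page?';
const RCQ_ANSWERS  = array( 'blue' ); // placeholder answer, lowercase

// Print the extra field on the core registration form, after the e-mail field.
add_action( 'register_form', 'rcq_render_field' );
function rcq_render_field() {
    ?>
    <p>
        <label for="rcq_answer"><?php echo esc_html( RCQ_QUESTION ); ?><br />
        <input type="text" name="rcq_answer" id="rcq_answer" class="input"
               size="25" autocomplete="off" /></label>
    </p>
    <?php
}

// Validate the answer. If this filter returns a WP_Error that contains errors,
// core stops the registration before any user account is created.
add_filter( 'registration_errors', 'rcq_check_answer', 10, 3 );
function rcq_check_answer( $errors, $sanitized_user_login, $user_email ) {
    $answer = '';
    if ( isset( $_POST['rcq_answer'] ) ) {
        // Normalise so "Blue " and "blue" are treated the same.
        $answer = strtolower( trim( sanitize_text_field( wp_unslash( $_POST['rcq_answer'] ) ) ) );
    }

    // A missing field (a bot posting straight to wp-login.php) fails as well.
    if ( ! in_array( $answer, RCQ_ANSWERS, true ) ) {
        $errors->add(
            'rcq_wrong_answer',
            '<strong>Error</strong>: please answer the question about the site logo.'
        );
    }

    return $errors;
}
```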

  9. #9
    Xarzu (Hello World) | Join Date: Oct 2009 | Posts: 68

    Ryan, I am not convinced that this is a CAPTCHA issue since I have a CAPTCHA on the registration page. Are you saying that a bot is smart enough to figure out what the CAPTCHA message is?

    Also, it does not seem to be something that is generated by bots hitting this page. The email messages I am getting are asking for a username, it is not a series of automated registrations.

  10. #10
    Ryan (WordPress Legend) | Join Date: Jan 2009 | Location: New Zealand | Posts: 2,801

    Originally posted by Xarzu:
        Are you saying that a bot is smart enough to figure out what the CAPTCHA message is?

    That depends on how good/custom the captcha is. If it's an off the shelf captcha used by thousands of others, then yeah, I'd guess the bot can very easily figure it out.
