WordPress: grep the login attempts

After reading an article about WordPress security measures it got me wondering how I could see how many login attempts were made on this and other WordPress sites that I run.

After a few minutes searching I decided to take the approach to read from the access log. I logged onto a server running a WordPress site of mine with very few visitors thinking that I needed a smaller access log to work with while testing.To my big surprise I had no access log for that site at all! Since I use Minstall to setup almost every web serving VPS it was time to check the script, only to find out that it was never setup using the script.

First step is now to create and use the access log so we can get some data to work with.

If you are using Minstall and NginX as web server like I do, the config files for each site is in this directory:

So either login as root or run the commands with sudo to be able to do the changes.

Find the server section:

and add a row below that line like this

Change the <username> to the name of the user running your site and <sitename> to the site you are editing. Save the file and do the same changes the SSL configuration file. Use another file name for the SSL version to keep the access logs separated and easier to read.

Reload NginX

to start using the new settings.

Now you can run this command and the user who serves your webpages (or root)

Remember to update the command to have the correct path for your server.

If you just activated the access log file it will probably return

but if you browse some pages on your site you will see the filesize grow and when you run the above command again you will probably get another result.

The above command takes your access file, searches for every instance of “wp-login.php” and returns the number of hits. Do not be alarmed just yet if you get a high number returned, all your own login attempts are also in there.

What I’ve found useful is to exclude my own IP from the result to keep the numbers down. You can accomplish this by piping it to grep -v “<IP>” before counting the rows with wc -l. The complete command should look something like this then:

Change 123.123.123.123 to the IP that you want to exclude from the result.

By adding the parameter -v to the grep command we invert the result to include everything that is NOT inside the ” “.

Feel free to leave a comment below if you have other tips!

3 comments for “WordPress: grep the login attempts

  1. beta
    June 8, 2013 at 00:19

    Great write up. Can’t wait to try it later on my vps dev box.

  2. m88
    January 5, 2015 at 00:00

    I’m amazed, I have to admit. Rarely do I encounter a blog that’s both educative and entertaining, and let me tell you, you’ve hit the nail on the head.
    The issue is something that too few people are speaking intelligently about.
    I’m very happy that I stumbled across this during my search for something regarding this.

Leave a Reply

Your email address will not be published. Required fields are marked *