Showing results for 
Search instead for 
Did you mean: 

10,000 logins attempted from my servers IP?


10,000 logins attempted from my servers IP?



I have installed Wyomind's extension to record attempted logins to my magento site. I have seen over 10,000 attemped logins which appear to be based on a dictionary style name attack every two minutes. When I view the extensions details it is stating that the logins are occuring at /downloader/index.php?A=loggedin and are coming from the IP address of my server i.e. the same IP address that my site is hosted on. I have checked the raw access logs and these appear to tally with the extension suggesting the extension is providing the correct information.


Is this a rouge extension on my server trying to gain access or is it something I should not worry about?


Any advice would be greatly appreciated.


Mike Prentice


Re: 10,000 logins attempted from my servers IP?

Not sure as to why they're appearing to come from your server address, unless you're on a shared server, one of the accounts has been compromised and somebody's using curl or htget with a script to automate the dictonary attack directly from the server.


10,000 tries on a dictionary attack is nothin', they have the whole dictionary to try, and Magento has no security against it unless you have a module that watches, records bad attempts and more importantly, locks down the backend access when the login retries exceed a certain amount.


Do the following to protect your admin backend and download utility, neither of which should be exposed to any more than a number of addresses you can count on one hand. The random ip address access from a coffee shop anywhere in town " 'cause ya just need ta check the graph to see how many sales you made in the last 30 minutes" is a pipe dream in today's security environment.


Use .htaccess to limit by ip range, who can access the following URLs







Change your admin url in app/etc/local.xml if you already haven't.





Re: 10,000 logins attempted from my servers IP?

Hi Chiefair,


Thanks for taking the time to write such a detailed reply, it's really appreciated.


I will follow your advice and restrict the IP range and move the admin login. I will also contact my host to see if there is anything they can dig up.


Thanks again