
wp_login_spike

Severity: Warning
Signal: auth.attempt — high volume of login attempts in a short window

What this signal means

A high volume of login attempts hit your site in a short window. This covers both successful and failed attempts, catching credential stuffing attacks and login floods that might use valid credentials.

What surprise this prevents

A credential stuffing attack succeeding quietly — valid credentials from a data breach being tested against your login page while the volume appears routine.

Why it matters

Unlike wp_brute_force_login, which focuses on failed attempts, this alert catches volume regardless of outcome. A spike with many successes could indicate a credential stuffing attack using leaked passwords.

Investigate

In Logystera, filter auth.attempt signals:

  • How many were success: true vs success: false?
  • Are the attempts from one IP or many IPs?
  • Are they targeting one username hash or many?

  1. Check for successful logins from unknown IPs. Go to Users → All Users and check the Last Login date for admin accounts, or use a user sessions plugin.

  2. Rate-limit and CAPTCHA the login page. Plugins like Limit Login Attempts Reloaded or WP Cerber add rate limiting and CAPTCHA.

  3. Block at the edge. If you use Cloudflare, enable Bot Fight Mode or create a WAF rule to challenge /wp-login.php for non-whitelisted IPs.

  4. Disable XML-RPC — it allows multiple login attempts per request, multiplying the effective attack rate:

       add_filter( 'xmlrpc_enabled', '__return_false' );

  5. Implement two-factor authentication for all admin accounts.

When to safely ignore

A login spike coinciding with a marketing campaign, newsletter send, or public announcement is expected. High login volume from known user IPs immediately after a prominent content publication is normal traffic, not an attack signal.

Check whether success: true dominates the spike — successful logins from your regular user base during a traffic event require no action.

Signal reference

{
  "event_type": "auth.attempt",
  "payload": {
    "success": true,
    "username_hash": "f1e2d3...",
    "username_len": 8
  },
  "labels": {
    "actor": { "user_id": 0, "ip": "198.51.100.5" }
  }
}
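
The three Investigate questions (outcome split, source spread, target spread) can be answered offline over a batch of these events. The script below is an added example, not Logystera's own code; it assumes the events were exported one JSON object per line in the shape shown above, and `make_event`, `triage` and `min_accounts` are hypothetical names.

```python
import json
from collections import Counter, defaultdict

def make_event(ip, username_hash, success):
    """Build one constructed auth.attempt line in the signal-reference shape."""
    return json.dumps({
        "event_type": "auth.attempt",
        "payload": {"success": success, "username_hash": username_hash, "username_len": 8},
        "labels": {"actor": {"user_id": 0, "ip": ip}},
    })

# Constructed sample data (documentation-range IPs, made-up hashes).
SAMPLE_LINES = [
    make_event("203.0.113.9", "aa01", False), make_event("203.0.113.9", "aa02", True),
    make_event("203.0.113.9", "aa03", False), make_event("203.0.113.9", "aa04", True),
    make_event("203.0.113.9", "aa05", False), make_event("198.51.100.5", "bb01", True),
    make_event("198.51.100.5", "bb01", True), make_event("192.0.2.44", "bb02", False),
    make_event("192.0.2.44", "bb02", True),
    '{"event_type": "http.request"}', "not json",  # both are skipped by triage()
]

def triage(lines, min_accounts=2):
    """Answer the three Investigate questions for a batch of auth.attempt events."""
    outcomes, per_ip, per_user = Counter(), Counter(), Counter()
    logged_in_as = defaultdict(set)  # ip -> username hashes it succeeded on
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict) or ev.get("event_type") != "auth.attempt":
            continue
        payload = ev.get("payload", {})
        ip = ev.get("labels", {}).get("actor", {}).get("ip", "unknown")
        user = payload.get("username_hash", "unknown")
        ok = payload.get("success") is True
        outcomes["success" if ok else "failure"] += 1
        per_ip[ip] += 1
        per_user[user] += 1
        if ok:
            logged_in_as[ip].add(user)
    return {
        "success": outcomes["success"], "failure": outcomes["failure"],
        "distinct_ips": len(per_ip), "distinct_usernames": len(per_user),
        "top_ips": per_ip.most_common(3),
        # One source succeeding on several accounts is the stuffing pattern.
        "multi_account_ips": sorted(
            ip for ip, users in logged_in_as.items() if len(users) >= min_accounts),
    }
```

On the constructed sample, `triage(SAMPLE_LINES)` reports one address that logged in to two different accounts, while the repeat logins to a single account from the other addresses are not flagged.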