This article explains how the WP Security Audit Log plugin keeps a log of failed WordPress logins. The plugin uses two different alerts to record failed WordPress logins in the audit log:
- Alert 1002: failed login for existing username
- Alert 1003: failed login for unknown username
Why does WP Security Audit Log use two different alerts to log failed WordPress logins?
You should not worry if there are failed logins for unknown users, i.e. usernames that do not exist on your WordPress site. This is pretty normal activity, as explained in Dealing with Failed WordPress Logins. You should only take precautionary measures when there are failed logins for existing usernames, which means that the attacker guessed the WordPress user you are using, so it might become a targeted attack.
Therefore by having two different alert types it is easier to search for a specific failed login in the audit log, and to create email alerts so you are alerted in case there are failed logins for a known username.
How does the logging of failed WordPress logins work?
By default the WP Security Audit Log plugin records up to 10 failed logins for every IP address and WordPress username combination when the username belongs to an existing WordPress user. For failed logins with usernames that are not WordPress users, the plugin records up to 10 failed attempts for every IP address. This is a precautionary measure to avoid hogging web server resources in case of a WordPress brute force attack. These alerts are enough to indicate whether your WordPress site is being attacked or the failed login attempts are legitimate.
Configure WP Security Audit Log to log more than 10 failed logins
You can configure the WP Security Audit Log plugin to keep a log of more than 10 failed WordPress logins. To increase the limit, navigate to the Enable/Disable Alerts node in the plugin menu and click on the User Profiles & Activity > Other User Activity tab. As highlighted in the screenshot below, you can configure the number of failed logins the plugin should keep a log of for both Alert ID 1002 and 1003. Enter 0 if you want to capture all failed logins.
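The following is an added example, not code from the plugin: a small Python model of the logging cap described above, showing how many attempts end up recorded per alert and which existing usernames appear in alert 1002. The function names, the sample events and the handling of attempts over the limit (simply not recorded, with no time window) are assumptions made for illustration.

```python
from collections import Counter

ALERT_KNOWN_USER = 1002    # failed login for existing username
ALERT_UNKNOWN_USER = 1003  # failed login for unknown username

def record_failed_logins(events, existing_users, limit_1002=10, limit_1003=10):
    """Model of the logging cap described above (assumption, not plugin code).

    events: iterable of (ip, username) failed-login attempts, in order.
    A limit of 0 means "record every attempt".
    Returns (recorded, dropped), both Counters keyed by (alert_id, ip, user).
    """
    recorded, dropped = Counter(), Counter()
    for ip, username in events:
        if username in existing_users:
            # Existing user: the cap applies per IP address + username pair.
            key, limit = (ALERT_KNOWN_USER, ip, username), limit_1002
        else:
            # Unknown user: the cap applies per IP address; user is "System".
            key, limit = (ALERT_UNKNOWN_USER, ip, "System"), limit_1003
        if limit == 0 or recorded[key] < limit:
            recorded[key] += 1
        else:
            dropped[key] += 1
    return recorded, dropped

def targeted_accounts(recorded):
    """Existing usernames seen in alert 1002 entries, with counts per IP."""
    hits = {}
    for (alert_id, ip, user), count in recorded.items():
        if alert_id == ALERT_KNOWN_USER:
            hits.setdefault(user, {})[ip] = count
    return hits

# Constructed sample data: documentation-range IPs and made-up usernames.
EXISTING_USERS = {"editor1", "siteadmin"}
SAMPLE_EVENTS = (
    [("203.0.113.7", f"guess{i}") for i in range(25)]  # unknown usernames
    + [("203.0.113.7", "siteadmin")] * 14               # existing username
    + [("198.51.100.20", "editor1")] * 3                # a few failed attempts
)

if __name__ == "__main__":
    recorded, dropped = record_failed_logins(SAMPLE_EVENTS, EXISTING_USERS)
    for key in sorted(recorded):
        print(key, "recorded:", recorded[key], "not recorded:", dropped[key])
    print("alert 1002 targets:", targeted_accounts(recorded))
```

With the default limits, the 25 unknown-username attempts from one IP address collapse into 10 recorded entries, while setting both limits to 0 records every attempt.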
What is reported in the failed WordPress logins alerts?
In both alerts 1002 and 1003 the plugin records:
- The date and time of when the last failed login happened,
- The source IP address of the computer / device from where the failed login happened,
- The number of failed logins,
- The WordPress user in case of alert 1002, as seen in the screenshot below.
In case there is a failed WordPress login for a non-existing username, the plugin uses System as the user, because there is no WordPress user on your website that can be associated with such activity, as shown in the screenshot below.
Keep a log of the usernames used for the failed WordPress logins
You can configure the plugin to keep a log of all the usernames used during the failed login attempts that are not WordPress users. To do so enable the option Keep a log of the usernames used in the failed logins in a log file, which can be found in the alerts settings as shown in the screenshot above. The list of usernames will be kept in the database and you can download the list of usernames in a log file from the alert details.