2016-05-11

I have a WordPress site (fully patched) that used to receive many login attempts based on dictionary attacks. I changed my admin user to something uncommon and use a really strong password.

Apart from that, I changed my login page using the Rename wp-login.php plugin. I changed my login URL to something like http://foo.com/blog/?pencil. For years the bots failed to guess my login page (I still get many 404s).

It has now happened for the second time in a month. The first time I had a failed attempt, changed the URL to http://foo.com/blog/?paper and didn't think much about it. The second time happened today. Exact events:

19th April

Successful login from my employer office (via proxy) to http://foo.com/blog/?pencil at 18:00 from my company laptop.

2 failed attempts from 70.32.73.128 (report about the IP), an IP from California, at 02:54 am GMT (the server seems to be reported as hacked), using the admin username (which, by the way, doesn't exist in my WordPress)

I changed the password and the URL to http://foo.com/blog/?paper

I enabled capturing of incoming passwords in the log.

Now

Yesterday (11:10 am) I accessed the blog to correct an entry from my employer's network (same proxy).

Today at 11:55, 1 failed attempt from 213.248.63.27 (VirusTotal report about the IP), a Russian IP with suspicious sites like vrn.sauna.ru (probably an NSFW URL). It used oscarfoley as the username with no password (my username is not oscarfoley or anything similar).

I feel pretty secure, as the bot has to guess the login page, the admin user and the password. However, after reading this site I am a little bit paranoid.
So my main question is:

How has the bot "guessed" the paper or pencil login page?

Could my employer's proxy/network be compromised? (Like a hacker having access to the proxy logs...)

Could it be a broad dictionary attack (something like a bot scanning all WordPress servers on the internet to see if the login page is pencil)? Or an exploit in WordPress?

Is there anything more I should do to protect myself?

Could it be a personal attack using public information on the internet? Or a bot that uses public information for broad attacks?

Why the empty password?

How can I be sure I am not hacked? (Forget about this, as it is pretty well answered in this question.)

Could my laptop or my PC at home be hacked and the URL obtained from it? My guess is no, because otherwise they would have my password...

EDIT: To be more clear, the attacker hit the login URL directly with NO failed attempts on other similar URLs. Check here the last 404 errors:

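As an added example (not part of the question or of any answer), the following Python script performs the kind of access-log triage that separates the two hypotheses the question raises: a client that requests the hidden login URL directly with no preceding 404 probing, versus a scanner that finds the URL after a run of 404s. It assumes Apache combined log format, the hidden login path `/blog/?pencil` from the question, and the heuristic that WordPress answers a failed login POST with 200 (form redisplayed) and a successful one with a 302 redirect. All log lines, IP addresses and timestamps below are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hidden login path from the question (Rename wp-login.php maps the form here).
LOGIN_PATH = "/blog/?pencil"

# Constructed Apache combined-format sample: one trusted office client, one
# scanner that probes common paths first, one client that hits the URL directly.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Apr/2016:18:00:02 +0000] "GET /blog/?pencil HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2016:18:00:09 +0000] "POST /blog/?pencil HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Apr/2016:23:10:01 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.9"
198.51.100.7 - - [19/Apr/2016:23:10:02 +0000] "GET /blog/wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.9"
198.51.100.7 - - [19/Apr/2016:23:10:03 +0000] "GET /blog/?login HTTP/1.1" 404 210 "-" "python-requests/2.9"
198.51.100.7 - - [19/Apr/2016:23:10:04 +0000] "GET /blog/?pencil HTTP/1.1" 200 3412 "-" "python-requests/2.9"
198.51.100.7 - - [19/Apr/2016:23:10:05 +0000] "POST /blog/?pencil HTTP/1.1" 200 3412 "-" "python-requests/2.9"
203.0.113.44 - - [20/Apr/2016:02:54:10 +0000] "GET /blog/?pencil HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
203.0.113.44 - - [20/Apr/2016:02:54:11 +0000] "POST /blog/?pencil HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
203.0.113.44 - - [20/Apr/2016:02:54:13 +0000] "POST /blog/?pencil HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_log(text):
    """Parse combined-format lines into dicts; silently skip lines that don't match."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return entries


def triage(entries, login_path=LOGIN_PATH, known_sources=()):
    """Per source IP that touched the login path: how many 404 probes preceded the
    first hit, how many POSTs failed or succeeded, and a coarse classification."""
    by_ip = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    report = {}
    for ip, events in by_ip.items():
        hits = [e for e in events if e["path"] == login_path]
        if not hits:
            continue
        first_hit = hits[0]["ts"]
        # 404s from the same IP before it first reached the hidden path = guessing.
        probes = sum(1 for e in events if e["status"] == 404 and e["ts"] < first_hit)
        posts = [e for e in hits if e["method"] == "POST"]
        # Heuristic: WordPress redirects (302) on success, redisplays the form (200) on failure.
        succeeded = sum(1 for e in posts if e["status"] in (301, 302, 303))
        failed = len(posts) - succeeded

        if ip in known_sources:
            classification = "known_source"
        elif probes > 0:
            classification = "found_by_probing"
        else:
            classification = "direct_hit_no_probing"

        report[ip] = {
            "first_hit": first_hit,
            "probes_before_first_hit": probes,
            "failed_logins": failed,
            "successful_logins": succeeded,
            "classification": classification,
        }
    return report


if __name__ == "__main__":
    for ip, r in triage(parse_log(SAMPLE_LOG), known_sources={"10.0.0.5"}).items():
        print(f"{ip:15} {r['classification']:24} probes={r['probes_before_first_hit']} "
              f"failed={r['failed_logins']} ok={r['successful_logins']} first={r['first_hit']:%Y-%m-%d %H:%M}")
```

A `direct_hit_no_probing` entry from an address that never appeared in the log before is the pattern the question's EDIT describes; it is evidence that the URL was observed somewhere along the path (proxy logs, a browser or extension, a Referer header sent to a third-party resource) rather than brute-forced, and that is the distinction worth establishing before choosing between the hypotheses listed above. For a real site, feed the script the server's actual access log and put the office proxy's egress address in `known_sources`.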