These are the steps I use to create a list of IP addresses that are trying to login to my WordPress installations that did not have permission to do so.The following steps assumes that only you (or certain IP addresses) have access to your WordPress login, wp-login.php. You can learn more about how-to do this in this article I wrote: Denying Access to Your WordPress Login.
You will also need the ability to run Linux commands.
If you don’t limit access to your WordPress login or have the ability to run Linux commands, then use my list located here.
You’ll start by grabbing all occurrences of wp-login.php in your errorlog. This is because you have denied access to your wp-login.php, except for you, so if someone tries to go there, your server will show a error and record it in your errorlog.
grep -iR wp-login.php sites.himpfen.com-error_log >> data.txt
Change sites.himpfen.com-errorlog to your errorlog. The results will be written to data.txt.
Next, you’ll create a new file that only shows the IP addresses.
grep -E -o '(25[0-5]|2[0-4][0-9]|?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|?[0-9][0-9]?)' data.txt >> ipsonly.txt
So here, we took the only IP addresses from data.txt, which we created in step one and written the IP addresses to ipsonly.txt.
Finally, we need to remove duplicate IP addresses. You can do this with two different commands.
awk '!x[$0]++' ipsonly.txt > IPAddresses.txt
sort -u ipsonly.txt > IPAddresses.txt
The final list will be in IPAddresses.txt. I should also mention that you should check IPAddresses.txt for your own IP address. Why? Your IP address can change without notification to you, so you might have went to login and been disallowed by the server.