How to stop a brute force site on wordpress?

Question

Constantly trying to hack a wordpress site.
What did you do:

Anyway, reports from the plugin are constantly coming:

1 failed authentication attempts (1 isolation) from IP address: 186.202.153.141
User last tried: admin

How to avoid the absence of wp-login.php and blocking wp-admin?

with this you need to be careful - this file can be used by other plugins, you can limit the number of logins sent via xml-rpc to the minimum - it may be better to use just such a solution.
Although if you definitely do not have such plug-ins, then you could bang this file altogether (the main thing is not to forget about it with the next update))

Rltx11 Rltx11 306 one four 17 · Answer 1 · 2016-04-16T14:00:48

You can use the plugin iThemes Security . In it, you can configure access only from some specific ip, ban for an incorrect login more than n times and so on. It is very useful that you can simply change the login address from wp-admin to something different. But there are many different good-quality functions, detailed articles, where everything is described, can be found enough.
You can also use the easiest way - plugin Clef . In his settings, you can disable the login through the password for the administrator and leave the login possible only through the clef application on the smartphone. Even if the password from the admin is entered correctly, it will be possible to login only through the connected clef application on the smartphone.
Well, traditionally you can easily reCAPTCHA captcha. You can also find quite a few plugins that automate the process.

Nicolas Chabanovsky ♦ 38.2k 54 220 437 · Answer 2 · 2016-04-06T06:50:36

Make a double authorization using Htaccess and htpasswd, how to arrange it all is in the internet.
change the admin address
put captcha on authorization
You can move the file wp-config.php to the domain folder, above public_html - it will be read by the engine, but you will not get it from the Internet;)

2 answers 2