Someone is constantly trying to hack a WordPress site.
What I have done:

  • installed the Limit Login Attempts plugin, blocking after the first incorrect login
  • renamed wp-login.php
  • blocked the wp-admin folder in .htaccess: Deny from all

Even so, reports from the plugin keep coming:

1 failed authentication attempts (1 isolation) from IP address: 186.202.153.141
User last tried: admin

How are they getting around the absence of wp-login.php and the blocking of wp-admin?

  • 2
    They can, for example, through XML-RPC - BOPOH
  • Ah, thanks! I disabled XML-RPC using a plugin and it stopped - Banshi
  • 1
    You need to be careful with this: this file can be used by other plugins. You can limit the number of logins sent via XML-RPC to a minimum; it may be better to use just such a solution. Although if you definitely do not have such plugins, then you could delete this file altogether (the main thing is not to forget about it at the next update) - BOPOH

2 answers

  • You can use the iThemes Security plugin. In it, you can allow access only from specific IPs, ban after more than n incorrect logins, and so on. It is very useful that you can simply change the login address from wp-admin to something different. It also has many other good-quality features, and plenty of detailed articles describing everything can be found.
  • You can also use the easiest way: the Clef plugin. In its settings, you can disable password login for the administrator and leave login possible only through the Clef application on the smartphone. Even if the admin password is entered correctly, it will be possible to log in only through the connected Clef application on the smartphone.
  • And, traditionally, you can simply add a reCAPTCHA captcha. You can also find quite a few plugins that automate the process.

    1. Set up double authorization using .htaccess and htpasswd; how to arrange it all can be found on the internet.
    2. Change the admin address.
    3. Put a captcha on authorization.
    4. You can move the file wp-config.php to the domain folder, above public_html: it will still be read by the engine, but it cannot be fetched from the Internet ;)
    • As already mentioned, the admin panel is blocked via .htaccess; everyone gets a 403. Disabling XML-RPC helped - Banshi
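
One way to confirm from the server access log that login attempts are arriving through xmlrpc.php, as the comments above conclude. This is an added example, not code from the thread; the log lines, IP addresses, threshold and the Apache combined log format are assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumed Apache "combined" access-log layout: ip, ident, user, [time], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# WordPress endpoints that accept credentials; renaming wp-login.php leaves xmlrpc.php in place.
AUTH_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample log (documentation-range IPs), not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:10:00:01 +0300] "GET /wp-login.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [10/Mar/2016:10:00:02 +0300] "GET /wp-admin/ HTTP/1.1" 403 199 "-" "-"
203.0.113.7 - - [10/Mar/2016:10:00:03 +0300] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [10/Mar/2016:10:00:04 +0300] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [10/Mar/2016:10:00:05 +0300] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
198.51.100.20 - - [10/Mar/2016:10:02:00 +0300] "POST /xmlrpc.php HTTP/1.1" 200 310 "-" "-"
198.51.100.20 - - [10/Mar/2016:10:02:09 +0300] "GET / HTTP/1.1" 200 8412 "-" "-"
truncated line that does not match the format
"""


def auth_posts_by_ip(log_text):
    """Return {ip: Counter({endpoint: POST count})} for credential endpoints."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip malformed lines and non-POST requests
        path = m["path"].split("?", 1)[0]  # ignore any query string
        for endpoint in AUTH_ENDPOINTS:
            if path.endswith(endpoint):  # also covers installs in a subdirectory
                hits[m["ip"]][endpoint] += 1
    return hits


def suspects(log_text, threshold=3):
    """Sorted (ip, endpoint, count) for IPs with >= threshold POSTs to one endpoint."""
    return sorted(
        (ip, endpoint, n)
        for ip, counts in auth_posts_by_ip(log_text).items()
        for endpoint, n in counts.items()
        if n >= threshold
    )


if __name__ == "__main__":
    for ip, endpoint, n in suspects(SAMPLE_LOG):
        print(f"{ip}: {n} POSTs to {endpoint}")
```

To check a real server, pass the text of its access log to `suspects()` in place of `SAMPLE_LOG`.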