Impossible to avoid login attempts from multiple ip addresses to my admin

Why is this an issue for you if you’re using a secure password? If it’s a bandwidth issue then you should talk to your hosting providers.

So, having multiple attempts of login to my admin every hour is no problem?

What i am supposed to talk to my hosting? How can they stop that if there are thousands of different ips?

Thanks.

Maybe it is, but why would it be a problem for you is what I’m curious about. Is it a bandwidth issue?

Of course, bandwidth, and security reasons. If you have the admin url address the same as everyone else in the world using wordpress, that is not good for security.

You’re going to be hit regardless of anything you do in WordPress, that’s why it’s more suitable to ask help from your hosting providers. By the time the robots load your page it’s already too late.
There shouldn’t be a security reason, the core application is pretty sure & you’re using a secure password.

Here are some extra steps you can take https://codex.www.ads-software.com/Hardening_WordPress

Thanks for the tips.

But how do they detect im using wordpress? I guess the bots are not trying all the ip’s in the world?

You may be able to set up your .htaccess so that only your IP can connect to the admin interface.

Do they know your admin username? Make sure your admin username is something that is not common.

Brute force attacks are something that simply happen and most of the time it is just a bot – not a person specifically targeting you.

Using an admin username that is not common will greatly reduce the odds of success (e.g. don’t use admin or john but instead use something like PabloTheGreat that bots will never try) and use a strong password of at least 12 characters including numbers, lower case letters, upper case letters, and a special character.

The attacks themselves are harmless http requests when they fail.

Hi AliceWonderFull, admin name is not “admin”. Anyways some of the attempts use my new name, others dont. I assume they check the names in the posts and use them also besides “admin”.

I am not worried about success, as i have other admin name, captcha, and probably i will put htaccess protection.

But the easiest would be WordPress to allow changing the admin folder. If 99% of the blogs change their admin folder name, the bots would stop wasting resources trying to access wordpress sites cause they won’t know the name of the directory they must access.

I do agree it would be a nice feature to add.

Thanks for your answer Alice, i hope they think about adding this option to rename the admin.

But the easiest would be WordPress to allow changing the admin folder.

I’m pretty sure that would break many things. You could try changing all the references from /wp-admin/ in the code but that would stop working after the next patch.

If 99% of the blogs change their admin folder name

But again, this really is not a problem and that’s likely why it’s not going to be changed.

For example: your server is getting hit with login requests via ssh on port 22 all the time. You can change that port and stop using 22 but most don’t bother or even consider it. Doing that doesn’t change anything because unsuccessful login attempts are background noise.

However, if you use a weak password on your ssh account then that’s the problem. Using port 22 or not doesn’t fix that issue.

It’s the same with /wp-admin/ and wp-login.php. If you use a good password then those attempts are just background noise and can be ignored.

A future version could change that to a constant that can be defined but I think a lot of plugins use the hard-coded path, so there would probably have to first be an update that sets the constant to /wp-admin/ to give plugin maintainers time to update their code – and maybe after a year or so users could modify the constant to point where they want it to.

Doable IMHO but would take some time to reduce breaking of stuff.

Hello Jam.

You could try changing all the references from /wp-admin/ in the code

I already know that option of changing references in the code, but i didn’t do it just because the same you are saying: next update comes and i will need to do it again.

It’s the same with /wp-admin/ and wp-login.php. If you use a good password then those attempts are just background noise and can be ignored.

Again, i say it is not. If i change 1 letter in the name of wp-admin folder, the login attempts dissapear. NEVER can be the same bandwidth a call to a inexistent file or folder than someone going to your login page, trying to log, and receiving the data with the message “wrong password”. If it’s 1 time per day its ok, but if you receive 2500 unsuccesful logins per day, you really tell me it is not important?
It is a waste of resources.

Option 1: the spammer calls admin: receives a 404, goes away
Option 2 (current): the spammer goes to admin login page. The page loads. Tries one login/pass. Page reload again with the message that password don’t match. Spammer tries another name / pass several times.

there would probably have to first be an update that sets the constant to /wp-admin/ to give plugin maintainers time to update their code

That’s a good idea. But really hard-coding directories instead of having them in a variable is not the best. You always need to use a variable if you are going to use the same string hundreds of times. For wordpress code or for plugins.

Healthy conversations are productive (and this one is good) but you’ve not quantified the benefit of this idea.

Or to put it in the other direction, where exactly is the tangible harm of leaving it as is? Have you or anyone suffered a break in that was not due to weak passwords?

There are plugins that may help you and others already.

https://www.ads-software.com/plugins/search.php?q=hide+wp-admin

This one while dated works fine too.

https://www.ads-software.com/plugins/limit-login-attempts/

Which is referenced in this article (there are others too).

https://codex.www.ads-software.com/Brute_Force_Attacks

That feature is a nice to have. As there are definable constants for other things and I am sure a patch would be looked at.

https://make.www.ads-software.com/core/handbook/working-with-trac/submitting-a-patch/

https://core.trac.www.ads-software.com/

I have not looked in Trac or know the status but there may be a patch submitted there already.

It’s security through obscurity but it does increase security.

Same reason I always change the ssh port on servers.

Especially if you have employees that may not follow strong password rules, or who use the same strong password on another site that was compromised, it can be beneficial to make it more difficult for an attacker to find the admin login.

But it may not help with WordPress because I think the admin login is linked to from public pages. That would have to be changed or it is pointless.