User locked out even after renaming login page

If login attempts are not coming through wp-login.php, they are most likely coming through xmlrpc.php — the same method used by the WordPress app, plugins like Jetpack, and other features like trackbacks and pingbacks.

Disabling XML-RPC is possible (there are a number of plugins that do it, such as “Disable XML-RPC”) but it may cause other possible problems. If you decide to disable it, you might want to check out this post first:
Should you disable XML-RPC on WordPress?

-Matt R

Hi Matt,

Thanks very much for this. I had already read the article and had considered disabling XML-RPC. I’ll give that a go and see what happens.

Many thanks

Rob

With login.php renamed and XML-RPC disabled I am still getting a few emails from Wordfence telling me someone has been locked out for using an invalid username. Nobody apart from me knows the login URL.

Any thoughts?

UPDATE: Actually I hadn’t totally disabled XML-RPC after all. I have done so now and will see what happens.

Ok, thanks for the update — if there are any further attempts, just let us know what method you used to disable it. Remember that certain features mentioned in the article won’t work with XML-RPC disabled, and there may be other plugins that could use it too.

-Matt R

I have not had any further issues since disabling XML-RPC. Thanks for your help.

Great, thanks for following up!

-Matt R