• Resolved: wade944 (@wade944)

    Hi,
    To start, there is much of this I don’t understand.
    We got hacked. We have been getting everything fixed.
    Installed Wordfence and enabled 2FA on the Administration account (no longer named Admin).
    Still getting multiple login sessions on the Administration account.
    I will log in on my laptop, both at home and at work.
    But whichever place I log in from, it should be one session, right?
    Having multiple sessions would indicate something bad, correct?
    Is there any legitimate reason that there would be multiple sessions?
    How could a hacker bypass 2FA?
    Am I missing something here?

    Thanks for your time and patience.


Viewing 1 replies (of 1 total)
  • Plugin Support WFAdam (@wfadam)

    Hello @wade944 and thanks for reaching out to us!

    Can you check where the logins are originating? You can do this by going to Wordfence -> Tools -> Live Traffic.

    From here, let me know if the login attempts for the admin account are all coming in from the same or different IP addresses. Check to see if they are located in your area or outside the country.

    This is what I can recommend if they are not your IPs:

    1. Change your username to not be the default username

    These types of blind attacks will test common username/password combinations on various sites. You should set your username to something that is not commonly used, such as admin, admin1, administrator, test, etc.

    2. Enable “Immediately lock out invalid usernames”

    Under Wordfence -> All Options -> Brute Force Protection, enable “Immediately lock out invalid usernames”. This will make it so that these blind bots attacking your website will not have a chance to test multiple usernames/passwords. Once they’ve tested one account and that account does not exist, they will be blocked.

    3. Enable Prevent discovery of usernames

    Under Wordfence -> All Options -> Additional Options, enable “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API”. You mentioned that they are visiting /wp-json/wp/v2/users/; this is a common attack to sniff out usernames, and they will then target these accounts. Once you’ve enabled this setting, they will no longer be able to scrape the list of usernames from your site.

    Don’t be worried about a high amount of attempts on the login “admin” or “administrator”. There are tons of bots out there simply testing admin + password on any and every WordPress site – just to see if they can get in.

    Let me know if this helps!

    Thanks!
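The Wordfence settings in the reply map onto a handful of WordPress hooks. The mu-plugin below is an added example (not Wordfence code and not from either poster) that does by hand what steps 2 and 3 do: it locks out an IP after a single login attempt with a non-existent username, hides the /wp/v2/users REST routes from anonymous requests, refuses the /?author=N redirect that leaks the login slug, and strips author fields from oEmbed responses. It also includes a helper that counts the session tokens WordPress holds for an account, because that is what a “multiple sessions” display is counting: WordPress creates one token per successful login (each browser or device that holds an auth cookie), so the same account used from two laptops legitimately shows two sessions. The file name, the `hl_` helper names, the lockout length and the user ID in the comments are assumptions.

```php
<?php
/**
 * Plugin Name: Harden login discovery (added example, not Wordfence code)
 *
 * Save as wp-content/mu-plugins/harden-login.php (file name is an assumption).
 * Must-use plugins load automatically and cannot be disabled from wp-admin,
 * which is what you want for a file an attacker would like to switch off.
 */

// Lockout length after one attempt with an unknown username (assumption).
define( 'HL_LOCKOUT_SECONDS', 4 * HOUR_IN_SECONDS );

function hl_client_ip() {
    // REMOTE_ADDR only: trusting X-Forwarded-For without a known upstream
    // proxy lets an attacker pick a fresh "IP" for every attempt.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function hl_lockout_key( $ip ) {
    return 'hl_lock_' . md5( $ip );
}

// Step 2: "Immediately lock out invalid usernames". Priority 30 runs after
// core's username/password and e-mail/password checks (priority 20), so a
// locked IP is refused even when it finally supplies valid credentials.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // nothing submitted yet; let core show the form
    }
    $key = hl_lockout_key( hl_client_ip() );
    if ( get_transient( $key ) ) {
        return new WP_Error( 'hl_locked', 'Too many invalid login attempts.' );
    }
    // Neither a login name nor an e-mail address that exists: lock at once,
    // so a bot walking admin/admin1/administrator/test gets one guess.
    if ( ! get_user_by( 'login', $username ) && ! get_user_by( 'email', $username ) ) {
        set_transient( $key, time(), HL_LOCKOUT_SECONDS );
        return new WP_Error( 'hl_locked', 'Too many invalid login attempts.' );
    }
    return $user;
}, 30, 3 );

// Step 3a: hide /wp-json/wp/v2/users and /wp/v2/users/<id> from anonymous
// requests. Logged-in editors still get the routes the block editor needs.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// Step 3b: /?author=N normally 301s to /author/<login-slug>/, which is the
// enumeration trick. Priority 1 runs before redirect_canonical (priority 10).
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() ) {
        return;
    }
    if ( isset( $_GET['author'] ) || isset( $_GET['author_name'] ) ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
}, 1 );

// Step 3c: oEmbed responses carry author_name and author_url; drop them.
add_filter( 'oembed_response_data', function ( $data ) {
    unset( $data['author_name'], $data['author_url'] );
    return $data;
} );

// Sessions: how many auth tokens the account currently has. One token is
// minted per successful login, so home laptop + work laptop = 2 is normal.
function hl_session_count( $user_id ) {
    return count( WP_Session_Tokens::get_instance( $user_id )->get_all() );
}

// After a compromise, invalidate every token so each device must log in
// again and pass 2FA; $user_id = 1 here is an assumption for the admin:
//   WP_Session_Tokens::get_instance( 1 )->destroy_all();
```

Usage note: the lockout check deliberately sits at priority 30 rather than 1, because a WP_Error returned early on the `authenticate` filter is replaced by core's own checks when the credentials turn out to be valid, which would let a locked-out IP straight through on a correct password. Call `hl_session_count( $user_id )` from WP-CLI (`wp eval`) or a theme snippet to compare the number with what Wordfence reports; the `destroy_all()` call is the code equivalent of the “Log Out Everywhere” button on the profile page.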

  • The topic ‘2FA not preventing multiple login sessions’ is closed to new replies.