• Resolved Jeffdvo

    (@jeffdvo)


    I’m trying to increase my understanding of WordPress Security.
    I have several websites that I admin on a shared hosting facility.
    I use .htaccess in the root of “public_html” and the root of each domain to allow only my IP address (which rarely changes) to access the hidden backend. If I use my mobile phone or try to access the back end from another location (different IP) and use “mydomain/hidden”, I get a 403 “access denied” and no login screen, so that works. If I use “mydomain/wp-login”, I get to the site but have a 404 displayed – no entries were found. If I use “mydomain/wp-admin”, I get a 403 and no login screen. So I’m fairly happy that other IPs trying to access the back end can’t!

    Question: why do I get reports that “some other IP” has tried to log in as “admin” when there isn’t a login screen displayed?


Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi,
    Accessing the “wp-login.php” page isn’t the only way to log in to your WordPress Dashboard; attackers usually use XML-RPC to try different combinations of usernames/passwords (brute force attack). I highly recommend reading this article on our blog to learn more about which method attackers prefer.

    You should also know that adjusting limits in “Login Security Options” will be applied on both methods.

    Finally, disabling XML-RPC in WordPress could have undesired consequences, I recommend reading this post before doing that.

    Thanks.
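The point made in this reply, that an IP allowlist on the admin paths does not cover login attempts sent through XML-RPC, can be checked directly in the web server access log. The following is an added example, not code from this thread or from Wordfence: it assumes Apache “combined” log format and runs over constructed sample lines (documentation IP ranges) that model the situation described above, where `/wp-login.php` and `/wp-admin/` return 403 to a foreign IP while `/xmlrpc.php` keeps answering 200 to repeated POSTs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access log format (assumption: your host writes this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The two endpoints through which WordPress accepts a username/password.
LOGIN_PATHS = {"/xmlrpc.php": "xmlrpc", "/wp-login.php": "wp-login"}

# Constructed sample lines: 192.0.2.10 is the admin's allowed IP, 198.51.100.4 is a
# blocked visitor, 203.0.113.7 hammers xmlrpc.php (status 200 even when the login fails,
# because XML-RPC reports the failure inside the response body, not in the HTTP status).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2019:13:55:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120
198.51.100.4 - - [10/Oct/2019:13:55:10 +0000] "GET /wp-login.php HTTP/1.1" 403 199
198.51.100.4 - - [10/Oct/2019:13:55:12 +0000] "GET /wp-admin/ HTTP/1.1" 403 199
203.0.113.7 - - [10/Oct/2019:13:56:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [10/Oct/2019:13:56:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [10/Oct/2019:13:56:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [10/Oct/2019:13:56:18 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [10/Oct/2019:13:56:24 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [10/Oct/2019:13:56:29 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [10/Oct/2019:13:57:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def login_attempts(lines):
    """Group POST timestamps by (ip, channel) for the two login endpoints."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        channel = LOGIN_PATHS.get(rec["path"])
        if channel:
            attempts[(rec["ip"], channel)].append(rec["ts"])
    return attempts


def blocked_probes(lines):
    """Count 403 responses per IP on the admin paths: the .htaccess allowlist at work."""
    blocked = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 403 and rec["path"] in ("/wp-login.php", "/wp-admin/"):
            blocked[rec["ip"]] += 1
    return dict(blocked)


def flag_bursts(attempts, threshold=5, window_seconds=60):
    """Return (ip, channel, max_count) for sources with >= threshold POSTs in any window."""
    flagged = []
    for (ip, channel), stamps in sorted(attempts.items()):
        stamps = sorted(stamps)
        best = 0
        for i, start in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_seconds)
            best = max(best, in_window)
        if best >= threshold:
            flagged.append((ip, channel, best))
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("blocked by allowlist:", blocked_probes(lines))
    print("login bursts:", flag_bursts(login_attempts(lines)))
```

The status code is not a usable signal here: a failed XML-RPC login still returns HTTP 200 with the fault inside the XML body, so the burst of POSTs to `xmlrpc.php` is what to alert on. The threshold is an assumption to tune per site; note also that a single XML-RPC request can carry several method calls, so even a modest POST count can represent more guesses than it looks. Whatever limit you set in the plugin's “Login Security Options” applies to both channels, as the reply says.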

    Thread Starter Jeffdvo

    (@jeffdvo)

    Thanks for the response and links wfalaa, I’ve had a good read.
    If I understand correctly, scripts are used with xml-rpc and these bypass the login screen. Had a quick look at the API components and think it’s scary how much info can be obtained using wp-get.
    Thinking it would be a bad idea to allow any IP to access the backend but looking into the email option for logging in, along with password for folders.

    Cheers

  • The topic ‘Attemtped admin logins’ is closed to new replies.