Backend Hidden and Re-Hidden, Attacker Still Attempting to Login

  • Resolved Trevis

    (@treviscarletta)


    8 years ago

    I have a site that is currently under attack, with the attacker trying to login as Admin from various IPs. Since the plugin is set to ban anyone trying to login as Admin, I believe the attacks are being successfully blocked. I have the backend hidden, and have even changed the login URL to a couple of other slugs to try and stop the constant attacks (about 1 per minute at this point) but, I am still getting notifications for Site Lockouts. How are they even able to find the login area if I’ve changed the login URL multiple times and how do I stop the attacker?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter Trevis

    (@treviscarletta)

    I have also put the site in Away Mode for the past 15 minutes and I am still getting Site Lockout notifications. How is this happening?!

    redsand

    (@redsand)

    XML-RPC ( xmlrpc.php ), WP REST API, etc.

    Your Admin login is not the only place that can be logged into. If you’re not using the REST API, disable it. Check your raw server logs, and you’ll be able to see where they are trying to log in. It will be a POST type request.

    • This reply was modified 8 years ago by redsand.
    Thread Starter Trevis

    (@treviscarletta)

    Thanks @redsand! In addition to the things you mentioned, I also lowered the number of attempts allowed before banning (host and user), and password protected the wp-admin folder on the server. Still getting a lot of 404s but, security is rendering invalid login attempts non-existent.

    redsand

    (@redsand)

    Hey @treviscarletta,

    You’re welcome. Glad to hear that’s helping. ??

    Just one thing to consider: If you lock down the /wp-admin/ by password you might have issues, because you’ll need to make an exception for /wp-admin/admin-ajax.php or certain functionality could break. If you’re going to protect that directory, it might be better to do it by IP address in your .htaccess. I did a quick write-up on some best practices for this in another forum thread (for a different plugin) here and here. Hope that helps!

    – Scott

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Backend Hidden and Re-Hidden, Attacker Still Attempting to Login’ is closed to new replies.