Bots find out modified WP login page

Hi, are all your plugins up to date? What Firewall settings do you have enabled in the plugin.

Kind regards

Yes, everything is up to date. This happens on about 100 websites we’re hosting, it’s a different website every day, sometimes 2 or 3 a day.
Here is a standard Firewall setup:

“aiowps_enable_basic_firewall”:”1″
“aiowps_enable_pingback_firewall”:””
“aiowps_disable_xmlrpc_pingback_methods”:”1″
“aiowps_block_debug_log_file_access”:”1″
“aiowps_disable_index_views”:”1″
“aiowps_disable_trace_and_track”:”1″
“aiowps_forbid_proxy_comments”:”1″
“aiowps_deny_bad_query_strings”:”1″
“aiowps_advanced_char_string_filter”:”1″
“aiowps_enable_5g_firewall”:””
“aiowps_enable_6g_firewall”:”1″
“aiowps_enable_custom_rules”:”1″
“aiowps_place_custom_rules_at_top”:””
“aiowps_custom_rules”:”<IfModule mod_headers.c>\r\nHeader set X-XSS-Protection \”1; mode=block\”\r\nHeader always append X-Frame-Options SAMEORIGIN\r\nHeader set X-Content-Type-Options nosniff\r\n<\/IfModule>”
“aiowps_enable_404_logging”:”1″
“aiowps_enable_404_IP_lockout”:”1″
“aiowps_404_lockout_time_length”:60
“aiowps_404_lock_redirect_url”:”http:\/\/127.0.0.1″
“aiowps_block_fake_googlebots”:”1″
“aiowps_prevent_hotlinking”:”1″

Hi, is this a network setup?

This happens on about 100 websites we’re hosting,

Are these websites hosted in the same server or different servers?

it’s a different website every day, sometimes 2 or 3 a day.

So you are saying that they randomly target a different website everyday. Is this correct?

Kind regards

• This reply was modified 5 years, 5 months ago by mbrsolution.

Hi Daniele,

I thought disabling Pingback would stop bots from knowing the modified login address?

The bots are most likely not finding your hidden login URL.
They are probably submitting requests to your xmlrpc.php file and not to the login page form.
Just to put any confusion to rest, the disable pingback feature will not stop anybody from submitting requests directly to your xmlrpc.php file if you’ve left access to it open.

Whether you completely disable xmlrpc or not is dependent on whether that functionality needs to be active for other plugins or themes on your site. But one thing you should keep in mind is that irrespective of the above feature being active or not, you should make sure that you are using a strong password for your wp accounts to decrease the chance of someone brute-forcing their way in.

But the message I receive says an IP has been blocked after too many login attempts, you know the usual message your plugin sends when there are too many failed logins.
It gives me the username and IP address.

The websites are hosted on the same server. It’s not exactly an attack a day, there are days with more, days with none. Sometimes it’s a couple attempts, sometimes it lasts about half an hour. But the point is, I can’t understand how they are finding the modified login page.

EDIT: I’ve made some research, and I think you’re right and I’m wrong. They’re probably login attempts made via XMLRPC. Is it possible to distinguish them? Right now, the plugin will simply notify me of too many attempts, but won’t tell me if the bot tried via the actual login page or via XMLRPC.

Hi Daniele,

In your first message you said “I use Divi on many websites, and the Divi builder uses XMLRPC, so I can’t disable it completely. There are also many plugins using this functionality.”

So i use Divi too. I just disabled XMLRPC completely and went back into Divi Builder + my site and everything seems to still work. Have you found parts of Divi to not work after disabling XMLRPC?

I will ask Divi if and how XMLRPC is used by their theme. There are routines calling it, but I don’t know the details.