hide backend but bots still find it?

  • Resolved karin9nona

    (@karin9nona)


    6 years, 1 month ago

    I use the hide backend feature on several websites and until now, that worked well.
    Now I used it on a site that was hacked before and it doesn’t seem to help. There are still a lot of login attempts. So I guess in some way the bots can discover the new login-url. What could it be? And what can I do to really hide my login-url?

Viewing 4 replies - 1 through 4 (of 4 total)

  • Post the information displayed when clicking on the View Details link of a ‘Brute Force‘ module ‘Notice‘ type ‘Invalid Login‘ description record in the plugin Logs page.

    Thread Starter karin9nona

    (@karin9nona)

    Thanks for your reaction, nlpro!

    the url used is: https://www.mysite.be/xmlrpc.php

    and I think I found the solution in the meantime. I disabled XML-RPC by adding:

    ## block XML-RPC requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>

    in .htaccess. Seems to work, now I only have 404 detection notices any more.

    So basically you disabled XML-RPC in the WordPress Tweaks module.
    That should add the following entries to the .htaccess file:

    # Disable XML-RPC - Security > Settings > WordPress Tweaks > XML-RPC
<files xmlrpc.php>
	<IfModule mod_authz_core.c>
		Require all denied
	</IfModule>
	<IfModule !mod_authz_core.c>
		Order allow,deny
		Deny from all
	</IfModule>
</files>

    As you can see there are 2 different syntaxes added. The exact Apache 2.x release will determin which of the 2 syntaxes will be used.

    Thread Starter karin9nona

    (@karin9nona)

    Thanks!

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘hide backend but bots still find it?’ is closed to new replies.