• Resolved Mighty Good

    (@mighty-good)


    Hello!

    Is there a way to create a blocking rule in the free version of Wordfence to block bogus wp-admin login attempts? Should I be concerned if my site is getting hammered with these? Anything I can do to mitigate? Perhaps the best thing is that your wonderful plugin does block them — it’s just annoying!

    Thanks!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Change the username to something complex.

    Indeed, use complex user names and hard passwords. Set up an admin account with no published pages or posts, use that for admin, set all other accounts to lower permission levels. Remove password reset “feature” from WordPress login (google this).

    Am assuming you’re already using available Wordfence features, see “All Options” and browser search that page for term “brute force protection” and work on settings for everything there, use strict settings.

    Plugin WPS Hide Login gets rid of the annoyance of failed login attempts cluttering things up. It’s against Wordfence religion to use, but it works.

    To be fair, using Wordfence brute force protection and allowing attackers to see the login can work nicely as a honey pot, with Wordfence set to long blocking periods for each attacker. You don’t get that if you obscure the login. But, Wordfence doesn’t provide much in the way of declutter options, such as extensive filtering of lists you get such as “Live Traffic” and “Blocking.” Thus, the use of an obfuscation plugin such as WPS Hide Login is quite nice — out of sight out of mind.

    Other thoughts…, to be clear, no attackers are really “blocked,” they still hit your website or at least your host. The detail is this: At what stage of website access are they blocked, and for how long? Issues with this: How much clutter do your methods create? Are you getting ongoing blocking of one attacker at a basic level (before they see anything)? How much bandwidth does your chosen blocking method require?

    MTN

    • This reply was modified 8 years, 3 months ago by mountainguy2.
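
The reply above notes that a locked-out attacker still hits the site. The following is an added example, not part of any reply in this thread and not Wordfence's code: it replays constructed access-log lines through a hypothetical lockout policy (`max_failures`, `window` and `block` are illustrative parameters) and counts the requests that still arrive during the block. It assumes a failed WordPress login answers a POST to /wp-login.php with 200 and a successful one with 302.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (documentation IP ranges, not from the thread).
# Statuses are as logged with no blocking in place; the policy is replayed over them.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.7 - - [10/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.7 - - [10/Mar/2024:10:00:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4100
198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.20 - - [10/Mar/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:15:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(log):
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, method, path.split("?")[0], int(status)

def simulate_lockout(log, max_failures=3, window=timedelta(minutes=5),
                     block=timedelta(hours=4)):
    failures = {}       # ip -> timestamps of recent failed logins
    blocked_until = {}  # ip -> end of the current lockout
    report = {}         # ip -> lockouts started and requests received while blocked
    for ip, when, method, path, status in parse(log):
        stats = report.setdefault(ip, {"lockouts": 0, "hits_while_blocked": 0})
        if ip in blocked_until and when < blocked_until[ip]:
            stats["hits_while_blocked"] += 1  # refused, but the request still arrived
            continue
        # Heuristic (assumption): failed login re-renders the form with status 200.
        if method == "POST" and path == "/wp-login.php" and status == 200:
            recent = [t for t in failures.get(ip, []) if when - t <= window] + [when]
            failures[ip] = recent
            if len(recent) >= max_failures:
                blocked_until[ip] = when + block
                stats["lockouts"] += 1
                failures[ip] = []
    return report
```

The `hits_while_blocked` count is the traffic a lockout at the plugin stage still has to absorb, which is the cost the reply asks about when comparing where in the stack the block happens.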

    Hi @mighty-good
    First, you might want to learn more about brute force attacks and the different ways attackers use to hammer your website with these requests. To do that, you can check Introduction to Brute Force Attacks on our learning center. Then make sure you have applied “Brute Force Protection” options wisely on your website using Wordfence.

    Thanks.


The topic ‘Bogus wp-admin login attempts’ is closed to new replies.