Is there any good reason NOT to block access to the login page to anyone with an amazonaws.com IP address?
People using a VPN hosted at AWS could have problems accessing your website.
I would check the access logs and count how many hits does your website have from the AWS network (before the attack started) and then decide if blocking that IP range is fine or not. There are also 3rd-party services, like web crawlers, that are hosted there. They may not be able to index your website if you block the entire IP list.
I don’t have an admin account with the name “admin” so someone is clearly just guessing
That is understandable. We used to have an option to allow the administrator to block any login attempt using an account that doesn’t exists. The option may still be available in the “Last Logins” page, but it has already been removed from our development repository and — if not released yet — will be gone in the next update of the code.
Other than the major search engines, why would I want a 3rd party service to crawl my site? If they are using amazonaws.com to obscure their origin, I don’t want them. In fact, I’m not sure I need access by anyone who needs to obscure their origin via VPN.
In general, I already block every country outside the Anglosphere (English-speaking nations, with 3 or 4 exceptions) because they rarely have legitimate cause to visit my sites. I could block entire continents and not fear losing anything. For instance, why would a Los Angeles pizzeria need visitor traffic from Estonia or Colombia or Rwanda?
Not all traffic is good or desirable.
why would a Los Angeles pizzeria need visitor traffic from […]
Fair enough, I guess blocking those addresses is fine in this specific case.
Let me know if I can help with anything else.
So is there a way to block traffic from amazonaws.com?
Unfortunately, the plugin doesn’t offers any option or tool to allow you to block HTTP requests coming from a specific source. This features are already implemented in our firewall (which is a paid service), to avoid duplication of code we have opted to leave these features out of the plugin.
However, you can use Fail2Ban — http://www.fail2ban.org/
Or a WordPress Firewall plugin (there are some free options out there).
