Title: Still have login attempts Last modified: August 30, 2016 --- # Still have login attempts * Resolved [mrsreeder](https://wordpress.org/support/users/mrsreeder/) * (@mrsreeder) * [10 years, 7 months ago](https://wordpress.org/support/topic/still-have-login-attempts/) * Hello, * Like someone else posted here (without a proper answer). I have all login pages hidden and if the default login pages are accessed they properly give 404 errors. * How is Wordfence still logging login and forgotten password attempts? I am getting notifications of blocked IPs from logging in and I am not using the default url from the plugin. * [https://wordpress.org/plugins/wps-hide-login/](https://wordpress.org/plugins/wps-hide-login/) Viewing 15 replies - 1 through 15 (of 31 total) 1 [2](https://wordpress.org/support/topic/still-have-login-attempts/page/2/?output_format=md) [3](https://wordpress.org/support/topic/still-have-login-attempts/page/3/?output_format=md) [→](https://wordpress.org/support/topic/still-have-login-attempts/page/2/?output_format=md) * [Remy Perona](https://wordpress.org/support/users/tabrisrp/) * (@tabrisrp) * [10 years, 7 months ago](https://wordpress.org/support/topic/still-have-login-attempts/#post-6544396) * Hello, * Do you have a login url anywhere in your code ? In a form action for example * Thread Starter [mrsreeder](https://wordpress.org/support/users/mrsreeder/) * (@mrsreeder) * [10 years, 7 months ago](https://wordpress.org/support/topic/still-have-login-attempts/#post-6544450) * No I do not. Any forms used on any site I develop uses contact form 7. * [angelalgibson](https://wordpress.org/support/users/angelalgibson/) * (@angelalgibson) * [10 years, 7 months ago](https://wordpress.org/support/topic/still-have-login-attempts/#post-6544465) * I’m still waiting for help on this as well. I posted in the forums about this a few days ago… any love? * I am still getting notifications of attempted brute force attacks. * Please help~ * ~ Angela * [Remy Perona](https://wordpress.org/support/users/tabrisrp/) * (@tabrisrp) * [10 years, 7 months ago](https://wordpress.org/support/topic/still-have-login-attempts/#post-6544495) * Please provide me a link to your website so I can have a look * Thread Starter [mrsreeder](https://wordpress.org/support/users/mrsreeder/) * (@mrsreeder) * [10 years, 7 months ago](https://wordpress.org/support/topic/still-have-login-attempts/#post-6544519) * Can you provide an email address to send you the link? * [Frédéric Georges](https://wordpress.org/support/users/fgeorges/) * (@fgeorges) * [10 years, 7 months ago](https://wordpress.org/support/topic/still-have-login-attempts/#post-6544564) * Same problem for few days! * And I’ve found a link on my website to the “hidden” login page on the comment block. If I’m not connected the “You should be connected to leave a comment”( or something similar, my website is in french) contains a link to the hidden login page. * [Frédéric Georges](https://wordpress.org/support/users/fgeorges/) * (@fgeorges) * [10 years, 7 months ago](https://wordpress.org/support/topic/still-have-login-attempts/#post-6544608) * I’ve deactivated all the comments + change again the login page but I am still getting notifications of attempted brute force attacks! Don’t know where the get the link. My website: [http://www.prosdubatiment.com](http://www.prosdubatiment.com) * [sy2j](https://wordpress.org/support/users/sy2j/) * (@sy2j) * [10 years, 7 months ago](https://wordpress.org/support/topic/still-have-login-attempts/#post-6544634) * I’m having this problem too. It was fine when I started using this plugin (which I really like) but in the past couple of weeks Wordfence has been notifying me of loads of login attempts across several websites. I’ve checked what’s reported here and can’t find any login links on the websites. Any ideas appreciated! * [Siteturner](https://wordpress.org/support/users/diablothemes/) * (@diablothemes) * [10 years, 7 months ago](https://wordpress.org/support/topic/still-have-login-attempts/#post-6544638) * I was experiencing this too, and it turned out that the attacks were exploiting xmlrpc.php instead of targeting the actual login page. I solved it by adding this to htaccess: * ``` Order Allow,Deny deny from all ``` * Not a perfect solution if you have to use xmlrpc.php for some reason, but it has seemed to work and it wasn’t related to this plugin. * [sy2j](https://wordpress.org/support/users/sy2j/) * (@sy2j) * [10 years, 7 months ago](https://wordpress.org/support/topic/still-have-login-attempts/#post-6544643) * Siteturner, you’re spot on. I’ve just found this as the cause this morning too. Good job – hopefully this thread will help others. * [Frédéric Georges](https://wordpress.org/support/users/fgeorges/) * (@fgeorges) * [10 years, 7 months ago](https://wordpress.org/support/topic/still-have-login-attempts/#post-6544644) * Yes Siteturner, thank you very much! * Following your hint, I’ve tried 2 extensions: [https://wordpress.org/plugins/disable-xml-rpc/](https://wordpress.org/plugins/disable-xml-rpc/) which disable totally XML-RPC exactly like your solution. It is working: no more login attempts! * [https://wordpress.org/plugins/disable-xml-rpc-pingback/](https://wordpress.org/plugins/disable-xml-rpc-pingback/) which is supposed to disable only XML-RPC functions used by hackers. It’s not working! I still get login attempts. * [Remy Perona](https://wordpress.org/support/users/tabrisrp/) * (@tabrisrp) * [10 years, 7 months ago](https://wordpress.org/support/topic/still-have-login-attempts/#post-6544651) * Good catch, I’m gonna sticky this topic so others can see it when searching for answer about this. * [angelalgibson](https://wordpress.org/support/users/angelalgibson/) * (@angelalgibson) * [10 years, 7 months ago](https://wordpress.org/support/topic/still-have-login-attempts/page/2/#post-6544654) * Siteturner, thank you for the tip! I’ve added the code you suggested to all my sites’ htaccess files. Hoping that is the end of this annoyance! * [deadparrotsoftware](https://wordpress.org/support/users/deadparrotsoftware/) * (@deadparrotsoftware) * [10 years, 6 months ago](https://wordpress.org/support/topic/still-have-login-attempts/page/2/#post-6544666) * XML-RPC on WordPress is actually an API. If you disable the XML-RPC service on WordPress, you lose the ability for any application to use this API to talk to WordPress. It is used heavily by phone Apps that interface with WordPress sites. You need a solution that both blocks the brute force attacks and does NOT require disabling XML-RPC. * Sid * [samhat](https://wordpress.org/support/users/samhat/) * (@samhat) * [10 years, 6 months ago](https://wordpress.org/support/topic/still-have-login-attempts/page/2/#post-6544674) * We have the same issue. The suggested solution won’t help since we use xml-rpc actively. Viewing 15 replies - 1 through 15 (of 31 total) 1 [2](https://wordpress.org/support/topic/still-have-login-attempts/page/2/?output_format=md) [3](https://wordpress.org/support/topic/still-have-login-attempts/page/3/?output_format=md) [→](https://wordpress.org/support/topic/still-have-login-attempts/page/2/?output_format=md) The topic ‘Still have login attempts’ is closed to new replies. * ![](https://ps.w.org/wps-hide-login/assets/icon-256x256.png?rev=1820667) * [WPS Hide Login](https://wordpress.org/plugins/wps-hide-login/) * [Frequently Asked Questions](https://wordpress.org/plugins/wps-hide-login/#faq) * [Support Threads](https://wordpress.org/support/plugin/wps-hide-login/) * [Active Topics](https://wordpress.org/support/plugin/wps-hide-login/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wps-hide-login/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wps-hide-login/reviews/) * 32 replies * 14 participants * Last reply from: [alzer](https://wordpress.org/support/users/alzer/) * Last activity: [9 years, 12 months ago](https://wordpress.org/support/topic/still-have-login-attempts/page/3/#post-6544718) * Status: resolved