I found the pitfall, it is this file: xmlrpc.php
Read here how to disable it: What Is xmlrpc.php in WordPress and Why You Should Disable It (hostinger.com)
add this to .htaccess:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
What are the “regular WP authorization hooks”?
I have deleted login.php in the root but still i get multiple warnings (emails). So my question is the same as sme9: Where does it measure?
(To make it clear, I restore the file login.php when I want to login, after I write a new post, I again delete the file login.php, plus I have .htaccess in the folder wp-admin which deny all ip-addresses except for the ip-address I have at that moment when I want to login and then I even remove that ip-address from the .htaccess).
