Can confirm that deleting your plugin resolves the high CPU usage but the attack resumes.
Thank you very much for your feedback.
Each time a spam bot sends a brute-force request to wp-login.php, the full WordPress site is started. IMHO it is a very poor design of the WordPress architecture and it is impossible to solve with the plugin.
Limit-login attempts blocks brute-force requests from the same IP, but each time it runs the whole WordPress site too.
Security-Protection blocks all brute-force requests too, but it also sends fake cookies and a fake redirect. Some brute-force attacks rely on this redirect and cookie and stop their attack.
Security-Protection blocks 100% of brute-force attacks and even stops some of them completely. It is its main benefit among other plugins. Security-Protection also consumes as much CPU resources as other plugins because the whole WordPress is started every time. But sometimes Security-Protection consumes less CPU resources because some brute-force attacks are stopped.
Thank you. I will continue gambling without eating up resources. Unfortunately, I have a dozen busy sites on that account.
The damn attack is continuing and it's into the 25th hour.
You can rename wp-login.php to ‘wp-login-new.php’ for example.
But also replace ‘wp-login.php’ with ‘wp-login-new.php’ inside of the wp-login.php file.
And also put into ‘wp-login.php’ empty file for not starting whole WordPress with 404 error.
Just don’t forget that now you can log in via this link – site.com/wp-login-new.php
I hope it will help.
PS: Appreciate your help. The attack has stopped.
Hello webvitaly,
What do you mean by this:
And also put into ‘wp-login.php’ empty file for not starting whole WordPress with 404 error
I have followed your other two steps, but cannot understand this last bit.
I am under attack on my wp-login and my site has been restricted by HostGator.
My CPU usage is enormous; they closed down my site basically immediately.
Any help is so much appreciated.
@corrr001: If you put an empty file called wp-login.php, then the whole WordPress core will not be executed after each brute-force request.
You will not be able to log in to the WordPress site, but you will reduce the load on your hosting.
Is that more clear to you?
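
The three steps webvitaly describes in this thread (rename wp-login.php, rewrite its references to itself, leave an empty wp-login.php behind), written as an added shell example that is not part of anyone's post. The function name relocate_wp_login and the default new file name are assumptions; it expects the path to the WordPress root as its first argument.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Usage: relocate_wp_login /path/to/wordpress [new-name.php]
relocate_wp_login() {
    wp_root=$1
    new_name=${2:-wp-login-new.php}
    old="$wp_root/wp-login.php"
    new="$wp_root/$new_name"

    # Accept only a plain file name ending in .php, so it is safe to use
    # as a sed replacement and cannot point outside the WordPress root.
    case $new_name in
        ""|*[!A-Za-z0-9._-]*) echo "bad file name: $new_name" >&2; return 1 ;;
        *.php) ;;
        *) echo "new name must end in .php" >&2; return 1 ;;
    esac

    [ -f "$old" ] || { echo "no wp-login.php in $wp_root" >&2; return 1; }
    # An empty wp-login.php means the stub is already in place; running
    # again would overwrite the real login script with nothing.
    [ -s "$old" ] || { echo "wp-login.php is already an empty stub" >&2; return 1; }
    [ ! -e "$new" ] || { echo "$new already exists" >&2; return 1; }

    # Steps 1 and 2: write the login script under its new name with every
    # reference to wp-login.php inside it pointing at the new name.
    sed "s/wp-login\.php/$new_name/g" "$old" > "$new" || return 1

    # Step 3: truncate the original to an empty file. Requests to
    # wp-login.php now hit an empty script and WordPress is not loaded.
    : > "$old"
}
```

A WordPress core update writes a fresh wp-login.php, so the empty file has to be put back after each update.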