Hide Login Path (3 posts)

  1. poijkl
    Member
    Posted 1 year ago #

    Hi,

    I've recently installed Wordfence and I get email notifications when someone exceeds the number of login attempts and gets locked out. I thought I would rarely get this, but I've gotten 4 lockouts in the past 2 days. I block the IPs, but the IPs seem to be from foreign countries. Is this normal?

    Also, are there any plugins that'll let me hide wp-admin and wp-login to a different path? Or anything else you guys recommend to help me with this issue?

  2. leejosepho
    Member
    Posted 1 year ago #

    I block the IPs, but the IPs seem to be from foreign countries. Is this normal?

    Yes, and blocking a country for a while seems to send the hackers elsewhere.

    I believe there are things you could do in .htaccess to block access, but you would first want/need a dedicated IP to allow for yourself.

  3. bcworkz
    Member
    Posted 1 year ago #

    If you need random users to be able to log in, effective IP blocking will depend on the distribution of your legitimate user base. Realistically, limited login attempts and lockouts combined with a really strong password is more than adequate defense.

    Even though I believe security by obscurity is an oxymoron, not having an 'admin' user has completely stymied all such hack attempts so far. Still, I believe hiding the login and admin paths is a wasted effort. In my experience, blocking a worldwide botnet has not yet resulted in the hacker controlling it going away. Going on 5 months now, he is still hammering away uselessly at my site. What a moron!

    If you only need access for a limited few, a dedicated IP is not necessarily required, though it makes things much easier. I personally have whitelisted the entire IP range allocated to my ISP using CIDR notation in .htaccess (Allow from 123.123.0.0/18 for example). Since no hackers so far use my ISP, the worldwide botnet is completely blocked even though I do not have a static IP, and yet I log in without apparent restriction. If I do use a different ISP occasionally, it takes about a minute to temporarily add my current IP to the whitelist via FTP.
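
The CIDR allowlist described in the last reply, written out as an added example that is not part of the original posts. It assumes the rules go in the .htaccess file in the WordPress root, that only wp-login.php is being restricted, and it reuses the example range 123.123.0.0/18 from the post; the 203.0.113.45 address is a constructed placeholder.

```apache
# .htaccess in the WordPress root directory.
# Replace 123.123.0.0/18 (the example range from the post) with the
# range allocated to your own ISP.

# Apache 2.4 and later: access control through mod_authz_core.
<IfModule mod_authz_core.c>
    <Files "wp-login.php">
        # Only clients inside the listed range reach the login form;
        # everyone else receives 403 Forbidden.
        Require ip 123.123.0.0/18
        # Temporary entry while connecting from another network
        # (constructed placeholder address). Remove it afterwards.
        # Require ip 203.0.113.45
    </Files>
</IfModule>

# Apache 2.2: the older Order/Deny/Allow syntax quoted in the post.
# Used only when mod_authz_core is absent, so the two styles never mix.
<IfModule !mod_authz_core.c>
    <Files "wp-login.php">
        Order deny,allow
        Deny from all
        Allow from 123.123.0.0/18
        # Allow from 203.0.113.45
    </Files>
</IfModule>
```

The server must permit these directives in .htaccess (AllowOverride AuthConfig for Require, AllowOverride Limit for Order/Deny/Allow). Applying the same restriction to the whole wp-admin directory also blocks wp-admin/admin-ajax.php, which some themes and plugins call from the public side of the site.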

Topic Closed

This topic has been closed to new replies.
