Why can't we simply block any bot that tries to access wp-admin?
-
I find myself constantly manually blocking bots that have loaded up my wp-admin page. The bots are clever; they are simply testing if it loads but not trying anything.
I’m never going to use a bot to log in and I don’t want them on the wp-admin page. We should simply be able to block any bot that lands on wp-admin.
-
That simply will not work. Bot detection/determination is spotty at best, so blanket blocking of perceived bots accessing backend pages will disable a good portion of valid traffic.
Also – manually blocking single IPs for hitting your site is a pointlessly endless game of whack-a-mole… a better strategy is to adopt broader rules to deflect unwanted traffic, including hiding the wp-login page using something like WPS Hide Login.
It would work. It would work in the sense that most of my bad bot traffic is coming from Ukraine / Russia / China and North Korea.
There should be an option to block bot traffic from these countries without blocking all traffic from those countries entirely.
You can have fun playing around with this and block a lot of bots. It was easier in Wordfence Version 6 because you could click on the “Blocked” list and, with a few more mouse clicks, observe exactly how your blocking performed. But it can be done in Version 7, although be careful you don’t feel too much anger towards Wordfence for robbing us of some really nice functionality. I’m working on anger management 🙂
What you do: first you need a static IP address, which you enter in the Wordfence Options page under “Whitelisted IP addresses that bypass all rules.” That’s in case something doesn’t work or gets changed. Staying on the Options page (the rest of the Wordfence UI is a confusing mess), go to the “Immediately block IPs that access these URLs” list and add something like the following. This both suffers from and takes advantage of the fact that Wordfence will only block URLs that do NOT exist on your server, so you can play it fast and loose. A lot of bots probe for files that _might_ exist and be vulnerable. The following acts as a honey pot for those types of probes and thus blocks a heck of a lot of criminal bots. Get it working, then set the blocking duration to a nice long 48 hours or more to keep the criminals at bay. Important: test by using a VPN and browsing to a few of your banned URLs while you’re not logged into WordPress, as well as pretending you’re a front-end user, doing a few comments and such.
To check how this is working, in WF ver 7 you’ll need to first go to the “Blocked” option in the sidebar nav menu, find a blocked URL entry, copy the IP address, go to “Live Traffic” and use the search option to find the IP, then click on “See Recent Traffic” on the Live Traffic listing.
The following could probably be done a lot better using more wildcards. I try not to spend too much time on it. We could also add some specific wp-admin file URLs, but adding wp-admin with wildcards doesn’t work in my testing; see the end of this post.
/wp-login
/*/wp-login
/*/wp-login.php
/*/*/wp-login.php
/wp-login.php*
/login.html
/login
/author/*//wp-login.php
/author/*/wp-login.php
/author/*/wp-login.php*
/*/*login=go%21&H=
/*/*/*login=go%21&H=
/administrator/*
/administrator/index.php
/administrator
/administrator/
/*/administrator/*
/admin
/admin/
/admin.php
/adminzone

Sadly, one would think that also listing things such as

/wp-admin/*
/wp-admin/

would work, but my testing indicates this doesn’t work, probably due to plugins trying to access wp-admin files that don’t exist or some other problem.
In the end, Wordfence doesn’t like this kind of gaming, and it’s true that the human cost of millions of us duplicating the same thing, which could be done programmatically by Wordfence, is huge. So I suspect Wordfence will eventually do a better job of bot filtering using this sort of honey pot functionality. But I’m not holding my breath. It seems to be up to those of us in the trenches, sweating over our keyboards, to pick up the slack.
I’d add that if you want to fine-tune this, check server logs for various /wp-admin URLs that are obvious bot attacks and do not exist on your server, and add them to the list above. Whatever you do, don’t waste time manually blocking IP numbers, other than adding an occasional known bad network range to your .htaccess file if you’re getting a huge amount of attacks from that network. And always consider using country blocking. MTN
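Before switching a list like the one above on, it is worth dry-running it against a day of access-log lines to see which visitors it would catch, and which real paths it only spares because of the "does not exist" rule. The script below is an added example for this thread, not code from the post above or from Wordfence. It assumes that `*` in a list entry matches any run of characters, that the entry is compared against the full request target (path plus query string), and that a hit only blocks when the requested path does not exist on the server, as the post describes; check those assumptions against the documentation for your Wordfence version. The site paths, IP addresses and log lines it uses are constructed.

```python
"""Dry-run a Wordfence-style "Immediately block IPs that access these URLs"
list against web-server access-log lines before enabling it.

Added example, not code from the post or from Wordfence. Assumptions (check
them against the docs for your Wordfence version): '*' in a list entry matches
any run of characters, the entry is compared against the full request target
(path plus query string), and a hit only blocks when the requested path does
not exist on the server. The site paths and log lines below are constructed.
"""
import re

# Honey-pot entries from the post, in the post's order (one duplicate dropped).
BLOCK_PATTERNS = [
    "/wp-login", "/*/wp-login", "/*/wp-login.php", "/*/*/wp-login.php",
    "/wp-login.php*", "/login.html", "/login",
    "/author/*//wp-login.php", "/author/*/wp-login.php", "/author/*/wp-login.php*",
    "/*/*login=go%21&H=", "/*/*/*login=go%21&H=",
    "/administrator/*", "/administrator/index.php", "/administrator",
    "/administrator/", "/*/administrator/*",
    "/admin", "/admin/", "/admin.php", "/adminzone",
]

# Paths that exist on the hypothetical site; per the post these are never blocked.
EXISTING_PATHS = {"/", "/wp-login.php", "/wp-admin/", "/wp-admin/admin-ajax.php", "/blog/"}


def pattern_to_regex(pattern):
    """Turn a list entry into an anchored regex: '*' -> '.*', everything else literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


COMPILED = [(entry, pattern_to_regex(entry)) for entry in BLOCK_PATTERNS]


def would_block(request_target):
    """Return the first list entry that fires for this request, or None.

    Two rules, mirroring the post: the target must match an entry, and the
    path part must not exist on the server.
    """
    path = request_target.split("?", 1)[0]
    if path in EXISTING_PATHS:
        return None
    for entry, rx in COMPILED:
        if rx.match(request_target):
            return entry
    return None


def entries_hitting_real_paths():
    """Entries that match a real path on the site. These rely entirely on the
    'does not exist' rule to avoid blocking legitimate users, so they are the
    ones to exercise from a VPN before trusting the list."""
    return [(entry, path) for entry, rx in COMPILED
            for path in sorted(EXISTING_PATHS) if rx.match(path)]


# Apache/nginx combined log format: IP ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def audit(log_lines):
    """Parse combined-format lines; return [(ip, target, entry_that_fires_or_None)]."""
    results = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:  # skip malformed lines rather than crash on them
            results.append((m["ip"], m["target"], would_block(m["target"])))
    return results


def ips_to_block(log_lines):
    """IPs that the list would put on the block list, sorted for stable output."""
    return sorted({ip for ip, _, entry in audit(log_lines) if entry})


# Constructed sample log (RFC 5737 documentation addresses, not real visitors).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:09:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:09:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:09:01:10 +0000] "GET /administrator/index.php HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Mar/2024:09:01:11 +0000] "GET /blog/wp-login.php?login=go%21&H= HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Mar/2024:09:02:30 +0000] "GET /admin HTTP/1.1" 404 196 "-" "curl/8.4.0"',
    '192.0.2.9 - - [10/Mar/2024:09:02:31 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for ip, target, entry in audit(SAMPLE_LOG):
        print(f"{ip:14} {target:45} {'BLOCK via ' + entry if entry else 'allow'}")
    print("would block:", ips_to_block(SAMPLE_LOG))
    print("entries that match real paths:", entries_hitting_real_paths())
```

Replace `SAMPLE_LOG` with lines read from your own access log and `EXISTING_PATHS` with the paths your site really serves, and the two IPs the sample flags become the probes in your own traffic; the `entries_hitting_real_paths()` output (here `/wp-login.php*` against the real login page) is the short list of entries to test from a logged-out VPN session, since any change to the "only block non-existent URLs" behaviour would turn them into a lockout of your own users.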
Hi @benjam23
The way human/bot detection was developed includes the use of JavaScript code to achieve that. There are some reasons that could result in false positives for both types, like blocking JS entirely in the browser, a JS conflict with another plugin or even a browser extension conflict, or differences in running JS code on desktop vs. some mobile devices. All of that means blocking bot access on your website has a chance of blocking some human hits as well; however, I’ve forwarded your suggestion to the team. Thanks.
The topic ‘Why cant we simply block any bot that tries to access wp-admin?’ is closed to new replies.