Support » Fixing WordPress » All these brute force attempts?

  • Since perhaps two months back, I have a huge number of brute force attempts at my site. It can number up to a thousand in a day. These comes in “waves”, that can last for up to a couple of hours.

    Of course, I don’t have “admin” or anything similar as login, none of the attempts have been even close to correct username. But still, this steals quite a lot of power from my site, naturally.
    I use “Better WP Security”, and have set quite strict policies for login attempts. But it doesn’t really matter since the attempts are being made from hundreds of different IP’s from (virtually) all around the world.

    As I am using the Android WP App, and as I am in need to login from various different locations with dynamic IP’s, I feel I don’t want to limit login to a single or a couple of IP’s either, sadly enough.

    Is there any way to make the situation better? I am using a quite cheap space for my site right now, and can’t afford a better one at the moment. So site performance is suffering during these attacks.

    And, when will WordPress ever set the possibility to change admin login URL, as is the case with for example Prestashop? Doing so now, will affect the compatibility of many plugins. There ought to be a way to finally change this. As it is right now, I feel this is the greatest flaw with WordPress. It needs to change.

Viewing 10 replies - 1 through 10 (of 10 total)
  • Moderator Ipstenu (Mika Epstein)


    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    And, when will WordPress ever set the possibility to change admin login URL, as is the case with for example Prestashop?

    Never. WordPress doesn’t really go for ‘security by obscurity’ and moving wp-admin isn’t as beneficial as you’d think in this case, because the problem you’re faced with is less ‘OMG! Someone may break in!’ and more ‘OMG! A gazillion people are hammering my site causing performance to tank.’

    Step 1) Talk to your WebHost. I know personally that MANY hosts have stepped up to block this sort of behavior via their firewalls

    Step 2) See what you can implement from

    Step 3) Consider a .htaccess ‘behavior’ firewall:

    In exactly what way is is “beneficial” to keep it the way it is, seriously? If you have a tank, instead of trying to reinforce it with all sorts of non-conventional materials and procedures, why not take it out of sight and thus out of line of fire?

    Is there some sort of purpose in itself to keep the current login setup as it is? What would be “worse” about WordPress if the login path wasn’t known? That’s not a sarcastic question, it’s all seriously meant.

    To the rest of your answer:

    1. They are doing nothing.
    2. I have already implemented the suggestions that are convenient for me to use.
    3. So it’s less an “obscurity” to be dependent on an external “flexible blacklist that checks all URI requests against a series of carefully constructed HTAccess directives”, than to eliminate the main possibility to even perform these kinds of attacks? Sounds more like modern medicine “Oh he’s sick, give him these pills! To cover the symptoms!” instead of removing what makes someone sick.

    I don’t know why more people don’t just password protect wp-login. It’s one of the suggestions on the WordPess page and it’s worked beautifully for me. The only problem is – the directions on the page can be a little hard to follow.

    I wrote a blog post about my experience with Brute Force and I talk about the process to password protect wp-login. I tried blocking IPs and talking my host which help to slow down the attacks. But password protecting wp-login stopped everything. I’m not sure why more people aren’t doing it. Am I missing something?

    Guess the WordPress App wouldn’t wotk with password protecting the login(?). As I often spend like several days without actual access to a real computer, and seldom my own computer, I do need it.

    But in any case, I guess you can(‘t?) see the logic here. There would be no need for all these “Why don’t you just” – and all these suggestions, mostly regarding .htaccess. Why not just change the login-URL and/or rename wp-login.php, and problem is solved? Why would that be such a terrible thing to do? There are other platforms where you do, some even require that you do.

    Oh, are you using the app for a site? I’ve always used WordPress on my own hosting. I always login on a computer so I don’t have that issue. I don’t think you could even password protect wp-login on anyway. I’m not sure. I’ve never used

    I can’t answer your other question of why they don’t allow for changing wp-login name. Maybe they will eventually if people make enough fuss about it.

    webeminence: Nope, a “self hosted” site. What made you think so? I’ve never tried password protecting the login, but it’s a feeling I have, that it wouldn’t work with the app.
    In plain text, I am really fed up with having to “tweak” everything everywhere, all the time (just as if I had all the time in the world to spend on these boring matters). Most often just because the Open Source developers who’s mercy I/we are under, “thinks” something about everything. “Nah, we don’t like that. We don’t do security by obscuring things, we like to have you do twenty different tweaks, and install twelve different plugins to make it work properly”. 😉

    esmi: Yeah, I have no user id1, no admin (or vastly similar) username and +10 letter “secure password”. So there’s not even a chance in a million plain bruteforce would work, perhaps not even billion.

    I do have this way to rename login etc. through “Better WP Security”, but haven’t tried it since I read all about these plugins that will conflict with it. So my question is, why don’t future WordPress come with that feature directly in the installation/setup? Instead of all these plugin/.htaccess tweak/external blacklist inclusion stuff. It doesn’t make any sense at all.


    (@fierevere) team, ru_RU support & translation

    this botnet is dumb, they dont follow redirect’s,
    therefore using a 3xx code on /wp-login.php can confuse them and they stop brute-force, as well as any 4xx code (http auth for wp-login.php is a good way)

    simplest way to redirect is to use ssl for /wp-admin/ parts
    can use FORCE_SSL_ADMIN or FORCE_SSL_LOGIN (more info ), i got a better experience with wp-https plugin, no more brute-forcing.

    @mattyx I didn’t realize there was an app for self-hosted blogs. That’s why I thought you might be on Maybe you shouldn’t deal with feelings so much and just try logging in with the app 😉 I just tested the app and I was able to login. They give an option under Optional Settings for an HTTP username/password. Pretty thoughtful of the app developers. I wouldn’t have expected it.

    Moderator Ipstenu (Mika Epstein)


    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    MattyX, with the tank analogy is this: if you armor your tank too much, it becomes unusable because its slow. Also if you change the design on the access panel on every new tank you make, you may forget where the door is from one to the next.

    There are a lot of reasons why WP doesn’t waste time in moving the wp-login page, and primarily it’s because security through obscurity doesn’t protect anyone. WordPress, being open source, means anyone can study the code and determine how WP would generate the new page, which just means they’d keep attacking you. You can google that if you’re inclined. Or read the comments here:

    If you’re trying to solve the problem of people trying to log in, there are plugins like Google Authenticator and so on.

    If you’re trying to solve the problem of WP being slow when the botnet hits it, then you’re looking at the wrong end of the problem. Add more memory to your servers, try using a proxy service, or harass the ISPs who are doing nothing to prevent the zombie PCs from accessing the Internet.

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘All these brute force attempts?’ is closed to new replies.