Title: Brute force attack without wp-login.php file
Last modified: August 30, 2016

---

# Brute force attack without wp-login.php file

 *  [Giorgio](https://wordpress.org/support/users/superhub/)
 * (@superhub)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/brute-force-attack-without-wp-loginphp-file/)
 * Hello there, we have a site under brute-force attack since ten/fifteen days.
 * The site is fully updated and we installed Simple Security Firewall ([https://wordpress.org/plugins/wp-simple-firewall/](https://wordpress.org/plugins/wp-simple-firewall/))
   and Sucuri Security ([https://wordpress.org/plugins/sucuri-scanner/](https://wordpress.org/plugins/sucuri-scanner/)).
 * The login form should be protected by captcha and G.A.S.P. protection.
 * The permissions settings are strict (750 and 640).
 * Even when I delete the wp-login.php file the attack continues. How is this possible?
   Are they able to try to login thru a backdoor?
 * What can I do to further protect the site?
 * Here you have a notification of a login attempt:
 * Subject: Failed Login
    Login Info: Time: July 21, 2015 7:00 am Website Info: 
   Site: [http://XXXXX.XXX](http://XXXXX.XXX) IP Address: 173.245.53.154 Notification:
   User authentication failed: test User wrong password:
 * If you need more info just ask, thanks!

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Thread Starter [Giorgio](https://wordpress.org/support/users/superhub/)
 * (@superhub)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/brute-force-attack-without-wp-loginphp-file/#post-6348048)
 * I can add that the site’s server is behind a nginx reverse proxy and we suspect
   XSS injection.
 *  Thread Starter [Giorgio](https://wordpress.org/support/users/superhub/)
 * (@superhub)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/brute-force-attack-without-wp-loginphp-file/#post-6348050)
 * And the site runs behind CloudFlare!
 *  [leejosepho](https://wordpress.org/support/users/leejosepho/)
 * (@leejosepho)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/brute-force-attack-without-wp-loginphp-file/#post-6348060)
 * I know nothing about “nginx reverse proxy”, “XSS injection” or CloudFlare, but
   I do know deleting wp-login.php will not stop anyone from requesting it. You 
   might find some helpful info here:
    [https://wordpress.org/support/topic/wordpress-site-under-attack?replies=26](https://wordpress.org/support/topic/wordpress-site-under-attack?replies=26)

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Brute force attack without wp-login.php file’ is closed to new replies.

## Tags

 * [attack](https://wordpress.org/support/topic-tag/attack/)
 * [Brute](https://wordpress.org/support/topic-tag/brute/)
 * [force](https://wordpress.org/support/topic-tag/force/)
 * [form](https://wordpress.org/support/topic-tag/form/)
 * [login](https://wordpress.org/support/topic-tag/login/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 3 replies
 * 2 participants
 * Last reply from: [leejosepho](https://wordpress.org/support/users/leejosepho/)
 * Last activity: [10 years, 10 months ago](https://wordpress.org/support/topic/brute-force-attack-without-wp-loginphp-file/#post-6348060)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics