iThemes Security (formerly Better WP Security)
I cannot hide login page (5 posts)

  1. tamantit
    Posted 3 years ago #


    my web site is under brute force attack since October.
    Better-wp-security logs hundreds of failed login attemps every day.

    I'm trying to improve my web site security following the better-wp-security directions, so I did almost everything suggested but my site is still under attack.
    I suppose that the main issue is that I cannot hide the login page.

    - Hide backend options are ON
    - I changed the name of login, admin and register slugs
    - I modified my .htaccess file as suggested here (http://wordpress.org/support/topic/after-enabling-hide-backend-still-i-am-getting-bad-login-attempt-how)

    but I suppose that my login page is still visible to the hackers.

    Any suggestions?




  2. Handoko
    Posted 3 years ago #


    The modified .htaccess seems work correctly on my tests. Can you post your website address here? I would like to test to know is that rewrite rule working or not.

  3. Handoko
    Posted 3 years ago #

    Also, you might want to put a list of bad IPs in your Banned Users section.

    My website was under attacked by login attempts many times everyday. So I installed a plugin to view the visitors' IPs. After some months of careful analyzing the data, now I have a list of the bad IPs.

    By putting the list into the Banned Users, my website now never visited by brute force login attackers. You can get the list on this thread:

  4. tamantit
    Posted 3 years ago #


    My web site is http://www.nonsolopiccante.it

    I'm using also a huge ip address blacklist since attacker's ip addresses change everyday, but it doesn't solve my problem.

    thank you for your help!


  5. Handoko
    Posted 3 years ago #

    I tested your website by using this url:

    I received a 404 error (page not found), it means the trick works. If you still get bad login attempts, I may suggest you:

    Goto the Hide Backend section, change the Login Slug. Don't use "login" nor "user", that too common. But use something hard to guess like "mysecretlogin".

    Some hackers may already know your secretkey, so it is good to enable the Generate new secret key to let the plugin randomly change the key for you.

    But remember if you click the save changes, the plugin will revert back to its default value so you need to modify the .htaccess again.

    You may consider to use Bad Behavior plugin, it will stop many bad bots that accessing your website including the autologin who try to brute force login to your website.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic