Support » Plugin: iThemes Security (formerly Better WP Security) » I hid wp-admin but hackers are still finding it

Viewing 11 replies - 1 through 11 (of 11 total)
  • hlango, what you are reporting does not seem to be normal to me. It sounds like your site must be very enticing in one way or another: money, sex, drugs, SEO secrets, or ??? 😉

    From the way you wrote it, nobody has managed to get inside yet? Did you put a harder limit on wrong access attempts?

    Just as a matter of principle, I am allowing only three wrong attempts from the same user and also from the same host, and have a 10+ hour delay before they can try again. I also blacklist after being blocked only 3 times.

    I don’t have any addresses blacklisted yet, but I just raised the barrier about two weeks ago. My six sites with BWPS installed pull a total of over 200 unique visitors per day.

    I did not receive an email notice of your reply; that’s why I’m only replying now.

    Also, lol – no illegal things on any of my sites – I don’t even have any advertisements (since I do not like ads).

    I’ll try limiting the number of wrong attempts. I didn’t even know I could do that. That’s very reassuring.



    One of the great features of this plugin is changing the login slug (under menu > Security > Hide Backend).

    Unfortunately, many hackers have already found a way to skip this login barrier. This issue has been discussed several times, but it seems the author is still very busy and has no time to fix it.

    You can read more info, and also a quick temporary fix, here:

    I wonder if the fix mentioned at:

    – can be pulled off with the Redirection plugin.

    I will attempt it later on.

    I was away – I now have a relatively large number (for me) of IP addresses and IP ranges blacklisted. What I do now is this: (1) if anybody gets blacklisted by BWPS, (2) then I put them on a manual list which I utilise in the manual blacklist box on all my websites with BWPS installed. (3) Also, I blacklist the entire range that shows up on, not just the individual IP addresses.

    It is a little kinky dealing with the way BWPS interprets the * wildcard character. You can get a better idea if you see what shows up on the list in the .htaccess file, and also what happens when you do the blocking on your hosting control panel.

    Still did not receive email notification of follow-up post.

    I wasn’t able to use Redirection to fix the problem, but (for some reason) the number of login attempts dropped down to practically 0 recently.



    I’m glad to hear the bad login attempts dropped.

    I wasn’t able to use Redirection to fix the problem.

    Please explain more, I’m interested to hear.

    BulgariaRealtor’s suggestion is good; I use a similar way (but more complicated). Here is a good tool to check the IP:

    I tried to use Redirection to redirect loggedout=true to another URL. It didn’t work.

    I haven’t tried the htaccess fix. I prefer to not touch htaccess.

    Fortunately, the hackers kept trying with username “admin”. If I do see login attempts with the correct username, I’m going to try the htaccess fix.



    I tried to use Redirection to redirect loggedout=true to another URL. It didn’t work.

    How did you do it? Using a plugin? I once tried to use a plugin, and yes, it did not work either.

    Hackers are stupid, they only know “admin”. But it will be great if hackers never touch my sites. I won’t give them any chance, not even to waste my bandwidth.

    I use it to redirect old urls to new ones. It didn’t work with loggedout=true, unfortunately.



    If I’m not wrong, I once tried it and some other redirection plugins. Because of the way Better WP Security works, other plugins are unable to redirect the login URL. So perhaps the only way is to edit the .htaccess file manually.

  • The topic ‘I hid wp-admin but hackers are still finding it’ is closed to new replies.
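
Added example, not part of the thread and not the plugin's own code: a small Python model of the lockout policy described in the first reply (three wrong attempts per user and per host, a 10-hour wait, blacklist after three lockouts). The 5-minute counting window, the choice that the third wrong attempt triggers the lockout, and all names and sample addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_ATTEMPTS = 3                 # wrong attempts allowed per user and per host (thread)
LOCKOUT = timedelta(hours=10)    # wait before retrying (thread says "10+ hour")
BLACKLIST_AFTER = 3              # lockouts before a host is blacklisted (thread)
WINDOW = timedelta(minutes=5)    # assumption: how long a failure is remembered


class LockoutPolicy:
    def __init__(self):
        self.failures = defaultdict(list)   # ("host"|"user", name) -> failure times
        self.locked_until = {}              # same keys -> end of current lockout
        self.lockouts = defaultdict(int)    # host -> lockouts so far
        self.blacklist = set()              # hosts banned for good

    def failed_login(self, when, host, user):
        """Record a failed login; return 'counted', 'locked' or 'blacklisted'."""
        if host in self.blacklist:
            return "blacklisted"
        keys = [("host", host), ("user", user)]
        if any(self.locked_until.get(k, when) > when for k in keys):
            return "locked"                 # refused during a lockout, not counted
        result = "counted"
        for key in keys:
            recent = [t for t in self.failures[key] if when - t < WINDOW] + [when]
            self.failures[key] = recent
            if len(recent) < MAX_ATTEMPTS:
                continue
            self.failures[key] = []
            self.locked_until[key] = when + LOCKOUT
            result = "locked"
            if key[0] == "host":
                self.lockouts[host] += 1
                if self.lockouts[host] >= BLACKLIST_AFTER:
                    self.blacklist.add(host)
        return "blacklisted" if host in self.blacklist else result


def replay(events):
    """Feed (when, host, user) failures through a fresh policy."""
    policy = LockoutPolicy()
    return policy, [policy.failed_login(*e) for e in events]


# Constructed sample: one host hammering "admin" in three bursts, 11 hours apart.
T0 = datetime(2014, 1, 1, 8, 0)
SAMPLE = [(T0 + timedelta(hours=11 * burst, minutes=m), "203.0.113.7", "admin")
          for burst in range(3) for m in range(3)]

if __name__ == "__main__":
    policy, results = replay(SAMPLE)
    print(results, sorted(policy.blacklist))
```

The per-user counter is what catches guesses at one username spread across many hosts, where no single host ever reaches its own limit.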