• Have just started watching live-traffic and was astonished to see so many IPs trying to access wp-login.php and/or access wp-comments-posts.php and/or /feed

    Is it wise for me to block those IPs?

    Our website deals with yachting so my legitimate traffic comes from developed countries, but the majority of the suspicious ones are from China, Chile, Romania. I also get suspicious persistent calls from French websites and several others in developed countries. In fact, I was dismayed to see that the majority of my traffic is suspicious. Is this normal?

    • This topic was modified 7 years, 5 months ago by jackandjude. Reason: notify me
Viewing 3 replies - 1 through 3 (of 3 total)
  • Around 50% of the bandwidth on a typical website, that’s not protected, is taken by suspicious and otherwise useless traffic. What you want to be doing is automating the reduction in this traffic, using plugins such as Wordfence, as well as your .htaccess file. Manually blocking individual IP numbers is whack-a-mole but should be done in the case of big persistent problems that Wordfence doesn’t take care of. Country blocking is very effective, use it if possible. The more sophisticated criminals bypass country blocking, but most are just looking for low hanging fruit and country blocking helps send those guys to other websites instead of yours.

    As for wp-login.php specifically, immediately install a login obfuscation plugin, WPS Hide Login is used by many people in concert with Wordfence.

    A big flaw in WordPress is the standardized login URL, which has become perhaps the most common attack vector on the internet. Patently ridiculous but it’s what we have to live with while the WordPress folks fiddle around with how the edit screen looks. Whoopeee.

    Measures above will reduce your site bandwidth taken by criminals and other useless bandwidth stealers, but if a criminal wants to hack your site and they’re good enough at it, they may still get in there. In case of that, have a good system of backups.

    (I’m a pro blogger, not associated with Wordfence.)

    MTN

    Thread Starter jackandjude

    (@capjack2j)

    MTN
    Really appreciate you taking the time for that lengthy bit of advice. I had to look up “whack-a-mole” but it fits perfectly.
    I am protected from out of country login, but figure anyone trying to log in to our site would be malevolent and should be banned, and if it’s from a country like Romania, not even near the ocean, which is central to our topic, I ban the network.
    When I have the time to view Live-Traffic, big time violators get blocked. Looking at the traffic, geez, it’s a real battle going on. Shocked I am.

    All the best from “Down Under”
    Jack

    If you have limited numbers of people logging in, and everyone is careful with entering passwords without typos, try setting the failed login blocking in Wordfence Options to be really strict. I use two or three tries then OUT. Of course in my case, using WPS Hide Login, this block doesn’t get triggered that often, but it’s there in case WPS Hide Login needs to be disabled for some reason. Also, once you get all your blocking tuned, try doing 48 hour blocks.

    If you want to get really aggressive with country blocking, plugin IQ Block Country allows you to set up a separate set of blocks for the admin side vs the public side. That’s an incredibly useful feature and a flaw of Wordfence in not having it.

    I use IQ Block Country along with Wordfence when I’m not using premium Wordfence. It works, but I prefer premium Wordfence. Well worth the money, and nice to send coin to the folks developing what is clearly a plugin that could actually change the world.

    I have a very niche site as well, hence country blocking works well for me.

    Be aware we’re not supposed to talk much about Wordfence Premium here. Which is strange but I guess charging money for good software is some kind of sin or something.

    MTN
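The strict lockout policy described in the reply above (two or three failed tries, then a 48 hour block), modelled over web server access log lines. This is an added example, not part of the original posts and not Wordfence's own code; the combined log format, the 5-minute counting window, the `plan_blocks` name and the 200-means-failed heuristic are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" format (documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2018:04:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2018:04:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2018:04:10:04 +0000] "GET /feed HTTP/1.1" 200 9120 "-" "FeedReader"
203.0.113.7 - - [12/Mar/2018:04:10:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2018:04:11:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2018:04:11:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2018:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def plan_blocks(log_text, max_failures=3, window=timedelta(minutes=5),
                block_for=timedelta(hours=48)):
    """Return ({ip: block_expiry}, {ip: requests that fell inside a block})."""
    recent = defaultdict(deque)      # ip -> timestamps of recent failed logins
    blocked_until, dropped = {}, defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                  # skip lines that are not combined-format
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if ip in blocked_until and when < blocked_until[ip]:
            dropped[ip] += 1          # would have been rejected by the block
            continue
        # Heuristic (assumption): WordPress answers a failed login with 200
        # (the form again) and a successful one with a 302 redirect.
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == "200":
            q = recent[ip]
            q.append(when)
            while q and when - q[0] > window:
                q.popleft()
            if len(q) >= max_failures:
                blocked_until[ip] = when + block_for
                q.clear()
    return blocked_until, dict(dropped)
```

On the constructed sample, the address with three failures in a row is blocked for 48 hours and its request the next day still falls inside the block, while the user who mistyped once and then logged in is left alone.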

  • The topic ‘Is it wise to use Live-Traffic to block suspicous IPs’ is closed to new replies.