• I am currently experiencing a brute force attack that is originating from a different IP every 2-10 seconds. It is trying to log in as admin, which I have set as a username to be instantly blocked. Since the IP address changes every time, this is not slowing the attack. Country blocking won’t help because it would land up blocking everyone.

    I would like to limit access to wp-login.php, for example by white-listing only my specific IP, and black-listing everything else.

    I have tried this via .htaccess in the root like this:

    <Files wp-login.php>
    Order Deny,Allow
    Deny from All
    Allow from my.ip.add.ress
    </Files>

    Sadly this doesn’t seem to be working. I’m still seeing a new login attempt every few seconds via the Live Traffic panel.

    It would be great if this sort of action could be done from within Wordfence. Or perhaps there is a different solution for this sort of attack.

    Thanks!

    https://wordpress.org/plugins/wordfence/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter AJD

    (@ajd)

    As an update.

    This did not stop the attack,

    adding to htaccess:

    <files wp-admin.php>
    order deny,allow
    deny from all
    allow from my.ip.add.ress
    </files>

    Also I tried deleting wp-login.php, but I am still getting notifications from Live Traffic:

    Kennesaw, United States attempted a failed login using an invalid username “admin”.
    IP: 66.56.51.99 [block]
    Hostname: c-66-56-51-99.hsd1.ga.comcast.net
    5 seconds ago

    I’m not sure how that is possible…

    Thread Starter AJD

    (@ajd)

    They weren’t accessing wp-login.php at all because this stopped the attack:

    <Files "xmlrpc.php">
    Order Allow,Deny
    deny from all
    </Files>

    Sadly this will also stop all trackbacks and pingbacks.

    I don’t know enough to fully understand how xmlrpc.php can be used in a login attempt.

The topic ‘Limit access to wp-login.php (Feature Request)’ is closed to new replies.
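
Added example, not part of the original thread: WordPress's XML-RPC API (xmlrpc.php) accepts a username and password with its calls, so it is a second login path that rules on wp-login.php do not cover. The sketch below tallies POST requests per credential-accepting endpoint from an Apache combined-format access log to show which one the attempts are actually hitting; the sample log lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "METHOD target proto" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# WordPress endpoints that accept credentials: the login form and the XML-RPC API.
AUTH_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

def summarize_auth_posts(lines):
    """Count POSTs, source IPs and HTTP statuses for each credential-accepting endpoint."""
    stats = {ep: {"posts": 0, "per_ip": Counter(), "statuses": Counter()}
             for ep in AUTH_ENDPOINTS}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        if method != "POST":
            continue
        for ep in AUTH_ENDPOINTS:
            if path.endswith(ep):  # also matches installs in a subdirectory
                stats[ep]["posts"] += 1
                stats[ep]["per_ip"][ip] += 1
                stats[ep]["statuses"][status] += 1
    return stats

def looks_distributed(entry, min_ips=5, max_avg_per_ip=3):
    """Many sources with few requests each: per-IP blocking will not slow this down."""
    ips = len(entry["per_ip"])
    return ips >= min_ips and entry["posts"] / ips <= max_avg_per_ip

# Constructed sample: six POSTs to xmlrpc.php from six documentation-range IPs,
# plus one wp-login.php POST that the .htaccess rule answered with 403.
SAMPLE_LOG = [
    '198.51.100.%d - - [10/Oct/2015:13:55:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"'
    % (i, i * 5) for i in range(1, 7)
] + [
    '203.0.113.7 - - [10/Oct/2015:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 403 210 "-" "-"',
    '203.0.113.7 - - [10/Oct/2015:13:56:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for ep, entry in summarize_auth_posts(SAMPLE_LOG).items():
        print(ep, entry["posts"], "POSTs from", len(entry["per_ip"]), "IPs,",
              dict(entry["statuses"]), "distributed:", looks_distributed(entry))
```

To run it against a real server, pass the lines of the site's access log instead of `SAMPLE_LOG`; the log path depends on the hosting setup.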