Moderator
James Huff
(@macmanx)
Volunteer Moderator
Don’t worry about it, honestly, it sounds like you already have something keeping them out. If anything, maybe turn off those notifications. It’s just telling you that they didn’t get in, which really isn’t all that helpful in the long run. A bit like worrying every time someone walks by your front door. They don’t have the key, they aren’t getting in. 😉
It is very unlikely that you’re being targeted in any way. There are bots out there which look for common login URLs (like /wp-login.php ) and then try common weak username/password combinations. Like comment spam bots, they basically comb the web at random, report if/when/how they get in, and are just a fact of life with regards to having a public web site.
My top 2 sites have accumulated 63,640 blocked login attempts in the past 2 years alone, it’s just something that happens. Almost 12 years online with strong passwords, and no one has gotten in yet. As long as you use a strong password and have something to block them, you have nothing to worry about.
It’s possible your being targeted by a bot script attempting to validate a login for future attacks.
One trick you can use is to place a .htaccess rule challenging connections (known as Password Protected Directories) to the wp-admin portal. This does mean a few extra clicks for legitimate users but would drastically reduce both the attempted logins/alerts but also server resources.
<Files wp-login.php>
AuthType basic
AuthName "WordPress attack protection CAPTCHA. Enter username: {RANDOM STRING} Password: The result of math {MATH QUESTION}"
AuthBasicProvider file
AuthUserFile {PATH TO .htpasswd}
Require valid-user
</Files>
Your need to configure a few sections inside the {}’s but its fairly straight forward. Your host should also be able to help configure it, or may be built into your control panel.
Alternative to the above, or even as an added protection check out the WordPress plugin “Limit Login Attempts”.
