Support » Plugin: All In One WP Security & Firewall » Robots still try to login after renaming admin url

  • Resolved ërralb



    I changed the login URL with your extension, but I keep getting robots trying to log in and locking events, as if wp-login.php was still accessible.

    Could you help me with this?

    Kind regards,


Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author wpsolutions


    Hi Pierre,
    It is likely that they are targeting your xmlrpc.php file and NOT the login page.
    Try disabling xmlrpc via the firewall rules and see if that makes a difference.

    Thanks, I’ll try that and will let you know if it solved the problem.

    Hi again, sorry but this did not solve the problem.

    Just to be sure, here is a screenshot of how I configured it:

    I’m still getting locking events nearly every night…

    Plugin Author wpsolutions


    What happens when you try to access the xmlrpc file directly, i.e., go to:

    What do you see?

    404: Not found

    You can view it for yourself! 🙂

    Plugin Author wpsolutions


    In your case since you have installed WordPress in a subdirectory you will find your xmlrpc.php is actually still accessible even though you have “disabled” xmlrpc in the aiowps settings.
    Unfortunately this is not working on your system because that feature is for Apache systems, but your web server is running NGINX.

    If you are not using xmlrpc.php on your site, you can solve this issue by manually adding the equivalent NGINX code which will deny access to the xmlrpc.php file. (There appear to be plenty of online resources which will show you how to do this.)

    That’s what I was thinking from the beginning and why I tagged the support request with nginx.

    I will find out how to do it and post it here for documentation purposes.

    Thanks for your support!

    For nginx, add:

    # Deny every request for xmlrpc.php; the unanchored match also covers a subdirectory install
    location ~ /xmlrpc.php {
        deny all;
        access_log off;
        log_not_found off;
    }
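
To confirm which endpoint the nightly lockouts actually come from, as diagnosed in the thread, the nginx access log can be tallied by endpoint. This is an added example, not part of the original thread or the plugin's code; the log lines are constructed, and the "combined" log format, the `/blog/` subdirectory and the "status below 400 means the request reached WordPress" heuristic are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in nginx "combined" format (not taken from the thread).
# The site is assumed to be installed under /blog/, mirroring the subdirectory case.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:02:14:01 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:02 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:02:15:10 +0000] "POST /blog/wp-login.php HTTP/1.1" 404 162 "-" "curl/8.0"
198.51.100.9 - - [12/Mar/2024:02:15:11 +0000] "GET /blog/xmlrpc.php?rsd HTTP/1.1" 200 812 "-" "curl/8.0"
192.0.2.44 - - [12/Mar/2024:02:16:30 +0000] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "python-requests/2.31"
192.0.2.44 - - [12/Mar/2024:02:16:31 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
garbage line that is not a log entry
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Endpoints that accept WordPress credentials.
ENDPOINTS = ("xmlrpc.php", "wp-login.php")


def login_attempts(log_text):
    """Count POSTs per (endpoint, reached); reached is True when status < 400."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip malformed lines and non-POST requests
        path = m["target"].split("?", 1)[0]
        # Compare on the file name only so a subdirectory install is still matched.
        name = path.rsplit("/", 1)[-1].lower()
        if name in ENDPOINTS:
            counts[(name, int(m["status"]) < 400)] += 1
    return counts


def reachable_endpoints(log_text):
    """Endpoints that still answered at least one credential POST."""
    return sorted({name for (name, reached) in login_attempts(log_text) if reached})


if __name__ == "__main__":
    for (name, reached), n in sorted(login_attempts(SAMPLE_LOG).items()):
        print(f"{name:14} {'reached' if reached else 'blocked'} {n}")
```

Because the rule above sets `access_log off`, requests to xmlrpc.php stop appearing in the access log once it is in place, so run the tally before applying the rule or leave logging on while verifying it.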
