Viewing 8 replies - 1 through 8 (of 8 total)
  Plugin Author Ella

    (@ellatrix)

    If wp-login.php is not accessible, how can the form be attacked? What page is the form on that’s being attacked? Do you have login forms on the front-end? If so, of course this plugin cannot help you prevent them.

    Thread Starter dropshot

    (@dropshot)

    That was my question. How can it be attacked? I don’t know.

    I only have one login form on my site. That is the one on the renamed login-page. I was using the meta widget and noticed that the login page was accessible through that one. The login url in the widget was changed to the renamed page.

    But even with the meta widget removed robots was still trying to login.

    Wordfence doesn’t specify which page is being attacked, just that it has locked out a user. And since 30 users were locked out every minute it must have been attacked by robots. Don’t know how robots work but it seems that they don’t need the url to try to login…

    I finally stopped the attacks using “deny all” in my .htaccess and just allowing my ip. At that time more than 6000 users were locked out.

    Plugin Author Ella

    (@ellatrix)

    For which URL did you deny all with htaccess? Do you still have xmlrpc.php enabled? You can log in through that too, but that’s not the responsibility of this plugin, because it would disable external applications such as the WP mobile apps, Jetpack etc.
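    Added example (not part of this thread or of the plugin) of the login path Ella is pointing at. WordPress accepts credentials on /xmlrpc.php: any XML-RPC method that takes a username and password (wp.getUsersBlogs is the one usually abused) authenticates them, and system.multicall lets a client pack many such calls into one HTTP POST, so a single request can carry hundreds of guesses and never touch wp-login.php or the renamed login page. The script parses such a request body to count the attempts inside it and scans an Apache access log for clients hammering xmlrpc.php. The request bodies, credentials and log lines are constructed for the example, and the list of credentialed methods it knows about (wp.getUsersBlogs, wp.getProfile) is deliberately short.

```python
"""Added example: count XML-RPC login attempts and spot xmlrpc.php abuse in a log.
Not code from the thread or the plugin. All sample data is constructed."""
import re
import xmlrpc.client
from collections import Counter

# Credentialed XML-RPC methods -> index of the username parameter.
# wp.getUsersBlogs takes (username, password); most other wp.* methods take
# (blog_id, username, password). Only two are listed here; extend as needed.
CREDENTIAL_METHODS = {"wp.getUsersBlogs": 0, "wp.getProfile": 1}


def login_attempts(body):
    """Return [(method, username), ...] for every credentialed call in one
    XML-RPC request body, unwrapping a system.multicall if present."""
    params, method = xmlrpc.client.loads(body)
    if method == "system.multicall":
        # params[0] is an array of {"methodName": ..., "params": [...]} structs
        calls = [(c.get("methodName"), list(c.get("params", []))) for c in params[0]]
    else:
        calls = [(method, list(params))]
    attempts = []
    for name, args in calls:
        idx = CREDENTIAL_METHODS.get(name)
        if idx is not None and len(args) > idx:
            attempts.append((name, str(args[idx])))
    return attempts


def build_call(method, *params):
    """Construct a single XML-RPC methodCall body (demo helper)."""
    return xmlrpc.client.dumps(params, methodname=method).encode()


def build_multicall(username, passwords):
    """Construct a system.multicall body with one wp.getUsersBlogs call per
    password: the shape a password-guessing client sends in ONE POST."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]} for pw in passwords]
    return build_call("system.multicall", calls)


# Apache combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def xmlrpc_posts_per_ip(log_lines):
    """Count POSTs to xmlrpc.php per client IP. GETs are ignored: only a POST
    can carry a methodCall (WordPress answers GET with 405)."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            counts[m["ip"]] += 1
    return counts


def flag_xmlrpc_abusers(log_lines, threshold=5):
    """IPs with at least `threshold` xmlrpc.php POSTs. Keep the threshold low:
    each POST may hide hundreds of attempts via system.multicall."""
    return sorted(ip for ip, n in xmlrpc_posts_per_ip(log_lines).items() if n >= threshold)


# Constructed sample log: one client hammering xmlrpc.php, one legitimate
# remote-publishing client, and ordinary traffic to a renamed login page.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:13:55:38 +0000] "GET /my-secret-login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1830 "-" "ExampleClient/1.0"',
    '198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    body = build_multicall("admin", ["123456", "password", "admin2023", "letmein"])
    print(f"one POST of {len(body)} bytes carries {len(login_attempts(body))} login attempts")
    print("xmlrpc.php POSTs per IP:", dict(xmlrpc_posts_per_ip(SAMPLE_LOG)))
    print("flagged:", flag_xmlrpc_abusers(SAMPLE_LOG))
```

    Run it as-is to see that four guesses arrive in a single request, and that the log scan flags only the client repeatedly POSTing to xmlrpc.php, not the one-off remote-publishing client or visitors of the renamed login page. Because one POST can hide many guesses, a per-request threshold undercounts; if the web server stores request bodies (it normally does not), login_attempts() gives the true number.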

    Thread Starter dropshot

    (@dropshot)

    I use this

    # Block access to wp-admin (Apache 2.2 syntax). With "order deny,allow" the
    # deny rules are evaluated first, so the allow rule for x.x.x.x overrides "deny from all".
    order deny,allow
    allow from x.x.x.x
    deny from all

    with x.x.x.x replaced by my ip of course

    That stopped the attacks. But as you mentioned, other applications are disabled. So it’s not the best solution.

    Sorry, but I don’t know what xmlrpc.php is.

    Thread Starter dropshot

    (@dropshot)

    Yep. Another site just got attacked. 2000 users locked out.

    This plugin didn’t help, since it’s not the wp-login that is targeted.

    I disabled xmlrpc in wp-config and it stopped.

    Thanks a lot for pointing me in the right direction!

    Plugin Author Ella

    (@ellatrix)

    No problem. I might add this to the plugin description. I don’t think this plugin should disable xmlrpc, because, as I said, it will “cripple” other plugins and applications. It’s up to the user to disable it or not.

    Hi,

    Firstly, many thanks for going to the effort of making this plugin to help provide an additional layer of protection.

    Just one thing, whilst it protects wp-admin and wp-login, I have found that if you follow your URL with /login, i.e. http://www.example.com/login, you get redirected to whichever URL you have chosen to replace WordPress’ default login page.

    Any chance of being able to update the plugin so that such a redirect does not occur?

    Thanks once again.

    Craig

    Any follow-ups on Craig1986’s answer?

The topic ‘wp-login.php is NOT protected’ is closed to new replies.