• Resolved beltanconsultancy

    (@thetraininglady)


    I have renamed my site login page but I’m still getting at least 2-3 site lockout notifications per day for my site where the username varies between:
    -admin
    -random names
    -and now usernames such as “Direct Lender Loans”, “Instant Online Loans”, “Loans Online” etc

    How are these lockouts happening if I’ve renamed my login page?
    My security meter is currently at 400.

    Is there something I can adjust to stop these?


Viewing 13 replies - 1 through 13 (of 13 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, do you have one of the following features enabled under WP Security -> Firewall -> Basic Firewall Rules -> WordPress XMLRPC & Pingback Vulnerability Protection?

    Completely Block Access To XMLRPC:
    Disable Pingback Functionality From XMLRPC:

    Regards

    Thread Starter beltanconsultancy

    (@thetraininglady)

    Yes both are enabled.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, you should only enable one or the other.

    If you choose the following feature only.

    Completely Block Access To XMLRPC:

    What happens when you type the following URL in the browser?

    yoursite.com/xmlrpc.php

    Thread Starter beltanconsultancy

    (@thetraininglady)

    I get a page not found message.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    > I get a page not found message.

    That is good, that means that it is working correctly.

    Do you have the following feature enabled?

    Enable Login Lockdown Feature:

    Thread Starter beltanconsultancy

    (@thetraininglady)

    Yes, I have this feature enabled.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, do you also have the following features enabled?

    Instantly Lockout Invalid Usernames:
    Instantly Lockout Specific Usernames:

    Are you allowing registration in your site via WordPress or a plugin? If it is via a plugin, is this a membership plugin?

    Thread Starter beltanconsultancy

    (@thetraininglady)

    Yes have lockout invalid usernames enabled.
    No specific usernames set up to lock out.

    There are no registrations on the site or via any plugins other than subscribe to Mailchimp list.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Are these lockouts coming from specific countries?

    > No specific usernames set up to lock out.

    You might want to add the names you mentioned above in this field.

    Thread Starter beltanconsultancy

    (@thetraininglady)

    Sorry but confused, I am assuming the lockout records are happening because the usernames are invalid so it’s locking them out first attempt. Therefore no point adding them into the instantly lockout box because they are already locked out as using an invalid username.
    I’m confused why or how they are getting through and able to fill out the login page in the first place.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi,

    > I am assuming the lockout records are happening because the usernames are invalid so it’s locking them out first attempt.

    Yes that is correct.

    > Therefore no point adding them into the instantly lockout box because they are already locked out as using an invalid username.

    Yes but they are only locked out based on the time period you set out in the following field Time Length of Lockout (min):. Once that lock out period is over, that IP address will not be blocked out anymore.

    > I’m confused why or how they are getting through and able to fill out the login page in the first place.

    There might be some setting or area in your site that is visible and our plugin cannot block or protect. However enabling all of the above options, this plugin will stop and protect the areas that the plugin controls.

    You also mentioned above that you enabled Renamed Login Page under Brute Force. This means that no one will know the login URL. An example of the login URL is yoursite.com/secretword.

    Let me know if you need more help or information.

    Kind regards

    Thread Starter beltanconsultancy

    (@thetraininglady)

    I’ve permanently blocked the IP address at a server level so the lockouts have stopped.

    There is no area within my site which would be providing access to any type of login so again not sure why this was happening. Blocking the IP address has stopped it for the moment.

    Yes, my login page is renamed but if no one knows that login URL but me then wondering how these failed login attempts are occurring. I am assuming it’s just a script running looking to fill out forms but again, how is it finding my renamed login page.

    Just unanswered questions at this stage which not sure I will get an answer to.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi,

    > I’ve permanently blocked the IP address at a server level so the lockouts have stopped.

    I am happy to know.

    > There is no area within my site which would be providing access to any type of login so again not sure why this was happening. Blocking the IP address has stopped it for the moment.

    I am not sure either without knowing more information about your current server and site set up.

    > Yes, my login page is renamed but if no one knows that login URL but me then wondering how these failed login attempts are occurring. I am assuming it’s just a script running looking to fill out forms but again, how is it finding my renamed login page.

    They are not detecting your renamed login page URL. A lockout can also occur if someone tries to access one or both of the following URLs in your site.

    yoursite.com/wp-admin.php or yoursite.com/wp-login.php.

    Because these URLs don’t exist anymore. Anyone typing these URLs will produce a lockout action by the plugin.

    > Just unanswered questions at this stage which not sure I will get an answer to.

    I hope I have now answered all your questions.

    Kind regards
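
One way to check which URL the locked-out clients actually requested, as an added example that is not part of the original thread or the plugin's code: it tallies login-related requests per client IP from a web server access log. It assumes the Apache/nginx combined log format and reuses the `secretword` slug from the reply above; the log lines are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3}')

def classify(path, renamed_slug):
    """Map a request path to the login-related endpoint it targets, or None."""
    p = path.split("?", 1)[0].rstrip("/").lower()
    if p == "/" + renamed_slug.lower():
        return "renamed-login"
    if p == "/wp-login.php":
        return "wp-login.php"
    if p == "/xmlrpc.php":
        return "xmlrpc.php"
    if p in ("/wp-admin", "/wp-admin.php") or p.startswith("/wp-admin/"):
        return "wp-admin"
    return None

def summarize(lines, renamed_slug):
    """Return {ip: Counter(endpoint -> hits)} for login-related requests."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _method, path = m.groups()
        endpoint = classify(path, renamed_slug)
        if endpoint:
            hits[ip][endpoint] += 1
    return hits

def found_renamed_page(hits):
    """IPs that requested the renamed login URL itself."""
    return sorted(ip for ip, c in hits.items() if c["renamed-login"])

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "bot"',
    '203.0.113.7 - - [01/Jan/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "bot"',
    '203.0.113.7 - - [01/Jan/2020:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 512 "-" "bot"',
    '198.51.100.20 - - [01/Jan/2020:11:00:00 +0000] "GET /secretword HTTP/1.1" 200 4096 "-" "Mozilla"',
    '198.51.100.20 - - [01/Jan/2020:11:00:09 +0000] "POST /secretword HTTP/1.1" 302 0 "-" "Mozilla"',
    '192.0.2.5 - - [01/Jan/2020:12:00:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "curl"',
    '192.0.2.5 - - [01/Jan/2020:12:00:05 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "curl"',
    'not a log line',
]

if __name__ == "__main__":
    report = summarize(SAMPLE, "secretword")
    for ip, counts in sorted(report.items()):
        print(ip, dict(counts))
    print("requested renamed login URL:", found_renamed_page(report))
```

An IP that appears only under `wp-login.php`, `wp-admin` or `xmlrpc.php` never reached the renamed page; only IPs returned by `found_renamed_page` requested the renamed URL itself.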

  • The topic ‘Multiple login attempts on renamed login page’ is closed to new replies.