• Resolved duber777

    (@duber777)


    Hello.
    The site runs on an IIS web server.
    Through the IIS management console I blocked access to the site’s admin panel to everyone except local IP addresses.
    Why, after these steps, do entries with external IP addresses continue to appear in the Invalid Authorization Attempts section?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support vupdraft

    (@vupdraft)

    Hi,

    Do you mean the “Failed login reports”?
    Have you tried whitelisting the IPs in the Brute force section?
    It sounds like your IIS webserver is not filtering the IPs as it should do.

    Thread Starter duber777

    (@duber777)

    Yes, I meant it.
    I tried to add the IP to the whitelist, but it does not work. I suppose this is due to the fact that I have an IIS web server and there is no .htaccess file. Instead, there is a web.config. I also assumed that the brute force goes through XML-RPC, but after disabling it, the attacks continued (checked with an XML-RPC validator), for the same reason: this plugin function does not support working with the IIS web server.
    Last idea: IIS blocks access only to the wp-admin address, but access via wp-login.php remains open. I completely deleted this file from the root of the site. After some time, I will return, go to the plugin and look at “Failed login reports”.

    Thread Starter duber777

    (@duber777)

    UPD: Won.

    After deleting wp-login.php, the brute force continued.
    After that, I assumed that the attack was using the XML-RPC method.
    In addition to the steps in this article:
    https://www.bluelightdev.com/wordpress-restrict-access
    I also denied access to the xmlrpc.php file.
    After that, for a whole day, there was not a single attempt to guess passwords.

    Nevertheless, I have a wish for the developers – to add support for IIS web servers to the plugin in terms of access restrictions. Of all the other plugins that I have tried, none of them can interact with IIS.
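
Added example, not part of the original thread or the plugin: a Python check that reads an IIS W3C log and reports which login endpoints (wp-login.php, xmlrpc.php) external addresses can still reach, which is the question the posts above settle by trial and error. The log lines are constructed with documentation-range IPs and a reduced field set; `reachable_auth_hits` and `LOCAL_NETS` are hypothetical names, and the local ranges are an assumption to adjust to your own network.

```python
import ipaddress
from collections import Counter

AUTH_PATHS = {"/wp-login.php", "/xmlrpc.php"}  # endpoints named in the thread
# Assumption: "local" means RFC 1918 and loopback; adjust to your network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in IIS W3C format (real logs carry more fields).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-10 08:00:01 GET /wp-admin/ 203.0.113.7 403
2024-01-10 08:00:02 POST /wp-login.php 203.0.113.7 404
2024-01-10 08:00:03 POST /xmlrpc.php 203.0.113.7 200
2024-01-10 08:00:04 POST /xmlrpc.php 198.51.100.9 200
2024-01-10 08:00:05 POST /xmlrpc.php 203.0.113.7 200
2024-01-10 08:00:06 POST /wp-login.php 192.168.1.20 200
2024-01-11 09:00:00 POST /xmlrpc.php 203.0.113.7 403
"""

def reachable_auth_hits(log_text):
    """Count external requests to AUTH_PATHS that IIS did not answer 403/404."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        path = row.get("cs-uri-stem", "").lower()
        try:
            ip = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue  # malformed or missing client address
        if path not in AUTH_PATHS or any(ip in net for net in LOCAL_NETS):
            continue
        if row.get("sc-status") not in ("403", "404"):
            hits[(path, str(ip))] += 1  # request reached WordPress
    return dict(hits)

if __name__ == "__main__":
    for (path, ip), count in sorted(reachable_auth_hits(SAMPLE_LOG).items()):
        print(f"{path} still reachable from {ip}: {count} request(s)")
```

An empty result after the IIS restrictions are applied means external clients are being refused at the web server before WordPress sees the request.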

    Plugin Support vupdraft

    (@vupdraft)

    Hi,

    I will put a note on our internal board to look at this.
    We are currently moving away from writing rules in the .htaccess to make the plugin more accessible for those not using an Apache server.

    Thread Starter duber777

    (@duber777)

    Hi. Thanks for the feedback.
    Keep in touch.

  • The topic ‘Authorization attempts’ is closed to new replies.