Yes, I use Wordfence, which is constantly reporting locked IPs from all over the world, telling me that they have been blocked for submitting an invalid username (‘admin’ or ‘other…’) and/or for other reasons such as failed attempts x times…
This, I believe, is due to the fact that the page is still essentially accessible and the form can still be accessed in an automated way.
Here’s what I have:
1) Clef is installed and I’ve disabled passwords and exclusively use the Clef login form.
2) Wordfence blocks IPs if someone tries to log in with an invalid username or attempts unsuccessfully more than x times.
3) I have my own redirect plugin I built: unless you type in exactly mysite.com/wp-login.php?something=somethingelse, the visitor gets redirected to my home page. This is a bit different from the Clef override, as the Clef override allows access to the original form, whereas this attempts to keep people who don’t know the secret formula from accessing the login page altogether *evil grins*
However, this still doesn’t take into account automated hacker tools that will submit the default WP form upon visiting the “known” login URL of every WP site, /wp-login.php.
Other plugins that change the login URL often fail because they break plugins like this one, Wordfence, etc., and they forget about the built-in redirect that would take people to the new login URL anyway.
The automated process happens so quickly that my redirect isn’t quick enough to catch it, so I still get tons of emails, which also indicates the massive number of hits I get, all because I use the ever-popular WordPress CMS.
Taking this long write-up even further, I suspect that many 21st-century hackers have a mechanism for scraping sites that exist at a certain IP address, probably from popular shared hosts like GoDaddy, HostGator, etc., and maybe, just maybe, they will remove a domain from their regimen if the /wp-login.php URL doesn’t exist. Of course, I’m assuming and hoping these hackers are also trying to be efficient with their resources; I could be totally wrong.
I also know security through obscurity is not the greatest idea, but if it appears one would have to do quite a bit of digging around to find the actual login form/URL, rather than always knowing the URL it exists at (currently wp-login.php), that could minimize the massive number of hits we receive.
Can we remove the original form altogether and only reveal/provide that form when using the override URL? What about changing the login URL, bypassing WordPress’s built-in auto redirect from /wp-admin and /login, for example?
This is a great topic, and I’m surprised WP isn’t making greater advances on the issue as it pertains to the hacker “hits” we all must endure even though we know our site is secure. The other problem never seems to go away and *could* impact our hosting plans in regard to monthly bandwidth.
Also, yes, I know with the upcoming 4.4 they are introducing two-factor auth, but it still doesn’t deal with the number of hits our sites are always getting… some of my sites are in the hundreds of hits per minute in hack attempts alone.
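As an added example (not the poster’s plugin or Wordfence/Clef code), here is one way to gate wp-login.php the way the post describes: hooking `login_init`, which WordPress fires before any submitted credentials are processed, so an automated POST without the token is turned away before authentication runs, and carrying the token through the form’s hidden field and the `login_url` filter so WordPress’s own /wp-admin and /login redirects still land on the form. The parameter name `gate` and the placeholder value are assumptions; the token travels in URLs and server logs, so this cuts noise rather than adding authentication, and Wordfence’s lockouts should stay in place.

```php
<?php
/*
Plugin Name: Login Gate (example)
Description: Example only. Hides wp-login.php unless a secret query parameter is present.
*/

// Assumed parameter name and value; choose your own and keep the value out of version control.
const LOGIN_GATE_PARAM = 'gate';
const LOGIN_GATE_VALUE = 'REPLACE-WITH-A-LONG-RANDOM-STRING';

function login_gate_token_ok() {
    // The token may arrive in the URL (first visit) or in the hidden form field
    // (the POST that submits credentials). Constant-time compare avoids timing leaks.
    $supplied = ( isset( $_REQUEST[ LOGIN_GATE_PARAM ] ) && is_string( $_REQUEST[ LOGIN_GATE_PARAM ] ) )
        ? $_REQUEST[ LOGIN_GATE_PARAM ] : '';
    return hash_equals( LOGIN_GATE_VALUE, $supplied );
}

// login_init runs in wp-login.php before the login action is handled, so requests
// without the token never reach wp_signon() and never count as login attempts.
add_action( 'login_init', function () {
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : 'login';
    // Password-protected posts and logouts of already-authenticated users also go
    // through wp-login.php; leave those alone.
    if ( 'postpass' === $action || ( 'logout' === $action && is_user_logged_in() ) ) {
        return;
    }
    if ( ! login_gate_token_ok() ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
} );

// Carry the token into the login and lost-password forms so their POSTs pass the gate.
$login_gate_hidden_field = function () {
    printf(
        '<input type="hidden" name="%s" value="%s" />',
        esc_attr( LOGIN_GATE_PARAM ),
        esc_attr( LOGIN_GATE_VALUE )
    );
};
add_action( 'login_form', $login_gate_hidden_field );
add_action( 'lostpassword_form', $login_gate_hidden_field );

// WordPress builds its logged-out /wp-admin redirect, the /login shortcut and
// auth_redirect() targets with wp_login_url(), which applies this filter; without
// the token those redirects would bounce legitimate users to the home page.
add_filter( 'login_url', function ( $login_url ) {
    return add_query_arg( LOGIN_GATE_PARAM, LOGIN_GATE_VALUE, $login_url );
} );
```

Drop the file into wp-content/mu-plugins/ so it cannot be deactivated from the admin screen, and test the lost-password and logout paths after enabling it, since those are the flows most often broken by login-hiding plugins.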