• I have my /wp-admin folder protected with a .htaccess file and with a long/new password and username just created. Yet, I still get login failures in Wordfence? How is this possible if the /wp-admin folder is locked down with .htaccess? I am also using TFA for logins.

Viewing 2 replies - 1 through 2 (of 2 total)
  • WordPress has a file called xmlrpc.php that is used for remote login. Attempts to log in via that protocol will also be recorded by Wordfence as login attempts. I’ll also add that it is not advisable to login-protect wp-admin with htaccess, since this breaks admin-ajax.php, which is used on the front end by many themes and plugins.

    I’ve had good results with using the plugin “Disable XML-RPC” as well as deleting the xml-rpc file from my WordPress install, and repeating the deletion after every WordPress so-called “upgrade.”

    One less attack vector…

    MTN
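
Added example, not part of the original thread: a short Python check that sorts web server access log lines into requests stopped by the /wp-admin password prompt and login-capable POSTs that never touch that folder. It assumes WordPress sits at the web root and Apache combined log format; the sample lines are constructed, and it also counts /wp-login.php, which goes beyond the xmlrpc.php case named in the reply.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/8.0"
198.51.100.9 - - [12/Mar/2024:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:02:11 +0000] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:03:05 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Login-capable files that live in the WordPress root, outside /wp-admin/
# (assumption: WordPress is installed at the web root).
LOGIN_ENDPOINTS = {"/xmlrpc.php", "/wp-login.php"}


def classify(line):
    """Return (category, path) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    if path.startswith("/wp-admin/"):
        # 401 means the directory password prompt answered, not WordPress.
        blocked = m["status"] == "401"
        return ("stopped_by_htaccess" if blocked else "wp_admin_other", path)
    if m["method"] == "POST" and path in LOGIN_ENDPOINTS:
        return ("login_path_outside_wp_admin", path)
    return ("other", path)


def summarize(log_text):
    """Count log lines per (category, path)."""
    results = (classify(line) for line in log_text.splitlines())
    return Counter(r for r in results if r is not None)


if __name__ == "__main__":
    for (category, path), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {category:28s} {path}")
```
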

  • The topic ‘How Can There Be Login Failures with .htaccess?’ is closed to new replies.