HTACCESS blocking wp-admin and login.php yes still accessed

In my experience, the plugin WP Hide Login cleans things up quite nicely, perhaps give it a shot along with what you’re doing? That said, it’s indeed weird that you have things set up in .htaccess and it tests out, but, if you get a 404 perhaps that means the Wordfence WAF is still “seeing” that traffic and it needs to be blocked a bit differently in the .htaccess? Interesting, I’ll watch this space, thanks for bringing up a good subject. MTN

@mountainguy2 ,

if you get a 404 perhaps that means the Wordfence WAF is still “seeing” that traffic and it needs to be blocked a bit differently in the .htaccess

Odd things to think about
1) When I test with a VPN I get the “IP tried to access a none-existant file” in the live traffic tab in WF
2) It actually says in the email “Used an invalid username ‘XXXXXX’ to try to sign in.”
3) One more odd thing, in my htaccess I wrote 403, yet when I try to access I get a 404.

Hmmmmmm

Re your 403 to 404 problem, look very carefully at your .htaccess for redirects, also check for other .htaccess files that might be located in your server directory tree. In my case, I’ve got a very helpful ISP and they often quickly solve problems like this, perhaps that’s worth a shot for you.

BTW, as I’ve seen suggested before here on this forum, so long as you have strong passwords for your WP admin logins, brute force login attacks are just an annoyance. For peace of mind, we also have special admin accounts that are never made public, all other user accounts are set to very low permission levels. Our admin accounts have usernames that are impossible to guess. We combine that with WP Hide Login and we have peace of mind.

But, I’m always wondering if it would be better to let the criminals go ahead and get blocked by Wordfence, simply because I have no idea which option uses less bandwidth:
Option one, “block” using .htaccess and/or WP Hide Login.
Option two, let them hit the login screen but get blocked by Wordfence.

I’d sure like to see something definitive from Wordfence about this, perhaps a blog post? The question: How to deal with login brute forcing in a way that uses the least server bandwidth.

Hi,

If admins are lookign at this thread: as of 2017-09-23 10:25 PM (EST) it seems that the attempts to login stopped. Approximately 24 hours after I put the rules in place.

Still odd that the HTACCESS rules were somehow superseceded, but i am not an Apache expert, so perhaps you have some ideas.

All the best
Daveed

Hello Daveed,

Wordfence already provides “Login Security Options” which you can adjust on the Wordfence “Options” page. Our recommended settings are in the link below:

Login Security Options

You don’t want to block access to the “wp-admin” directory. Please read the article below from our blog to understand why:

Why you don’t want to block access to the wp-admin directory

Thank you.