• Hello.

    I have several blogs, and all of them are getting brute-force attempts. I have a captcha; it is useless.

    I have banned dozens of IPs. Useless.

    They can’t log in, but they keep trying.

    I have read hundreds of pages trying to find a solution. What would be best is to change the wp-admin address. But it is very hard to do that.

    When you have a Joomla, osCommerce, PrestaShop… the first thing you do is change the admin URL.

    Why the hell doesn’t WordPress allow that???

    I’m even thinking of changing to another blog platform because of this.

    Thanks.

Viewing 5 replies - 31 through 35 (of 35 total)
  • Thread Starter pabloespejo

    (@pabloespejo)

    Does not work and is 100% not accepted by any reputable IT security professional.

    Can you explain to me why it does not work? It is another layer of security. We are not talking here about relying for all protection on hiding a folder, but about adding it to avoid bandwidth waste and for extra security.

    If they don’t know the folder, they need to find it. If they find it (it won’t be easy if you put a good long name), you can change it. Eventually, it makes sense that they will go to an easier target.

    Thread Starter pabloespejo

    (@pabloespejo)

    @jan – I will refrain from further discussion.

    I am an extreme case of an INTP and when I get into arguments over this kind of thing it is never fruitful. I have trouble staying civil when I believe someone else’s viewpoint is very wrong. But I am working on that.

    So for the sake of trying to keep peace I am going to bow out of the discussion in this thread.

    But my parting words are that logically, if an attacker does not know what URL to attack then it is impossible for them to attack that URL.

    The failure of security by obscurity is when it is assumed an attacker can never defeat the obscurity, and getting lazy with what was obscured, rather than using obscurity to reduce attacks but assuming some will defeat the obscurity.

    e.g. plain text in the shadow file because it can only be read by root and thus is obscured would be relying solely upon obscurity and therefore flawed.

    But when the obscurity is an addition to existing measures that you would use w/o obscurity, how could it possibly be detrimental?

    https://packetpushers.net/obscurity-security-reality/

    An article by Russ White discussing obscurity and security.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    At this time, your choices are to use plugins or server-based tools to protect yourself from DDoS. WP has decided not to go the route of blocking wp-admin or security by obscurity. Unless that changes, this is a place we’ll have to agree to disagree.

    If they don’t know the folder, they need to find it. If they find it (it won’t be easy if you put a good long name), you can change it. Eventually, it makes sense that they will go to an easier target.

    Not really. Few people are hitting wp-admin. It’s usually xmlrpc.php or your plugins.

    Irony? Packetpushers is on WP. Also what he’s saying is that security via obscurity is a component of a complete security system and to that end he’s right. But at the end of the day, you still have to have a front door and every burglar knows where it is.

    I’m closing this topic since it’s walked past the place of fruitful discourse, and this is not a value judgement of anyone’s fundamental security beliefs.
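
The moderator's reply above says login attempts usually hit xmlrpc.php rather than wp-admin; one way to check that on your own server is to tally login POSTs per endpoint in the access log. This is an added example, not code from the thread or from WordPress, and the combined log format, the sample lines and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumed input: Apache/nginx "combined" access-log lines.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*"')
ENDPOINTS = ("wp-login.php", "xmlrpc.php")

# Constructed sample data (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.8 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.9 - - [10/Mar/2024:10:00:04 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
192.0.2.10 - - [10/Mar/2024:10:00:06 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Mar/2024:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
truncated or malformed line
"""

def parse(line):
    """Return (ip, endpoint) for a POST to a login-capable endpoint, else None."""
    m = LINE_RE.match(line)
    if not m or m.group(2) != "POST":   # GETs only fetch the form; skip them
        return None
    path = m.group(3).split("?", 1)[0]  # drop the query string
    name = path.rsplit("/", 1)[-1]      # also matches subdirectory installs
    return (m.group(1), name) if name in ENDPOINTS else None

def tally(lines):
    """Per endpoint: (total login POSTs, number of distinct source IPs)."""
    hits, ips = Counter(), defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        ip, name = rec
        hits[name] += 1
        ips[name].add(ip)
    return {name: (hits[name], len(ips[name])) for name in ENDPOINTS}

def noisy_ips(lines, threshold):
    """Source IPs with at least `threshold` login POSTs across both endpoints."""
    per_ip = Counter(rec[0] for rec in map(parse, lines) if rec)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for name, (n, distinct) in tally(lines).items():
        print(f"{name}: {n} POSTs from {distinct} distinct IPs")
    print("IPs with >= 2 login POSTs:", noisy_ips(lines, 2))
```

For a real log, pass an open file object to `tally()` in place of the sample lines.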

  • The topic ‘Impossible to avoid login attempts from multiple ip addresses to my admin’ is closed to new replies.