• I am seeing a hit almost every few minutes (almost all random international countries) in live traffic that shows a few different page visits per hit with some variation of the following:

    mydomain.com/xmlrpc.php
    mydomain.com/wp-login
    mydomain.com/401.shtml
    (and then usually it shows the wp-login attempt again and then the 401.shtml one more time).

    Do you know how I can stop this? I was thinking of adding something like:

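    <IfModule mod_rewrite.c>
    RewriteEngine on
    # Only POST requests whose Referer does not contain the site's own domain
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_REFERER} !.*example.com.* [NC]
    # ...and that target wp-login.php or wp-admin
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    # "-" means no substitution; [F] answers 403 Forbidden
    RewriteRule ^(.*)$ - [F]
    </IfModule>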

    To the top of my .htaccess, would that help? Any suggestions?

    Also is Wordfence making them reach the 401.shtml page or is that for a different reason?

    I know my WordPress version is old (we are in the process of trying to update it) but in the meantime I wanted to figure out a fix.

    Thank you for your help.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi,
    First of all, the snippet you are asking about in the “.htaccess” file should block access to “wp-admin” and “wp-login.php”, and I have two comments here:
    – It’s not recommended to block access to “wp-admin”, because some themes/plugins can make use of certain files there and blocking access to this directory may result in conflicts with these plugins/themes.
    – By blocking access to “wp-login.php”, you must guarantee another way to log in to your website, otherwise you will not be able to do that. I suggest either using this method or just using any of the wp-login rename plugins.

    Regarding XML-RPC, please read this article for more details about the consequences of blocking this file.

    In general, just adjusting the “Login Security Options” in the plugin should be enough to get rid of the brute force attack you have. Finally, Wordfence doesn’t redirect to this “401.shtml” page.

    I hope that I’ve answered all your questions; let me know if you still have any other questions.

    Thanks.

    Thread Starter restalfep

    (@restalfep)

    Thank you for responding. I reviewed the “Login Security Options” and it seems all the default settings in Wordfence are sufficient according to that link. The issue is that the brute force attacks just continue non-stop every day. Is there anything that can be done to discourage these non-stop attempts or is this normal? It’s hundred a day, every day. Are there any settings I should change in Wordfence from the default?

    Thread Starter restalfep

    (@restalfep)

    Sorry, I realized I posted my response as a comment instead of a reply. Can you please let me know the answer to my response to your answer? Thank you.

    These are the two main options you may need to adjust:
    – “Lock out after how many login failures“: try to reduce this number.
    – “Count failures over what time period“: you should try increasing this time.

    By adjusting these two options’ values you should have more powerful anti-brute-force protection. I also suggest enabling the “Immediately lock out invalid usernames” option, as it’s not enabled by default, but you should know that this option might block real users if they mistype their usernames.

    Thanks.

    • This reply was modified 7 years, 11 months ago by wfalaa.
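
Added example (not part of the original thread and not Wordfence's code): a sliding-window model of the two settings discussed above, "lock out after how many login failures" and "count failures over what time period", run over a constructed access log. The threshold values, the `sample_log` helper and the rule that a 200 response to a POST on wp-login.php is a failed login are assumptions of this sketch, not Wordfence defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Fields of an Apache combined-format line that this example needs.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def failed_logins(lines):
    """Yield (ip, time) for each POST to wp-login.php answered with 200.
    Assumption: 200 means the form was shown again; a success redirects."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        login = path.split("?")[0].endswith("/wp-login.php")
        if method == "POST" and login and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def locked_out(lines, max_failures, window):
    """Return {ip: lockout time} for a sliding-window failure counter."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    locked = {}
    for ip, when in failed_logins(lines):
        if ip in locked:         # already locked out, nothing more to count
            continue
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            locked[ip] = when
    return locked

def sample_log():
    """Constructed log: one fast client, one slow client, one user typo."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    fmt = '{} - - [{}] "POST /wp-login.php HTTP/1.1" {} 512 "-" "-"'
    rows = [("203.0.113.5", start + timedelta(seconds=2 * i), 200) for i in range(25)]
    rows += [("198.51.100.7", start + timedelta(minutes=10 * i), 200) for i in range(12)]
    rows += [("192.0.2.9", start + timedelta(minutes=3), 200),
             ("192.0.2.9", start + timedelta(minutes=4), 302)]
    rows.sort(key=lambda r: r[1])
    return [fmt.format(ip, t.strftime("%d/%b/%Y:%H:%M:%S %z"), s) for ip, t, s in rows]

if __name__ == "__main__":
    log = sample_log()
    for n, w in ((20, timedelta(minutes=5)), (5, timedelta(hours=4))):
        print(n, "failures in", w, "->", sorted(locked_out(log, n, w)))
```

With the looser pair only the fast client is locked out; the lower count over the longer period also catches the client that tries once every ten minutes, while the single mistyped password stays below both thresholds.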
  • The topic ‘Live Traffic hits on xmlrpc, wp-login, and 401.shtml – Help’ is closed to new replies.