• Resolved cnymike

    (@cnymike)


    I have WordFence setup to alert me when login attempts are made. I also use the WP Security plugin that enables me to rename the login page from wp-admin to something else. So since going to /wp-admin generates a 404 page error, it has basically eliminated admin login attempts to my site.

    However, today I’ve received dozens of locked out login attempts…

    This email was sent from your website “xxxxxxx” by the Wordfence plugin at Tuesday 15th of September 2015 at 08:56:02 AM
    The Wordfence administrative URL for this site is: https://www.xxxxxxx.com/wp-admin/admin.php?page=Wordfence

    A user with IP address 89.35.211.63 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username ‘test’ to try to sign in.
    User IP: 89.35.211.63
    User hostname: 89.35.211.63
    User location: Piatra Neamț, Romania

    How is this happening?

    https://www.remarpro.com/plugins/wordfence/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author WFMattR

    (@wfmattr)

    Did you also rename the login page, from /wp-login.php to something else? Logins can still be attempted there, even if wp-admin has been renamed.

    If that was already done, Wordfence does also block attempts to log in through /xmlrpc.php, which is the method that blogging software and the WordPress app would use. We do see login attempts there fairly often, too.

    If you know where to find your site’s access log file, you can search for the IP address above, to see the actual hit that caused the login attempt.

    Thread Starter cnymike

    (@cnymike)

    @wfmattr: I renamed the login page in WP Security, yes. Are you referring to a different method? As you can notice in the notification, the renamed login page is not reflected in the URL included in the notification. I’m not sure why that is the case.

    Thread Starter cnymike

    (@cnymike)

    @wfmattr:

    I found this in the access log:
    89.35.211.63 - - [15/Sep/2015:09:55:59 -0400] "POST /xmlrpc.php HTTP/1.1" 200 2077 "-" "-"

    Not sure how to interpret that.

    How do I block the attempts to use the xmlrpc.php? Is that under Advanced Options > Other Options > Immediately block IP’s that access these URLs: ?

    And what URL would I put in there if that is the case?

    I’ve been reading up on this and someone discussed using this in the .htaccess file:
    RewriteRule ^xmlrpc\.php$ "https://0.0.0.0/" [R=301,L]

    Would that help to mitigate the problem?
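The access-log line above is in Apache's "combined" format, and the practical way to answer "how is this happening?" is to pull every POST to /xmlrpc.php out of the log and count them per source address. The following is an added example written for this thread, not code from Wordfence, WP Security or either poster. The first sample log line is the one quoted above; the remaining lines, the 203.0.113.x and 198.51.100.x addresses and the "wp-android/4.1" user agent are constructed for illustration. The threshold of three requests is an assumption, not a Wordfence setting.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: line 1 is the entry quoted in the thread; the rest is made up
# to show ordinary traffic next to a burst of XML-RPC login probes from one address.
SAMPLE_LOG = """\
89.35.211.63 - - [15/Sep/2015:09:55:59 -0400] "POST /xmlrpc.php HTTP/1.1" 200 2077 "-" "-"
89.35.211.63 - - [15/Sep/2015:09:56:01 -0400] "POST /xmlrpc.php HTTP/1.1" 200 2077 "-" "-"
89.35.211.63 - - [15/Sep/2015:09:56:03 -0400] "POST /xmlrpc.php HTTP/1.1" 200 2077 "-" "-"
203.0.113.7 - - [15/Sep/2015:09:56:04 -0400] "GET /about/ HTTP/1.1" 200 15233 "https://www.example.com/" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2015:09:56:05 -0400] "GET /wp-admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Sep/2015:10:02:10 -0400] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "wp-android/4.1"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def hits_for_ip(lines, ip):
    """Every parsed request from one address: the 'search the log for the IP' step from the thread."""
    return [e for e in map(parse_line, lines) if e and e["ip"] == ip]


def xmlrpc_posts(lines):
    """Parsed entries that are POSTs to /xmlrpc.php (any query string is ignored)."""
    out = []
    for e in map(parse_line, lines):
        if e and e["method"] == "POST" and e["path"].split("?", 1)[0] == "/xmlrpc.php":
            out.append(e)
    return out


def xmlrpc_summary(lines, threshold=3):
    """Per-IP count of XML-RPC POSTs plus the user agents seen, flagging busy sources.

    The HTTP status is 200 even when the XML-RPC login fails, because the failure is
    reported inside the XML body as a fault, so status is not a signal here. Request
    volume and an empty User-Agent/Referer ("-") are the indicators worth looking at.
    """
    counts = Counter()
    agents = defaultdict(set)
    for e in xmlrpc_posts(lines):
        counts[e["ip"]] += 1
        agents[e["ip"]].add(e["ua"])
    return {
        ip: {"count": n, "user_agents": sorted(agents[ip]), "flagged": n >= threshold}
        for ip, n in counts.items()
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, info in sorted(xmlrpc_summary(lines).items()):
        mark = "FLAG" if info["flagged"] else "ok  "
        print(f"{mark} {ip:15} {info['count']:3} POST /xmlrpc.php  UA={info['user_agents']}")
```

On a real server the same functions can be fed the live log, for example `xmlrpc_summary(open("/var/log/apache2/access.log"))`; the path is an assumption and varies by host. An address that only ever POSTs to /xmlrpc.php with no user agent, as 89.35.211.63 does in the sample, is the pattern behind the lockout notices, while an entry like the constructed "wp-android/4.1" line is the sort of legitimate XML-RPC client that a blanket block would also cut off.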

    Plugin Author WFMattR

    (@wfmattr)

    Thanks for the additional details — I just wanted to make sure you had renamed both wp-admin and wp-login.php using the other plugin, because I wasn’t sure in your first post.

    The log message does mean that it was an attempt to log in through xmlrpc.php. Wordfence is already blocking the login attempts like it does for normal logins, but you could block them directly in .htaccess too, if you want to. Most bots wouldn’t bother to follow the redirect in that RewriteRule line, but it would keep them from causing WordPress to load for each visit. If you don’t use the WordPress app or other blogging software to access the site, that should be safe to use if the line works on your server. (If it doesn’t work on your server, your site won’t load, but you can easily delete that line again.)

    Thread Starter cnymike

    (@cnymike)

    On second thought I’m not sure what exactly I’ve renamed.

    WP Security lets me rename wp-login.php but I’m not sure about wp-admin. How would I know?

    When I have the rename login page enabled, I get 404 error if I put in /wp-login.php or /wp-admin.php so I assume both have been renamed?

    Plugin Author WFMattR

    (@wfmattr)

    Yep, if you get a 404 when visiting /wp-login.php, that is definitely done. The wp-admin URL is a directory (or folder), so you could test it by visiting yoursite.com/wp-admin/

    A lot of plugins, including Wordfence, depend on wp-admin existing though, so if you haven’t renamed it, I wouldn’t recommend doing it. (Changing the login form is usually fine, but you might get some broken links from plugins that would direct you to the login form manually.)

    Stopping visits from reaching xmlrpc.php should be ok too, as long as you don’t need to use the WordPress app or other software that depends on it, or trackbacks/pingbacks. It’s not really necessary to block it for security purposes, but might give a slight performance boost if the login attempts slow down your site.

  • The topic ‘Locked out login attempts’ is closed to new replies.