Login Attemps with hidden admin URL

  • Resolved nielsvriesde

    (@nielsvriesde)


    3 years, 5 months ago

    Hello,

    We have a few sites that have a private/other URL for the /wp-admin.
    If we go to the FireWall section of WordFence we see also failed attemps from “other sources” How s that Possible if they don’t know the exact URL?
    Some sites use “WPS Hide Login”

    Can anyone explain how that is possible?

    Kind Regards

    The page I need help with: [log in to see the link]

Viewing 1 replies (of 1 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @nielsvriesde and thanks for reaching out to us!

    Most automated login attempts will be done through XML-RPC or the WordPress REST API, therefore not requiring the front-end login page. Hiding the login page only slightly slows down somebody with malicious intent rather than stopping them. Our thoughts on obscuring the wp-login/wp-admin URL is discussed in this video: https://www.wordfence.com/blog/2017/10/should-you-hide-wordpress-login-page/

    You can look into Rate Limiting or Brute Force Protection to help tighten up your rules regarding these sorts of attempts.

    The setting to disable XML-RPC authentication can be done by checking the “Disable XML-RPC authentication” box in Wordfence > Login Security > Settings. Manual attempts to access the XML-RPC file itself are common to be tried by attackers so you could add the following code to .htaccess if you are certain no plugins you use (such as Jetpack) require access:

    # Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

    Let me know if this helps!

    Thanks

Viewing 1 replies (of 1 total)
  • The topic ‘Login Attemps with hidden admin URL’ is closed to new replies.