renamed wp-login.php

Hello,

I think you can solve this issue by follow this.
1) Rename wp-login.php file to my-login.php name.
2) Open my-login.php file from your server, find the text “wp-login.php” and replace by “my-login.php” text.

3) Save, done.

Hope it helps.

I’ve done that in the past to hide the login but I’m not even concerned about logging in, it’s not a site I log in to very often so that’s why I just renamed the file with random string. I’ll just delete it for now and see what that does.

I’m wondering how I’m still getting WordFence emails about failed login attempts if they can’t even find the login file?

Probably because you can also use the URL website/wp-admin to login to WordPress, and about 30 million botters know that… if you’re obfuscating your site login, which I do myself and highly recommend, a quick and complete way to do it is use plugin WPS Hide Login. Hope that helps. MTN

If I go to wp-admin I get 404 page not found because I’m not logged in. It redirects to wp-login which is gone.

I’m not concerned about hiding the login I deleted it since I hardly ever log in to that site anyway.

My main curiosity is WordFence still emailing me about login attempts when there is no way to log in as far as I know.

Hi @wpstoneblue
These login requests could be initiated via XMLRPC, read more about attacks by XMLRPC here and here, then check this article to know if you can block access to XMLRPC or not.

Thanks.

Apologies for not reading the origin of this thread as carefully as I should have. Been so used to “hide wp-login.php” type posts I tend to fire off too fast. In my case, I do not use or need xmlrpc in fact I hate it for the time it takes to deal with. So I delete xmlprpc.php and place /xmlrpc.php in the Wordfence “Options/Immediately Block URLs.” I used to just block xmlrpc.php in my .htaccess file, but I’d rather use it as a honey pot that results in lengthy IP blocks implemented by Wordfence. In my case I set those blocks to 48 hours.

As for wp-login.php, sure, delete if not needed (I use WPS Hide Login plugin as we do need the login for our sites). I’m a big fan of deleting as many WordPress core files as possible as who knows what attack vectors will be discovered tomorrow (oh joy). For example, I delete wp-mail.php and wp-signup.php. One has to delete these sorts of things each time WordPress updates. I suppose one could set up a cron job to do this, but I’m in the site root enough anyway so I just do it manually.

A cool Wordfence feature, actually, would be a programatic audit of WordPress core that suggested core file elimination via checkboxes. Oh blasphemy!

MTN

• This reply was modified 6 years, 9 months ago by mountainguy2.

Awesome, @mountainguy2 & @wfalaa thank you so much.

Busy this week with clients and haven’t had time to look into it at all.