Secure WP-Login.php

Are you using the WordPress default “admin” Administrator user account? All spambots and hackerbots try to Brute Force Login attack the WordPress default “admin” Administrator user account first. If you are using the default “admin” user account then create a new WordPress Administrator user account, log out of your site, login with that new Administrator user account and delete the default “admin” user account. IMPORTANT: Be sure to associate all Posts with your new Administrator user account or they will be deleted.

Things you can do to protect publicly displayed usernames, not exposing author names/user account names, etc.
https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
https://forum.ait-pro.com/forums/topic/user-account-locked/
https://forum.ait-pro.com/forums/topic/revealing-the-admin-or-editor-user-name-and-not-knowing/
https://forum.ait-pro.com/forums/topic/wordpress-author-enumeration-bot-probe-protection-author-id-user-id/

Thanks for the quick reply, but no I am not using the default account. I created my own. Clearly their scripts have found that one so I may create a new account. However, I’d like to block them from even being able to hit the wp-login.php without being challenged, like we can do with the wp-admin folder. Is that possible?

Are you the only person who logs into this site? Do you allow anyone to register, login and post comments on your site?

It’s pretty much just me. Occasionally I grant others access, but it’s rare. Comments are all done through Disqus.

Not sure if Disqus needs access to your login page or not so that could be a problem if you use this method/code below. Whitelisting/allowing only certain IP addresses to access your Login page by IP address means that only the IP addresses that you whitelist/allow will be able to view/access your Login page.

Source: https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

# Protect wp-login.php from Brute Force Login Attacks based on IP Address
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 65.100.50.
</FilesMatch>

Steps to add the IP based Login page protection code above to BPS Custom Code:
1. Add whichever Brute Force Login Protection Code you want to use in this BPS Root Custom Code text box: CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION:
2. Click the Save Root Custom Code button
3. Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode again.

Thanks! I’m sure this will work. Unfortunately, I am mobile a lot – often on the road. So I’d rather not leave it to whitelist. Is there no way to password protect wp-login.php?

Sorry if I am being difficult… ??

I understand what you are looking for, but technically wp-login.php is the password protection form to get into the wp-admin folder/WP Dashboard. In other words, they are one and same thing. ie you cannot get into wp-admin without first entering login credentials into the wp-login.php password protection form.

Have you tried the simplest method of creating an additional WordPress Administrator user account and ONLY using it for logging into your website and nothing else? That usually works to prevent that Admin account from ever being locked since that Admin account is not exposed or displayed publicly on the frontend of your website as long as you NEVER use that Admin account to post a comment or create a Post or Page.

A CAPTCHA usually stops most if not all automated bot login processing, but not all CAPTCHA’s/CAPTCHA plugins are effective. We use BPS Pro JTC Anti-Spam|Anti-Hacker, which is a CAPTCHA feature and some other things that is 100% effective at blocking 100% of all bots. So due to a conflict of interest I cannot recommend another CAPTCHA plugin for you to try.

Did this answer all of your questions? If so, please resolve this thread. If not, please post any additional questions you may have. Thanks.

Thread Start Date: 12-5-2015
Current Date: 12-9-2015

Assuming all questions have been answered – thread has been resolved. If you have additional questions about this specific thread topic then you can post them at any time. We still receive email notifications when threads have been resolved.

Thread Start Date: 12-5-2015
Thread Resolved/Current Date: 12-10-2015