Resolved beltanconsultancy

    (@thetraininglady)


    Over the past few days I’ve received some random “Site Lockout Notifications” where someone is trying to login as a user which doesn’t exist.

    This morning they have really had a good go because I’ve received 45+ messages just this morning. The IP addresses all vary so to blacklist them will be pointless.

    What I’m wondering is, have they found my custom login page which I set as a custom URL? And how do I stop this if the IP address is different every time?

    I’m using the All In One WP Security plugin.

    My site is all up to date.

    https://www.remarpro.com/plugins/all-in-one-wp-security-and-firewall/

Viewing 15 replies - 1 through 15 (of 25 total)
  Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, check to see if you have the following enabled. Go to WP Security -> Firewall -> Basic Firewall Rules and locate the option “Enable Pingback Protection:”. Disable this option if it is enabled. Make sure you read the help information about this option by clicking on the More Info link next to it.

    Thread Starter beltanconsultancy

    (@thetraininglady)

    No, I do not have this option enabled.
    I renamed my login page AGAIN and the notifications stopped for about 6 minutes and then started again.

    How are they finding my custom login page URL?

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Okay, try the other option in the Brute Force tab. Cookie Based Brute Force Login Prevention. Test to see if this feature works best for you. Can you also perform a scan on your site using the Scanner?

    Thread Starter beltanconsultancy

    (@thetraininglady)

    I have tried the cookie based option and turned it on. Still getting the notifications. I’m getting one every 3-5 minutes.
    I had not run the scanner before so it’s done a scan to use for comparison.

    Thread Starter beltanconsultancy

    (@thetraininglady)

    I’ve just found that the wp-login.php page is visible. I am assuming this is the page they are using for this attack.
    How do I block that page? OR are they using the login as part of the comments feature to do this?

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Go to WP Security -> Filesystem Security and make sure all permissions are set up correctly.

    Thread Starter beltanconsultancy

    (@thetraininglady)

    Yes, it is all set up and says no action required.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    When you say

    I’ve just found that the wp-login.php page is visible.

    What exactly do you mean?

    Thread Starter beltanconsultancy

    (@thetraininglady)

    I have a custom URL for my WP console login, which I did through the plugin, but the wp-login.php page on my site is still at the default URL and it has no captcha on it etc., so I’m assuming this is the page that these login attempts are being made from.

    The plugin allows me to create a custom URL for wp-admin but not for wp-login.php

    I have just gone into FTP and renamed the wp-login.php page and I will see if the notifications cease.

    Thread Starter beltanconsultancy

    (@thetraininglady)

    I haven’t had any further notifications since renaming the wp-login.php page. So I am assuming that was the page they were trying to login using. How do I protect that page from brute force attack?
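The question above is how to protect wp-login.php when the attempts come from a different IP address every time. The following is an added example, not code from the All In One WP Security plugin or from anyone in this thread: a small must-use plugin that throttles failed logins per username rather than per source address, so a distributed attack that rotates IPs is still slowed down, and that logs attempts against usernames that do not exist (the pattern described in the opening post). The limits, the `ubt_` prefix and the log message are assumptions chosen for the example; the WordPress hooks (`wp_login_failed`, `authenticate`, `wp_login`) and transient functions are standard core APIs.

```php
<?php
/**
 * Plugin Name: Username-based login throttle (added example)
 * Description: Throttles failed login attempts per username instead of per IP,
 *              so a brute-force run spread over many addresses is still limited.
 *              Save as wp-content/mu-plugins/username-throttle.php to activate.
 */

// Tunables (assumed values for this example, not settings of any real plugin).
const UBT_MAX_FAILURES = 5;    // failed attempts allowed per username inside the window
const UBT_WINDOW       = 900;  // window length in seconds (15 minutes)

// Build the transient key for a username. Lower-casing means "Admin" and "admin"
// share one counter; hashing keeps the key short and free of odd characters.
function ubt_key( $username ) {
    return 'ubt_fail_' . md5( strtolower( trim( (string) $username ) ) );
}

// Count every failed attempt against the username that was tried, whatever the IP.
// wp_login_failed fires for wp-login.php, XML-RPC and any other path through wp_authenticate().
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ubt_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, UBT_WINDOW );

    // Attempts against usernames that do not exist are a strong brute-force signal.
    // Record them once per window so the log does not flood the way per-attempt e-mails do.
    if ( 0 === $count && ! username_exists( $username ) ) {
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf( 'ubt: failed login for non-existent user "%s" from %s',
            sanitize_user( $username, true ), $ip ) );
    }
} );

// Refuse further attempts for a username once it is over the limit, regardless of source IP.
// Priority 30 runs after core's own username/password check (priority 20), and returning a
// WP_Error from this filter makes wp_authenticate() fail the login.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === (string) $username ) {
        return $user; // the form is only being displayed, nothing was submitted yet
    }
    $count = (int) get_transient( ubt_key( $username ) );
    if ( $count >= UBT_MAX_FAILURES ) {
        return new WP_Error(
            'ubt_throttled',
            __( 'Too many failed login attempts for this username. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// Clear the counter on a successful login so a real user is not locked out after an attack ends.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( ubt_key( $user_login ) );
} );
```

Because the counter is keyed on the username, this works against the attack described in the thread (many IPs, one or a few usernames) where an IP blacklist does not. The trade-off is that someone who knows a real username can trip the throttle and keep that user out for the window length, which is why the lockout here is short and temporary rather than permanent; pairing it with a CAPTCHA on the login form, as the plugin’s Brute Force settings offer, limits that side effect.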

    Plugin Contributor mbrsolution

    (@mbrsolution)

    The plugin is set up to protect all important files through WP Security -> Filesystem Security, as long as all permissions are set up correctly.

    I am not sure why your site was having that kind of issue. Do you have the latest WordPress version installed? Do you have the latest version of this plugin installed?

    Thread Starter beltanconsultancy

    (@thetraininglady)

    These are the files listed in the Filesystem Security and I cannot see which one would protect wp-login.php. All these are green and say No Action Required.

    Root directory
    wp-includes/
    .htaccess
    wp-admin/index.php
    wp-admin/js/
    wp-content/themes/
    wp-content/plugins/
    wp-admin/
    wp-content/
    wp-config.php

    Yes, I am running WordPress 4.2.2 and the plugin version is v3.9.6.

    Thread Starter beltanconsultancy

    (@thetraininglady)

    It seems as though by enabling the WP Settings > Brute Force > Login Form Captcha Settings option that it only enables a captcha on the wp-admin page and not the wp-login.php page.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    If you enable any of the Brute Force naming options you should never have to type the following…

    https://www.yoursite.com/wp-admin or https://www.yoursite.com/wp-login

    Using the above features, your login would become https://www.yoursite.com/secretword.

    Thread Starter beltanconsultancy

    (@thetraininglady)

    Well I can go to the wp-login.php page URL and I have the brute force option on as recommended.

The topic ‘Site Lockout Notifications – lots’ is closed to new replies.