• Resolved amurigate

    (@amurigate)


    Hello,

    I recently changed my wp admin login URL, yet I still get consistent emails (and basically the same amount of emails) reporting that “User locked out from signing in”. And it doesn’t show any reference to my new admin login URL at all. So it makes no sense at all to me. Doesn’t add up.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Anonymous User 17880307

    (@anonymized-17880307)

    xmlrpc.php is also relevant. Besides this, hiding / changing wp-login.php does not really help. Some of these plugins also leak / reveal the new URLs to attackers due to bad coding.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @amurigate,

    We use the WordPress functions admin_url() and network_admin_url() rather than hard-coding the path to your login for any emails sent from Wordfence, if that’s relevant to this case. It’s possible if you’re using a plugin to change the login path, that isn’t fixing it for when those functions are used. It might also be worth checking site paths that appear in WordPress’ Settings > General section.

    You could indeed try out the setting to disable XML-RPC authentication by checking the “Disable XML-RPC authentication” checkbox in Wordfence > Login Security > Settings to prevent authentication attempts being POSTed through that file. This may help go a long way towards what you’d like to achieve.

    However, manual attempts to access the XML-RPC file itself are commonly tried by attackers, so if you did want to add a total blanket block, you could also add the following code to your .htaccess file if you are certain no plugins you use (such as Jetpack or the WordPress app) require access:

    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>

    Thanks,

    Peter.

    Thread Starter amurigate

    (@amurigate)

    Is there a way to check for sure that I don’t have any plugins requiring XML-RPC authentication before I use that code to disable it?

    P.S. No, I didn’t use any plugin to change login URL, changed manually.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @amurigate,

    We know for sure that Jetpack, the trackbacks and pingbacks functions of WordPress core and the WordPress app use XML-RPC, so if you don’t use any of those it’s probably safe to say you can disable it as required. Many customers do choose to do this and we rarely hear of issues.

    In fact, there’s no harm in blocking XML-RPC using the .htaccess code I provided above, then simply removing it again if you start to experience any problems with plugins or features you wish to use.

    Thanks again,

    Peter.
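One way to approach the check @amurigate asked about, as an added example that is not part of this thread or of Wordfence: before adding the blanket block, read the web server access log and list which sources and user agents actually POST to xmlrpc.php, alongside hits on wp-login.php. The combined log format assumed below and the sample lines (including the "ExampleSyncApp" user agent and the renamed login path) are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; the field order is an assumption.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic): the login page was renamed,
# but authentication requests keep arriving through xmlrpc.php instead.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:14:02:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 3011 "-" "ExampleSyncApp/1.0 (constructed)"
192.0.2.44 - - [10/Oct/2023:14:02:11 +0000] "GET /my-secret-login/ HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:14:03:00 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Endpoints that accept credentials regardless of any renamed admin URL.
AUTH_PATHS = ("/xmlrpc.php", "/wp-login.php")

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize_auth_traffic(log_text):
    """Return {path: {ip: (post_count, {user agents})}} for AUTH_PATHS only.

    The output does not prove a client is legitimate; it gives the list of
    sources and user agents to review (e.g. against the integrations you
    know you run) before deciding to block xmlrpc.php outright.
    """
    summary = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"].split("?")[0] not in AUTH_PATHS:
            continue
        entry = summary[rec["path"].split("?")[0]][rec["ip"]]
        if rec["method"] == "POST":
            entry[0] += 1
        entry[1].add(rec["ua"])
    return {p: {ip: (c, uas) for ip, (c, uas) in v.items()} for p, v in summary.items()}

def xmlrpc_posters(log_text):
    """Sorted list of source addresses that POSTed to xmlrpc.php."""
    return sorted(summarize_auth_traffic(log_text).get("/xmlrpc.php", {}))

if __name__ == "__main__":
    for path, by_ip in summarize_auth_traffic(SAMPLE_LOG).items():
        print(path)
        for ip, (posts, uas) in sorted(by_ip.items()):
            print(f"  {ip}: {posts} POSTs, agents={sorted(uas)}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; any source that should keep XML-RPC access (a known integration) shows up here before the .htaccess block is added.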

  • The topic ‘Why the messages?’ is closed to new replies.