Hi @amurigate,
We use the WordPress functions admin_url()
and network_admin_url()
rather than hard-coding the path to your login for any emails sent from Wordfence, if that’s relevant to this case. It’s possible if you’re using a plugin to change the login path, that isn’t fixing it for when those functions are used. It might also be worth checking site paths that appear in WordPress’ Settings > General section.
You could indeed try out the setting to disable XML-RPC authentication by checking the “Disable XML-RPC authentication” checkbox in Wordfence > Login Security > Settings to prevent authentication attempts being POSTed through that file. This may help go a long way towards what you’d like to achieve.
However, manual attempts to access the XML-RPC file itself are commonly tried by attackers, so if you did want to add a total blanket block, you could also add the following code to your .htaccess file if you are certain no plugins you use (such as Jetpack or the WordPress app) require access:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Thanks,
Peter.