Thanks for reaching out.
First, due to privacy and security concerns we do not do any support via social media. Since we do not control Facebook/Twitter/etc servers we can’t guarantee that any data there is protected or private or will be removed if you ask them to.
Second, changing the login URL is a feature we do not include in Wordfence. Though it is something that many people swear by and can help a little in certain situations it’s ultimately not very beneficial. These are the reasons why:
- Changing WordPress URLs involves a risk of breaking functionality of WordPress themes and plugins.
For example, WordPress JavaScript XMLHttpRequest object (AJAX) functions are triggered via admin-ajax.php which is located in wp-admin folder. Changing /wp-admin is a URL but it is also a folder path. We have seen plugins that change the admin URL break this functionality unintentionally, but it causes confusion as to what happened, what went wrong, and what was to blame..
- Changing the URL makes us feel more secure but it does not actually make the site more secure.
It is what many security analysts refer to as “security through obscurity”. It’s like boarding up the front door of your home to protect yourself against a burglary. Someone looking for a quick break in may be deterred, but any seasoned thief is just going to go look for another door or window to get in. Any serious attacker can and will anticipate this and look for other ways in too.
- Most all login attempts that are made on WordPress sites are made via xmlrpc.php. This is likely what is going on on your site.
Those will not be stopped by changing your admin URL. Our Wordfence Login Security and Wordfence plugins offer the option to block XMLRPC or at least require 2FA with authentication requests using XMLRPC on the Login Security > Settings page.
Additionally, if you change the wp-admin or wp-login URLs you also lose visibility on who is attempting to log in to your site and when they are doing it since we’re not looking for logins on a random URL that you created.
What we recommend as a basic means of reducing login attempts is to use Country Blocking (available in the Premium Wordfence plugin only) to restrict access to your login only to countries that you are yourself going to log in from. This will make login via wp-login.php and xmlrpc.php only available from your country. Or by using the Brute Force Protection settings and by blocking XMLRPC like I mentioned before. Also using the 2FA functionality we give you for free in Wordfence and Wordfence Login Security will greatly reduce the risk of a compromise.
Third, we have no record of any previous attempts you made to contact us. There are not other posts made from this account and we weren’t able to find any emails sent to us asking either. If you care to send the email address you sent your messages from, you can do so at wftest [at] wordfence [dot] com and I’ll look them up.
Lastly, please post some specific examples if you want so that we can see what you do. Since your video only has a screenshot of our home page and this post has no links to images most of the support we can give you is based on speculation. Right now, this question is kind of the equivalent of calling your auto mechanic and saying “My car is broke” and expecting an immediate diagnoses. If you want to send the examples, etc in with the email above feel free to do so.
I wait for your response.
Mia
