Would-Be Hackers Can Still Attempt Logins?

Hi,
You are correct, changing the login URL and blocking the default should make it invisible to the world. There are a few other things, you need to consider:
1) Ensure you also changed the default wp-admin URL. WordPress, when accessing the admin URL redirects to the login page, whichever that may be, customised or default.

2) Check your front side if there’s a login area. Even if you changed the URL, that also change on that area, so anyone else will see that and use it. If have no use for such a widget, try to remove it.

3) See if there’s an admin URL or admin AJAX outputted anywhere on your HTML. That reveals the admin URL which redirects to login page. ( see point #1 ).

Hope this helps.

Thanks

Hey,

So I’ve checked your points out.

1. I have a custom wp-admin URL (have had since setting up your plugin, after migrating from another)

2. I don’t have a login area. The *only* time there’s anything like it are password protected pages, but they aren’t public and I give the URL to a few friends – and only for 48 hours. Then it reverts to a normal blog post. So that wouldn’t account for login attempts outside this timeframe.

3. It looks like potentially the ajax thing is outputted via another plugin, so I’ll contact them directly.

Thanks for giving me a way forward, I appreciate it ??