I have limited access to my WordPress login page by adding the following .htaccess file to the wp-admin directory:
## due to brute force attacks, limiting access to specific ips
order deny,allow
deny from all
allow from 24.xxx.xxx.xxx 66.xxx.xxx.xxx
I have had this in place for a day or three now and thought it was working. But today I got a notice from our security plugin that this site has had several failed login attempts. The failed login attempts were from an IP similar to this:
200.199.xxx.xxx
I am x-ing out the IPs as a security measure, but wanted to give you an idea of the IP families that I am allowing vs. seeing attempting login.
So how would it be possible for a bot or person to be able to even arrive at the login page with this type of blocking in place?
> So how would it be possible for a bot or person to be able to even arrive at the login page with this type of blocking in place?
No one needs to go to any “pages” to send requests to your server; they don’t even need to use a “browser.”
Any client that speaks HTTP can send whatever requests it wants to your site.
> But today I got a notice from our security plugin that this site has had several failed login attempts
The login form sends the data directly to /wp-login.php, which is not even in the /wp-admin/ folder that you blocked access to. /wp-login.php handles the complete login process, and only redirects to /wp-admin/ afterwards.
The failed login attempts you see in your logs come from /wp-login.php.
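Since the answer's point is that wp-login.php lives in the site root rather than under /wp-admin/, the same IP restriction has to be applied to that file directly. The following .htaccess fragment for the site root is an added example (not the asker's file or the answerer's suggestion); it assumes the Apache 2.2 directive syntax used in the question, and the addresses 192.0.2.0/24 and 198.51.100.7 are RFC 5737 placeholders standing in for the x-ed out IPs.

```apache
# Added example: restrict the login handler itself, not just the /wp-admin/ folder.
# Place this in the .htaccess at the WordPress root, next to wp-login.php.
# 192.0.2.0/24 and 198.51.100.7 are placeholder addresses, not real allowed hosts.
<Files "wp-login.php">
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
    Allow from 198.51.100.7
</Files>

# Keep the existing /wp-admin/.htaccess in place as well: an allowed client
# still lands on the dashboard after login, so both rules use the same list.
```

With this in place, a POST to /wp-login.php from an address outside the list is answered with 403 before WordPress runs at all, so the security plugin will no longer see failed logins from those sources; they show up in the Apache access log as 403 responses instead. On Apache 2.4 without mod_access_compat, the three Order/Deny/Allow lines are replaced by a single `Require ip 192.0.2.0/24 198.51.100.7` inside the same `<Files>` block.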