In the spirit of Tom’s short tech notes to oneself…
I archived a WordPress site I made a few years back for Cori’s high schools students to do some (anonymous) online writing. The site is really just to keep as an archive (and honestly it would be better to convert to static HTML, put that on my list).
But it gets hammered for some reason by login attempts, all stopped by the Limit Logins Reloaded plugin. They cant do anything since all the user accounts have been set to subscriber. I just wondered what else I can do to cut them off before trying- I am sure there are w variety of Other Things One Can Do, so I just spent a little time poking around the webz.
The first suggestion was disablinbg XMP_RPC which whatever it is enabloes login from other devices, services. This weas an easy add to the custom child theme’s functions.php template:
add_filter( 'xmlrpc_enabled', '__return_false' );
The other suggestion was to install the WPS Hide Login plugin which redirects all attempts to use standard WordPress login URLs, and all non-logged in efforts to hit wp-admin (used the default redirect to 404). It then allows me to create a super secret, non standard URL to access the WordPress login.
I’m just curious if this cuts down the activity more, but really I should just archive it fully as a static HTML and that means a STOP to all the annoying efforts.
It is illustrative to witness, at a much smaller scale than what your humble network managers see every minute, how much traffic there is in these cracking efforts.
If anyone has better or working solutions, my ears are all open.
Featured Image: Mine. Who needs AI generators when I got 76000 photos? Somebody STOP: flickr photo by cogdogblog shared into the public domain using Creative Commons Public Domain Dedication (CC0)
I’ve got one of those too that I need to lock down. I do get tired of the limit login emails. I like this as an answer.
If this doesn’t work, let me know and I’ll try a plugin that changes the login URL. I have a feeling that will work but I prefer the idea of minimal action.
If you have experience with httrack, I have questions about archiving sub-sites on a wpms with subdirectories.
Well you can shut off the limit login emails but they are still hammering a dead site.
So far, it’s quiet. The change login plugin worked like a champ, the key is not forgetting the url, but guess you could delete plugin from ftp or poke around the settings in the database.
Hah I have not done advanced httrack slurping, I think last time I used that site sucker Mac app.
We used the change login plugin with a team site a couple years ago which worked well. I also ran fail2ban on the server itself which just straight rejected IP addresses if they tried to log in too much.
Thanks, I know that one does a lot of work too on the busy OpenEtC multisite
I use a .htaccess file limiting access to wp-login.php:
AuthName “Authorized Only”
AuthType Basic
AuthUserFile /Path/To/AuthFile
require valid-user
If you don’t have a lot of people using the installation, this works well.
And WP comments ate the greater than/less than characters. 🙂 Let’s try that again:
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /Path/To/AuthFile
require valid-user
</FilesMatch>
That’s good too, thanks Ryan. Might try with the rerouted one I have set up, it’s like another steel door for Maxwell Smart.