Ask your WordPress questions! Pay money and get answers fast! (more info)

Wordpress Security Questions

Hello, I am having two issues - both seem related. Something is trying to access the login page repeatedly on my Wordpress site. I can see this using my Wordfence security plugin:

I've combed through the Wordfence security settings but nothing really seems to stop these from coming in. I even tried to use [[LINK href=""]]country blocking plugin[[/LINK]] to block all non-US IP's, but the activity I'm describing doesn't stop.

In addition, when I view the top processes within my WHM panel, I see a wp-admin/admin-ajax.php file is just getting crushed on several of the sites within the VPS, and taking up a very large portion of my VPS memory (which has plenty room and memory).

I've contacted HG for help, and all they've told me to do is blacklist the IP's. The problem with this fix is that these IP's are coming in at random about every minute (at least from what I can see in the Wordfence area)

Does anyone have any suggestions on how I can fix these problems?

Answers (3)


Dbranes answers:

Here are some ideas:

- Don't use the <strong>admin</strong> username, use something else.

- Try to restrict the access to your <strong>wp-login.php</strong> and <strong>wp-admin/*</strong> with <em>.htpasswd</em>

- Try [[LINK href=""]]Cloudflare[[/LINK]], they have a free plan that will filter the traffic to your site through HoneyPot => blocking evil bots.

Kyle Hungate comments:

Hey Dbranes, thanks for the Cloudflare tip, the speed is already better after implementing however can you elaborate a little on your second point about restricting access? I've found a few blog posts on the web but not sure if they relate to what you are talking about.


Dbranes comments:

Regarding the second tip, you restrict the access to <em>wp-login.php</em> and/or <em>wp-admin/*</em> with HTTP authentication.

You can try to add this into your <em>.htaccess</em> in the Wordpress root folder:

<Files wp-login.php>
Order Deny,Allow
Deny from All
Satisfy Any
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/not/in/public/html/.htpasswd
require valid-user

where you place the <em>.htpasswd</em> file in a <strong>non-public</strong> directory.

The <em>.htpasswd</em> file contains the password (you can find many sources on the interent how to generate such a file)

To restrict your <em>/wp-admin/*</em> directory, you can add another <em>.htaccess</em> file into this folder. This file could include for example these lines:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/not/in/public/html/.htpasswd
require valid-user

Hope this helps.

Dbranes comments:

It looks like this plugin could be used for my second suggestion:

[[LINK href=""]][[/LINK]]

(but I haven't used it)


Gabriel Reguly answers:


Try this one: [[LINK href=""]][[/LINK]]

Edit: I mean the "Block Access Except To Certain IP Addresses" part :-)


Gabriel Reguly comments:

From Matt: [[LINK href=""]][[/LINK]]


Valentin Leyzaola answers:

i recommend to use Limit Login Attempts plugin (this plug in allows you to set how many times any user could try to access the admin, it block the exceded attempt ipaddress) and a captcha for login access