Hello, I am having two issues - both seem related. Something is trying to access the login page repeatedly on my Wordpress site. I can see this using my Wordfence security plugin: http://cl.ly/image/1V3o3j0Y3R1t.
I've combed through the Wordfence security settings but nothing really seems to stop these from coming in. I even tried to use [[LINK href="http://www.redeo.nl/2010/03/iq-block-country-a-wordpress-plugin/"]]country blocking plugin[[/LINK]] to block all non-US IP's, but the activity I'm describing doesn't stop.
In addition, when I view the top processes within my WHM panel, I see a wp-admin/admin-ajax.php file is just getting crushed on several of the sites within the VPS, and taking up a very large portion of my VPS memory (which has plenty room and memory). http://cl.ly/image/1b2Z3g0f0k0d
I've contacted HG for help, and all they've told me to do is blacklist the IP's. The problem with this fix is that these IP's are coming in at random about every minute (at least from what I can see in the Wordfence area)
Does anyone have any suggestions on how I can fix these problems?
Here are some ideas:
- Don't use the <strong>admin</strong> username, use something else.
- Try to restrict the access to your <strong>wp-login.php</strong> and <strong>wp-admin/*</strong> with <em>.htpasswd</em>
- Try [[LINK href="http://www.cloudflare.com/"]]Cloudflare[[/LINK]], they have a free plan that will filter the traffic to your site through HoneyPot => blocking evil bots.
Kyle Hungate comments:
Hey Dbranes, thanks for the Cloudflare tip, the speed is already better after implementing however can you elaborate a little on your second point about restricting access? I've found a few blog posts on the web but not sure if they relate to what you are talking about.
Regarding the second tip, you restrict the access to <em>wp-login.php</em> and/or <em>wp-admin/*</em> with HTTP authentication.
You can try to add this into your <em>.htaccess</em> in the Wordpress root folder:
Deny from All
AuthName "Restricted Area"
where you place the <em>.htpasswd</em> file in a <strong>non-public</strong> directory.
The <em>.htpasswd</em> file contains the password (you can find many sources on the interent how to generate such a file)
To restrict your <em>/wp-admin/*</em> directory, you can add another <em>.htaccess</em> file into this folder. This file could include for example these lines:
AuthName "Restricted Area"
Hope this helps.
It looks like this plugin could be used for my second suggestion:
(but I haven't used it)
Gabriel Reguly answers:
Try this one: [[LINK href="http://wpmu.org/limit-access-to-the-wordpress-login-screen-to-specific-ip-addresses/"]]http://wpmu.org/limit-access-to-the-wordpress-login-screen-to-specific-ip-addresses/[[/LINK]]
Edit: I mean the "Block Access Except To Certain IP Addresses" part :-)
Gabriel Reguly comments:
From Matt: [[LINK href="http://ma.tt/2013/04/passwords-and-brute-force/"]]http://ma.tt/2013/04/passwords-and-brute-force/[[/LINK]]
Valentin Leyzaola answers:
i recommend to use Limit Login Attempts plugin (this plug in allows you to set how many times any user could try to access the admin, it block the exceded attempt ipaddress) and a captcha for login access