-
I'm guessing not but do you have anything like a WAF in front of the site that can limit access to only the IPs that need access to the login page?
I don't know much about WP but I presume it has its own way of limiting access to certain IPs. Can you lock it down further?
Another option is to move the login page to a different, non-standard URL (i.e. not wp-admin or wp-login or whatever it is). That should get rid of a lot of bots.
-
How many login attempts to a wordpress website would be cause for concern?
Oooh... one of my favourite topics.
Sign up to Cloudflare and use a Firewall Rule to protect /wp-admin if not from a certain IP (your home IP).
Done.
But otherwise Wordpress sites normally see massive login attempts in two ways:
- Attempting to brute force the website
- Attempting to brute force any ssh access
The first you can solve with a firewall rule.
The second, install fail2ban and configure that... if more than a few SSH attempts fail to auth in quick succession the IP of the client can be banned automatically for some period of time.
How many login attempts to a wordpress website would be cause for concern?
I usually get about 10-20 per day. I use Limit Login Attempts Reloaded plugin on the site in question.
All attempts are usually in batches from a single IP which then gets blocked after x tries so I presume it's low effort automation rather than specifically being targeted. Anything I can do to ensure security? Password is pretty solid, though it's stored in Chrome. My Chrome password is also pretty solid as these things go and I keep an eye on where it's being accessed.