Question on WP Botnet

So I have been dealing with this botnet issue for awhile, and I used a script put on my VPS at Hostgator that asked for an extra login before getting to the wp-login.php page. I ran it for a week, took it down, got hit and server went down again. This happened quite a bit until I finally just left the script on. However, for my clients who run memberships sites or affiliate programs, this script is getting in the way. I looked at the Brute Force plugin, which is almost like an Askimet pool of Ips its building, but that doesnt stop the attempts and everyone says lockout plugins dont work.

So I have 2 questions:

  1. Would using a plugin like Better WP Securityor code like RewriteRule ^login$ [NC,L] to change the login url work?
  2. Or should I try this new plugin that just locks down more effectively?

I ask because I dont understand if the botnet only searches for the wp-login.php url or if it would be blocked by simply changing the url. Any advice would be much appreciated!!! :slight_smile:

Hi satori

My host uses the same extra layer of security - it’s a pain. However I found a way round it by using a plugin called ‘Theme My Login’. It uses a url other than wordpress/wp-login.php, e.g., and places the login page inside your theme. Seems to be working for me.

I also use WangGuard, which allows me to add a randomised security question to the registration page, among other useful stuff, and Wordfence Security which has a whole host of features.

According to my host, the brute force attacks are focused specifically on wp-login.php

Hope that helps


Ive heard of that before. Does it actually change the page location, not just redirect? What happens if you enter wp-login.php directly, does it throw a 404 or something?

wp-login.php is still there and can still be accessed. However, the bona fide user is never directed to that page, only to the ‘in-theme’ login page. If someone goes directly to wp-login.php then they will have to go through the extra security layer.

In that respect it’s not 100%, but at least your site never directs the user to wp-login.php.

Right now, I’m working from an ip address that has never been used to log in. When I try to go directly to wp-login.php, I see the extra security layer. Then if I use the login link on my web page, it goes straight to the login dialog.