If your website is built on the WordPress CMS platform (one of the most popular CMSs available) and you have Wordfence installed, you might have noticed unsuccessful login attempts with strange or non-existent usernames, such as:
A user with IP address xx.xx.xxx.xxx has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username ‘administrator’ to try to sign in.
Most likely these are bots trying their luck at getting into your admin area.
Here is a simple yet very effective way to minimize their chances of ever getting your username and password right: simply rename your ‘wp-login.php’ file.
IMPORTANT: THIS WILL NOT BE SUITABLE FOR WORDPRESS WEBSITES WHICH ALLOW USERS TO REGISTER (I.E. LOGIN). BUT IF YOUR WEBSITE DOES NOT NEED USERS TO REGISTER OR LOGIN AND YOU ARE THE ONLY ADMIN, THIS CAN WORK FOR YOU.
1) rename wp-login.php to ‘xxxxxxx.php’ (where xxxxxxx is some text string you pick)
2) Edit the file (use a TEXT editor) and change all occurrences of the string ‘wp-login.php’ to the new name. You must do this or logins will fail!
Depending on the WordPress version you are using, this string will occur a few times in your wp-login file. In my particular instance (using the latest WP version) it occurs at lines 332, 476, 499, 536, 592, 594, 627, 695, 706, 723, 824 and 9000 (use the find and replace feature of Notepad or Notepad++).
3) add this line to your .htaccess file:
RedirectMatch 301 ^/wp-login\.php$ https://yourdomain.com/wp-content/badbot-403.html
4) create a file ‘badbot-403.html’ with the following:

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title></title>
    <meta http-equiv="refresh" content="8;url=https://yourdomain.com/wp-content/badbot-warn.html" />
  </head>
  <body></body>
</html>

The reason for the ‘8’ is that it delays 8 seconds before transferring to the next page, delaying a bot a little (every little bit helps) but not messing things up for any of my users who forget and use the wrong login file name.
5) create another file ‘badbot-warn.html’ with the following:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
  <head>
    <title>Please stop hacking</title>
  </head>
  <body>
    <br /><br /><br /><br /><br /><br /><br />
    <br /><br /><br /><br /><br /><br /><br />
    <div style="text-align: center;">
      <span style="color: #000000; font-size: 24px;">Invalid Login Attempt</span>
    </div>
    <br /><br /><br /><br />
    <div style="text-align: center;">
      <span style="color: #ff0000; font-size: 34px;">Your computer has attempted to login to this site.<br />Please stop hacking.</span>
    </div>
  </body>
</html>
Now you have to log in using the new name you gave wp-login.php. For example:
If you changed ‘wp-login.php’ to ‘ha-try-and-find-this.php’ you would use ‘yourdomain.com/ha-try-and-find-this.php’. You cannot use ‘yourdomain.com/wp-admin’ because that calls wp-login.php, and off to the warning page you go.
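The five steps above, as an added example that is not code from the original post: a POSIX shell script that renames wp-login.php, rewrites its internal references with sed instead of a text editor's find and replace, appends the RedirectMatch rule to .htaccess and writes the two holding pages. The document root, the new file name and the site URL are assumptions you pass as arguments, and the function names are my own. One caveat a practitioner will want to know: a WordPress core update writes a fresh wp-login.php back into the document root (the redirect still catches it, but the renamed copy no longer receives core fixes), so plan to repeat steps 1 and 2 after each core update; the script refuses to overwrite an existing renamed file, so remove the stale copy first.

```shell
#!/bin/sh
# Added example (not from the original post): automates steps 1-5 for a
# WordPress document root. Arguments are assumptions you supply:
#   harden_login <docroot> <new-login-name.php> <site-url>
set -eu

# Steps 1 and 2: move wp-login.php to its new name, then rewrite every
# 'wp-login.php' reference inside it so the page still posts to itself.
rename_wp_login() {
  docroot=$1 newname=$2
  case $newname in
    *.php) ;;
    *) echo "new name must end in .php" >&2; return 1 ;;
  esac
  # Restrict the name so it is safe to drop into the sed replacement below.
  case ${newname%.php} in
    ''|*[!A-Za-z0-9_-]*) echo "use only letters, digits, '-' and '_'" >&2; return 1 ;;
  esac
  [ -f "$docroot/wp-login.php" ] || { echo "no wp-login.php in $docroot" >&2; return 1; }
  [ ! -e "$docroot/$newname" ] || { echo "$newname already exists" >&2; return 1; }
  mv "$docroot/wp-login.php" "$docroot/$newname"
  # 'sed -i' differs between GNU and BSD sed, so write a temp file and swap it in.
  sed "s/wp-login\.php/$newname/g" "$docroot/$newname" > "$docroot/$newname.tmp"
  mv "$docroot/$newname.tmp" "$docroot/$newname"
}

# Step 3: append the RedirectMatch rule from the post to .htaccess.
add_redirect_rule() {
  printf 'RedirectMatch 301 ^/wp-login\\.php$ %s/wp-content/badbot-403.html\n' \
    "$2" >> "$1/.htaccess"
}

# Steps 4 and 5: the 8-second holding page and the warning page it refreshes to.
write_badbot_pages() {
  docroot=$1 siteurl=$2
  mkdir -p "$docroot/wp-content"
  cat > "$docroot/wp-content/badbot-403.html" <<EOF
<!DOCTYPE html>
<html>
<head>
  <title></title>
  <meta http-equiv="refresh" content="8;url=$siteurl/wp-content/badbot-warn.html" />
</head>
<body></body>
</html>
EOF
  cat > "$docroot/wp-content/badbot-warn.html" <<'EOF'
<!DOCTYPE html>
<html lang="en">
<head><title>Please stop hacking</title></head>
<body>
  <div style="text-align: center; font-size: 24px;">Invalid Login Attempt</div>
  <div style="text-align: center; color: #ff0000; font-size: 34px;">
    Your computer has attempted to login to this site.<br />Please stop hacking.
  </div>
</body>
</html>
EOF
}

# Check after step 2: number of 'wp-login.php' references left in the renamed
# file. Anything other than 0 means a login round-trip will fail.
count_old_refs() {
  grep -c 'wp-login\.php' "$1" || true
}

harden_login() {
  rename_wp_login "$1" "$2"
  add_redirect_rule "$1" "$3"
  write_badbot_pages "$1" "$3"
  echo "remaining wp-login.php references in $2: $(count_old_refs "$1/$2")"
}

# Example invocation with assumed values (runs only when three arguments are given):
#   sh harden-login.sh /var/www/html ha-try-and-find-this.php https://yourdomain.com
if [ $# -eq 3 ]; then
  harden_login "$1" "$2" "$3"
fi
```

The name check in rename_wp_login is deliberate: the new file name ends up inside a sed replacement and inside the page the browser is told to fetch, so letters, digits, '-' and '_' are the only characters accepted. The count_old_refs check reports 0 after a successful rewrite; run it again after any core update to confirm no fresh wp-login.php references have crept back in.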