Bad bot login attempts

One thing that consistently amuses me on the usually excellent WP support forum is the experts’ responses to questions about bad bot login attempts …

  • “Don’t worry about it”
  • “It’s normal”
  • “I get way more malicious login attempts than that” – as if it were a badge of honor.

Bots constantly pound away at WP login pages – usually using ‘admin’ as username and a list of common passwords. These hacks are easy to thwart. Just use a non-obvious username and strong password. Problem solved, right? Well, kinda – with a strong password and a username other than ‘admin’, I won’t be hacked by this vector. But I refuse to accept my site being constantly under attack as somehow ‘normal’.

Obfuscating my login URL using a plugin like WPS Hide Login is a great solution. Bots can’t pound away at my login page if they can’t find it. Problem solved, right? Well, kinda – bots are kept off my login page but are still hitting my server and using resources to generate 404 pages.

Next step in the solution is to serve a simple 403 text string instead of a 404 page for login page attempts, by including this text in my .htaccess file:

# Serve a 403 text string not a 404 page for login attempts
ErrorDocument 403 "403: Sorry, not permitted."
# Any request path ending in wp-login.php (at any depth) gets the 403 above
RedirectMatch 403 (.*)wp-login\.php$

A text string is much less resource-intensive than a 404 page. Problem solved, right? Well, kinda – I would really rather keep bad login bots off my site completely.

Final step is to use Cloudflare page rules to block bad login bots at the reverse proxy level, before they even get to my server. Problem solved. Maybe not perfectly, but the best I know how to do.
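One way to check that the chain above is actually working is to read the server access log: before the .htaccess rule, wp-login.php probes show up as 404s with full-page byte counts; after it, as small 403s; once Cloudflare blocks them, they should stop appearing at all. The script below is an added example, not code from the original post. It parses Apache combined-format access log lines, applies the same `(.*)wp-login\.php$` pattern the RedirectMatch rule uses to pick out login probes, and reports hits per IP, status codes, and bytes served per status. The log lines and the hidden login path `/my-secret-login/` are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample Apache combined-format access log lines (not real traffic).
# Two IPs probe wp-login.php; one legitimate visitor uses the hidden login path.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 403 27 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 403 27 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:02:15:11 +0000] "GET /wp-login.php HTTP/1.1" 404 5120 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:02:15:12 +0000] "POST /wp-login.php HTTP/1.1" 404 5120 "-" "python-requests/2.31"
192.0.2.55 - - [10/Mar/2024:02:16:40 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2024:02:16:45 +0000] "GET /my-secret-login/ HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:02:17:03 +0000] "POST /blog/wp-login.php HTTP/1.1" 403 27 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: ip ident user [time] "method path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Same pattern as the .htaccess RedirectMatch rule, applied to the path only
LOGIN_RE = re.compile(r"(.*)wp-login\.php$")


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_login_probe(path):
    """True if the request path (query string ignored, as RedirectMatch does) targets wp-login.php."""
    return LOGIN_RE.search(path.split("?", 1)[0]) is not None


def login_probe_report(log_text, threshold=2):
    """Summarise wp-login.php hits: per-IP counts, status codes, bytes per status, noisy IPs."""
    per_ip = Counter()
    status_counts = Counter()
    bytes_by_status = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_login_probe(rec["path"]):
            continue
        per_ip[rec["ip"]] += 1
        status_counts[rec["status"]] += 1
        bytes_by_status[rec["status"]] += rec["bytes"]
    # IPs at or above the threshold are candidates for a Cloudflare block
    noisy = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return {
        "per_ip": dict(per_ip),
        "status_counts": dict(status_counts),
        "bytes_by_status": dict(bytes_by_status),
        "noisy_ips": noisy,
    }


if __name__ == "__main__":
    report = login_probe_report(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows the point of the .htaccess step directly: the two 404 responses cost 10240 bytes, the three 403 text strings 81. Run it against the real log with `login_probe_report(open("/var/log/apache2/access.log").read())`; any IP still appearing after the Cloudflare page rule is in place means the rule is not catching that path.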

WPPOV supports freedom from Net Neutrality and the GDPR. The Internet of the people, by the people, for the people, shall not perish from the Earth.