Admin Tools for WordPress

#40220 help with constant login attempts from different ip addresses

Posted in ‘Admin Tools for WordPress’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

WordPress version
PHP version
Admin Tools version

Latest post by nicholas on Wednesday, 31 January 2024 00:40 CST




I am a long-time Akeeba user (originally on Joomla, now mostly on Wordpress). We host about a dozen WP sites. The site listed above is constantly being hit by admin login attempts (thousands over the last six months. About a month ago I set Admin Tools to block the ip address of any failed login. This has slowed the attempt down a bit but still get a hundred or so each day. I realize that these are all being blocked which is good (thank you Akeeba Admin) but wanted to know if you see this often and if there is anything additional I should do.




Neil Agate

Akeeba Staff

There is really not a lot you can do.

WordPress, unlike Joomla, always uses a single login for both the public frontend and administrator backend (wp-admin). While you can protect the wp-admin folder with a password, it will only prevent someone from accessing the administrator backend, not their attempt to log into your site.

You can use Admin Tools' Web Application Firewall feature to rename the login page. This means that visitors can no longer access /wp-login.php or /wp-admin directly; they have to go through your custom URL slug first. The URL slug is visible in the frontend wherever you have a login widget or login page. Yet, it is still very effective since the vast majority of bots try /wp-login.php directly, without trying to scrape your page for a custom login URL first.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!