Questions about brute force attacks on the admin username, coming from amazon IP addresses

I’ve noticed this once myself (can’t remember if it was the same plugin). The captcha sat there, but just submitting the form didn’t trigger an error and worked perfectly, logging me in.

My #1 advise: use a plugin to rename wp-login.php to something else. It will effectively stop these bots (and delay an attacker that is specifically targeting you, but those are very rare), and you just tell your legitimate users about the new URL to use for login. Obviously, that won’t be an option if you have thousands of users, but for your average company site, it is.

You might also want to look into disabling XMLRPC and the REST API if you don’t use them, as they provide more attack surface.

Other than that, it sounds like you’re already set up quite well, and an active stance on security is always a great starting point.

Related Posts:

  1. I found this in a plugin. What does it do? is it dangerous?
  2. How Restrict access to admin dashboard by specific static ip?
  3. Weird problems after recovery from security breach
  4. 404 errors when updating options in admin dashboard
  5. Stop the user if login from the cookies
  6. Secure way to add JS Script to WordPress filesystem
  7. Remove ‘Check Compatibility’ from Plugins menu
  8. Malware installation during plugin update?
  9. Add menu page issues (permissions & position)
  10. Hack-Proof OR Security in WordPress — is it real?
  11. I should enable automatic updates?
  12. Network activating; if ( !current_user_can( ‘manage_options’ ) ) locks me out…
  13. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  14. Cannot access my wp-admin after installing Gzip compression [closed]
  15. Add sub menu page in your plugin
  16. Security and Must Use Plugins
  17. Is Timthumb still broken? What security measures should be taken?
  18. Prevent direct access to WordPress plugin assets?
  19. Plugin settings won’t save changes
  20. Is there any way to make myself an admin?
  21. Full list of registered scripts or styles, but from an admin options page
  22. How to make multiple admin pages for one plugin?
  23. $wpdb update query in plugin only updating one column
  24. Is it safe to use admin-ajax.php in the frontend?
  25. How to protect WordPress from security scanner [closed]
  26. Locked out of admin panel after installing HC Custom WP-Admin URL [closed]
  27. Specific way to allow WordPress users to view their current password? And edit it?
  28. How can i force wp-admin to use 2-column dashboard layout? [closed]
  29. Too many login attempts
  30. Odd /wp-admin/admin-ajax.php entries showing in Wassup
  31. Is there any pre-existing plugin to track and block IPs with suspicious activity on my site?
  32. How to prevent plugins from sniffing/stealing other plugins’ options?
  33. How can I modify page content in the admin panel?
  34. Display Plugin Panels Outside of Admin Areas
  35. How to display terms and conditions in post area?
  36. Website show Google Ads when we have no Google Ads linked to our website
  37. Is there a plugin for WordPress for creating ‘Accounts’ where all users who belong to that Account can only see Account data? [closed]
  38. Vulnerability Concern From the Plugin or From Not Updating the Plugin?
  39. Custom API plugin to execute 3rd party API to retrieve data
  40. How to deal with Slow HTTP POST (slowloris) vulnerability
  41. Running multiple security plugins
  42. how do I secure my WP website from hackers? [closed]
  43. WordPress Site is Broken, Cannot see wp-admin page [closed]
  44. Change the layout of action links under the plugin names
  45. Chrome Dev Tools console says every page in my blog has link to http://maps.google.com [closed]
  46. getting notifications about updates only in the “core” page
  47. How to remove a CPT Menu from the Root Admin only
  48. Remove value from array within post meta ajax admin
  49. Is there a better way of handling AJAX requests in WordPress?
  50. Redirect Plugins.php to New Plugin Page
  51. Mowing site to another domain in simplest way
  52. Webservice credential storage [duplicate]
  53. Get access to WordPress when logged out
  54. Why are plugin settings not all nested in one place?
  55. Regarding plugin security
  56. Cannot access WP admin because plugin returns 204
  57. How do I determine if the user who registered is not spam?
  58. Install old version of plugin from admin panel?
  59. WordPress as heavily personalized content management portal, and somewhat like dropbox [closed]
  60. If I use an alternative login (e.g. CAS or other SSO) plugin, is my site protected from the recent brute force login attempts?
  61. Is this plugin safe to run?
  62. Edit page header on a custom plugin
  63. Is the Block Bad Queries Plugin Still Relevant?
  64. I cannot include a file in my plugin settings page
  65. WP Insert Post If user refreshes override new post
  66. Error activating certain plugins
  67. Website Captcha Error: The reCAPTCHA wasn’t entered correctly
  68. Can’t save changes or modify settings in Dashboard but Pages and Posts are fine
  69. Hide plugins and theme from public
  70. WordPress search shows protected content
  71. Change Dashboard URL from wp-admin to wp-admin/index.php
  72. Trigger jQuery to add events after AJAX-loading table in admin plugin
  73. Security of a WordPress Plugin
  74. Can I disable xml-rpc by setting it to false?
  75. How can I disable new plugin and theme install, but allow updates?
  76. Elementor pro page editing gives error There has been a critical error on this website. Please check your site admin email inbox for instructions
  77. Help to Create a Simple Plugin to make a post
  78. how to move a plugin-block in Edit Post page back to bottom area?
  79. force logged in user to stay in the dashboard
  80. wp_post not working, keeps redirecting to posts page
  81. Validating ajax search
  82. WordPress fatal error from php protocol codes
  83. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  84. How can we get this dynamically as this folder may not be by the same name always → wp-admin
  85. Warning: call_user_func_array() expects parameter 1 to be a valid callback, function
  86. Can we hide a certain user in WP?
  87. Calling PHP function with AJAX
  88. WordPress disable direct access of files in WordPress installation path
  89. How to properly enqueue jQuery knob on WordPress without conflict?
  90. WordPress Dashboard add user password not working, etc
  91. Asking help regarding potential malware
  92. prevent anonymous access to WordPress site (non-admin site)
  93. Failed GET Request From admin.php To Fetch .min.js File From Unminifed Directory
  94. Add custom WordPress admin page with pretty url via code
  95. How to find where an image is used by it’s url
  96. Get full URL of WP plugin admin page
  97. Bing/msn bots is heavily requesting random of my website
  98. WordPress Admin login redirect to homepage
  99. “Fire Secure” menu item
  100. Securing a plugin pop-up window
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)