Questions about brute force attacks on the admin username, coming from amazon IP addresses

I’ve noticed this once myself (can’t remember if it was the same plugin). The captcha sat there, but just submitting the form didn’t trigger an error and worked perfectly, logging me in.

My #1 advise: use a plugin to rename wp-login.php to something else. It will effectively stop these bots (and delay an attacker that is specifically targeting you, but those are very rare), and you just tell your legitimate users about the new URL to use for login. Obviously, that won’t be an option if you have thousands of users, but for your average company site, it is.

You might also want to look into disabling XMLRPC and the REST API if you don’t use them, as they provide more attack surface.

Other than that, it sounds like you’re already set up quite well, and an active stance on security is always a great starting point.

Related Posts:

  1. I found this in a plugin. What does it do? is it dangerous?
  2. How Restrict access to admin dashboard by specific static ip?
  3. Weird problems after recovery from security breach
  4. 404 errors when updating options in admin dashboard
  5. Stop the user if login from the cookies
  6. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  7. Are WordPress Plugins essential?
  8. What are the common security flaws I need to look for? [closed]
  9. How to Add a Third Level Sub Menu to the WordPress Admin Menu
  10. How to export comments in WordPress?
  11. Security and .htaccess
  12. Secure WordPress paid plugin
  13. How to make media upload private? [duplicate]
  14. WordPress Admin is displaying Not Available
  15. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  16. What does a security risk in a plugin look like?
  17. Add content to /wp-admin/plugin-install.php admin screens
  18. Plugin: How to make links in admin page open up inside of the admin panel
  19. WordPress Capabilities: edit_user vs edit_users
  20. How to check plugins for malicious code?
  21. How to properly secure my WordPress installation?
  22. How to remove/hide action links cluttering under specific plugins’ names
  23. Where should my plugin POST to?
  24. Adding Visibility Options
  25. Why am I sometimes getting a 404 error when I try to update a page with Elementor?
  26. Why users disable the WordPress update?
  27. Will WordPress username displayed somewhere in the site?
  28. Is revealing just the AUTH_KEY a security issue?
  29. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  30. How to expire all wordpress user passwords instantly?
  31. How could I execute my plugin just in frontend (not in backend)
  32. Can’t see login page after migration
  33. Custom height/width for thickbox in WP Backend
  34. How can I create a plugin installation link?
  35. Should you escape hardcoded URLs?
  36. Cannot access wp-admin after disabling all plugin
  37. Plugin upload to install
  38. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  39. Change the backend language of a single plugin
  40. How to delete Passwrd Protected posts cookies when a user logged out from the site
  41. Rotating background images with admin options
  42. Show an image in my header.php
  43. Upgraded to latest version – 3.0.3 and Now I get a “sufficient permissions to access this page” error
  44. How to block plugin activations with no known user or coming from unknown IP address range?
  45. Check for security updates
  46. Standard Fail2Ban vs. WP Fail2ban vs. WP Fail2Ban Redux
  47. Facebook Messager Plugin
  48. Malicious File Upload [closed]
  49. Create tabs in admin options page from custom post type loop
  50. Malware installation during plugin update?
  51. Add menu page issues (permissions & position)
  52. I should enable automatic updates?
  53. Add sub menu page in your plugin
  54. Security and Must Use Plugins
  55. Is there any way to make myself an admin?
  56. Full list of registered scripts or styles, but from an admin options page
  57. How to protect WordPress from security scanner [closed]
  58. How can i force wp-admin to use 2-column dashboard layout? [closed]
  59. How can I modify page content in the admin panel?
  60. How to display terms and conditions in post area?
  61. Website show Google Ads when we have no Google Ads linked to our website
  62. Is there a plugin for WordPress for creating ‘Accounts’ where all users who belong to that Account can only see Account data? [closed]
  63. Vulnerability Concern From the Plugin or From Not Updating the Plugin?
  64. Chrome Dev Tools console says every page in my blog has link to http://maps.google.com [closed]
  65. Remove value from array within post meta ajax admin
  66. Is there a better way of handling AJAX requests in WordPress?
  67. Get access to WordPress when logged out
  68. Regarding plugin security
  69. How do I determine if the user who registered is not spam?
  70. How can I disable new plugin and theme install, but allow updates?
  71. Validating ajax search
  72. Warning: call_user_func_array() expects parameter 1 to be a valid callback, function
  73. Can we hide a certain user in WP?
  74. WordPress disable direct access of files in WordPress installation path
  75. WordPress Dashboard add user password not working, etc
  76. Asking help regarding potential malware
  77. How to find where an image is used by it’s url
  78. Store admin page into variable
  79. Why does WordPress use cookies for /wp-admin and /wp-content/plugins for non-admin users [duplicate]
  80. Being hacked. Is there a list of WordPress security holes I can check against?
  81. wp_verify_nonce fails always
  82. Disable default posts (Posts,Pages,Comments and Media) in wp-admin
  83. How to add php stylesheet to admin section instead of admin_head hook
  84. Plugin (smart archives reloaded) crashed site / no access on admin panel
  85. Unwanted Links and Spam WordPress Pages and Posts
  86. How to activate/deactivate menu tab and keep the same id?
  87. Problem with permissions in wp-content/plugins
  88. Making plugin to use different table prefix cause permission problem
  89. Add custom fields in the new and edit the site forms without touching the WP core
  90. File permissions for wp-minify plugin
  91. What is the recommended way to be notified of security updates to my plugins? [closed]
  92. My WP site and password was hacked, what to do? [closed]
  93. Screen Options drop-down does not show
  94. How to resolve these findings from security audit
  95. plugin translations not reflected in admin dashboard
  96. How to rename files during upload to a random string?
  97. WordPress Plugin and other pages not opening
  98. warning wp session
  99. PHP FATAL ERROR
  100. /wp-admin/plugins.php takes ages to load, and then 404s
tech