Pummelled WordPress Login Attempts, Limit Login Notices

I’ve got a few WordPress sites getting tons of attempts to login, a regular stream of notifications from the Limit Login plugins. I know I can turn off notifications as per this old thread but just am not liking having so much directed attempts.

These are in subdomain sites that were developed but never used, there are no links to them. I guess people can look up DNS records to find all subdomains?

I avoid “admin” user names, but often the login names they are trying are actual user names on the site.

I did quiet it on one site a few months ago by disabling XMP_RPC and using a plugin that moves the login URL as blogged

Just wondering if there is anythings else I can do, it’s just a dirty business these vermin are doing.


I’m interested in this.

It’s an alarming thing to get that first notification that your site is getting pummeled with nefarious traffic.

After reading Tom’s post, I wondered if I should add the plugin that disables WordPress XMP_RPC by default to new wordpress sites on DoOO. My perception is those features are almost never used, but are a vulnerability.

Yeah, it feels like opening a door and getting a waft of sewer smell.

That was actually my post :wink: and it worked like a charm- not sure if it was nuking XMP_RPC or the moving of the login URL , but they have been hitting other subdomains in the same host.

I was wondering if disabling XMP_RPC would prevent the WordPress app from connecting, I guess I will just have to find out by trying. If you find any other tricks, Ed, please chime in.

Ok, I have gone the plugin route for stoping XMP_RPC and confirmed this disables the WordPress app from being able to post. Not a killer for me, I have only one site I do this. This is the plugin I used

I also bumped the thresholds for Limit login as really anyone but me uses these sites, and I foirget my login, I should just take a break and go outside

Leaving the email notifications on in the Limit Logons plugin to test if it works

Yeah, my understanding is that turning off XML-RPC will break trackbacks / pingbacks, and the mobile app.

The main vulnerabilities I’m aware of with XML-RPC are DDoS and brute forcing logins. The logins part is precisely why you should use a Limit Login Attempts plugin on WP. Limit Login Attempts Reloaded does also block based on repeated XML-RPC login attempts.

The DDoS vulnerability is what you might expect. Basically, you can send sites a ton of pingbacks and bog the site or server down. We do see this on occasion, and have in the past temporarily blocked XML-RPC traffic for a site, or entire server, to allow load to come back down.

My main recommendation is to definitely use a Limit Login Attempts plugin, and stay on top of plugin and theme updates. For particularly important sites I’d also strongly suggest setting up a 2FA plugin, like Wordfence or other options.

Also @Ed_Beck If you want to turn off XML_RPC server wide, I do believe we can do that by request.

Thanks Taylor, this is helpful. I do have Limit Login Attempts everywhere (I think Reclaim outs this in all WP installs?). I thought about turning off notifications, but wondered if I might miss something.

Turning off XML-RPC has stopped them all. For these blogs, most are just test sites, and ones in development, I can live without pingbacks. I have another one where I prefer using the WP app, so I might stay with severe time settings on Limit Login Attempts.

These are all sites hosted on my wife’s reclaim account, its like they crawled domains, or maybe they comb through DNS records at Reclaim? One is form my own account, so.

Yes, we do by default install and enable the Limit Login Attempts Reloaded plugin (although that plugin realllly tries to upsell you now, which is annoying :man_shrugging: )

I’m not 100% sure how sites that aren’t linked to get discovered, but it does happen somewhat often. Definitely something I want to do more research into / learn about as it is a bit beyond me.

Well disabling XML RPC does not stop it, still happening on one site, now turning up the penalty hours way up.

I’ve read that it’s possible to find all domains and subdomains on a server from DNS records.

I’ve also noted that for attempts on sites with posts that they are using listed usernames to login (these are sites where users never edited profiles to creat display names) so they are extracting user names.