Web-D Securing WordPress - URL and Username for Login.

[Mountaili]

Due to encountering severe issues with brute force login attempts on my WordPress site, I have implemented suggestions from other forum users such as changing the login URL and restricting the login attempts through plugins like WPS Hide Login and Limited Login Attempts. While these changes have reduced the number of login attempts, a significant amount of attempts still occur. I have two inquiries:

1. How do bots discover the new URL so quickly, and are there any alternative plugins or solutions?
2. Despite having unique usernames, login attempts are being made to two of my WordPress sites using general, common usernames. How is this possible, and what can I do to improve security?

 

[SosaHelpful]

• Although I am unfamiliar with the functionality of WPS Hide Login, I personally prefer 'Hide My WP' as it effectively fulfills my requirements.
• One potential source of obtained usernames is through posting articles using that specific username. Bots and hackers can also gather usernames through user enumeration from sources like /wp-json/wp/v2/users, among others. This can be mitigated by using plugins such as 'Stop User Enumeration' to disable this feature. However, once a bot has acquired a username, they are likely to persistently attempt to exploit it.

 

[Starthe]

Thank you very much for your feedback. I truly appreciate it. I encourage you to try out the Hide My WP plugin. Additionally, considering your admission of posting articles under that username for at least one site, it's worth taking that into account. I also recommend exploring solutions to address the user enumeration concern. Best of luck with implementing these measures!