WordPress admin site login URL is /wp-login.php by default. It is known by all bots, hackers, and other spam software which can take brute force attacks on your website. If you find there are so many records ( ie: 220.127.116.11 – – [29/Nov/2020:00:20:53 -0700] “POST /wp-login.php HTTP/1.1” 200 ) in your website access log, it means your website is under attack by bots. This can cost a lot of your website bandwidth and slow down your web server.
There are two ways to fix such an issue. One is to install a third-party plugin ( for example WPS Hide Login ) to hide the default WordPress admin login page URL. But if you use this method, you have to remember another WordPress login page URL, and the bots request will arrive your webserver to give your web server so much spam requests pressure to slow down it’s performance.
We have another method to avoid such attacks without installing a plugin. In this method, the bots request will never arrive at your web server at all, so it can improve your website speed and performance largely. And the login page URL does not need to be changed also, you can remember it easily. Now I will tell you how to do it.
1. Use Cloudflare Firewall Free Rules To Avoid /wp-login.php /wp-admin Attacks.
- First, you should use Cloudflare CDN service to your website (Read article CloudFlare Plus SSL To Make Your WordPress Fast And Secure ).
- Login to Cloudflare admin console.
- Click the Firewall button at the top navigation bar, then click Firewall Rules link under the Firewall button.
- Create a new firewall rule by click Create a Firewall rule button.
- In the create new firewall rule page, enter Block bot request to /wp-login.php and /wp-admin in Rule name input text box.
- Add two incoming request match condition, one is Field( URI ) Operator( contains ) Value( /wp-login.php ), the other is Field( URI ) Operator( contains ) Value( /wp-admin ). The two incoming request conditions are Or relation.
- Select Challenge(Captcha) at the bottom Choose an action drop-down list. Click the Deploy button to deploy it.
- Now when a client request /wp-login.php or /wp-admin, it will prompt a Captcha window to verify that the client is a human, not a bot. All bots requests are stopped at the Cloudflare server and never arrive at your original web server. This can reduce your webserver pressure largely.