Recently, attacks on WordPress with the goal of stealing passwords have become very frequent. Attackers are requesting access to the file wp-login.php, respectively, the simplest method of protection would be to deny them all access to this file.
There are several ways to do this:
1) Close the file .htaccess for all IP addresses
In the file .htaccess you need to write
<Files wp-login.php> order deny,allow deny from all allow from 220.127.116.11 </Files>
What it means:
<Files wp-login.php> – Rule for file wp-login.php order deny,allow – Defines the logic of work.
deny from all – Deny everyone to view files.
allow from 18.104.22.168 – Allow access to file wp-login.php for ip address 22.214.171.124
You need to replace the address 126.96.36.199 with your IP address, which can be found here: https://tuthost.ua/ip/ or https://2ip.ua
However, keep in mind that if your ISP does not give you a static address, then it will be constantly changing.
2) The second way is to rename the file wp-login.php
1. Rename the original wp-login.php to any other name, even to “4xqtbgkqs60.php”.
2. Then replace all the words wp-login.php with the new name, in our case 4xqtbgkqs60.php, in the file 4xqtbgkqs60.php (old wp-login.php) and in the file wp-includes/general-template.php.
3. The final step is to completely restrict access to the file wp-login.php in .htaccess:
<Files wp-login.php> Order Deny,Allow Deny from all </Files>
Lock access to a non-existent file wp-login.php is necessary because intruders will still be asking for it, and the engine will issue a 404 page (the file does not exist), which also creates a large load on the site.
Note, if you create a deny from all construct, make sure you have a 403.shtml file in the root of your site, if not, then create one. Otherwise, requests for error 403 will intercept wordpress and in this case the load on the site will not decrease.