The website is under attack.

This is clearly the reality of the internet. Many random attempts at gaining access into any web server that is available/insecure/badly configured. As far as I can tell so far none of these attempts has actually succeeded.

First response I had was to limit the Login Attempts to 1 allowed try and 24 hours until reset. This worked well but actually restricted me from getting in a couple of times. I ended up with these settings to restrict the attack as much as possible without making it a pain if I got the password wrong.

I have always used a strong password to protect the site and even though this seems like a lot of attacks it would take centuries, maybe even millennia to luck upon the right password that these bot-nets are guessing.

To make it effectively impossible for these particular attacks to gain access I have added a plugin called WordFence to add Multi-Factor Authentication to the mix.

On top of this looking in the WPScan plug in it is telling me that the XML-RPC is enabled and this will significantly increase your site’s attack surface which means there are many more points of entry that the attackers can use to attempt access to the site.

The WPScan blog has a good post on this https://blog.wpscan.com/is-wordpress-xmlrpc-a-security-problem/

Unfortunately it’s not a simple fix especially if you want to fully shut it down which many of the usual plug-ins won’t do.

For now the plan is to find one of these plug-ins to close it down as much as possible until I can figure out how to fully disable XML-RPC.

Update 11/07/22

After a couple of efforts at inserting code to disable XML-RPC I have gone with the XML-RPC Security plug-in as a quick fix. Let’s see how the failed attempts fare after this.

Now the WPS Scan is clear.

Final Update 14/07/22

So the XML-RPC disable plug in has fixed the problem. Reducing the size of the attack surface available to web has made all the difference.