I’ve changed my login URL because we are getting a lot of spammy login attempts. It’s been over a week since I changed it and we’re still getting lots of login attempts.
I added the URL to the list of pages that should not be cached.
Are there other ways to prevent these login attempts?
Changing the login URL is a good practice, but it remains obfuscation. wp-login.php still exists in the background, and bots can identify WordPress without relying on the visible URL.
To actually reduce login attempts, you need access control (WAF / Cerber, rate limiting, 2FA, IP restrictions).
Fully hiding WordPress is possible, but it’s highly technical and often leads to blocking issues.
Bots have evolved (and with AI it’s even worse): endpoints, REST API, XML-RPC, etc. are used to fingerprint WordPress.
A single plugin is not enough; it requires custom code and accepting sometimes unpredictable behavior.
In short: this is custom work. Without strong development expertise, you can’t realistically go further.
As long as bots can identify WordPress during analysis, they will keep attacking. It’s that simple.
A security sentinel like Cerber can block them, slow them down, and allow you to blacklist their IPs.
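To see why attempts continue after the login URL was renamed, it helps to tally which endpoints the credential POSTs actually hit and which IPs exceed a rate threshold. The script below is an added example, not code from this thread or from any plugin. It assumes an access log in common log format; the sample lines, the `/my-login` path and the thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (documentation IP ranges, hypothetical /my-login URL).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2025:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.7 - - [12/May/2025:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.7 - - [12/May/2025:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.7 - - [12/May/2025:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.23 - - [12/May/2025:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
198.51.100.23 - - [12/May/2025:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
192.0.2.10 - - [12/May/2025:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5120
192.0.2.10 - - [12/May/2025:10:02:30 +0000] "POST /my-login HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
# Endpoints that still accept credentials after the visible login URL is renamed.
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")

def auth_posts(log_text, extra_paths=()):
    """Yield (ip, time, path) for each POST to a credential-accepting endpoint."""
    for m in map(LINE_RE.match, log_text.splitlines()):
        if not m or m[3] != "POST":
            continue  # skip unparseable lines and non-POST requests
        path = m[4].split("?", 1)[0]
        if path in AUTH_PATHS + tuple(extra_paths):
            yield m[1], datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z"), path

def endpoint_counts(log_text, extra_paths=()):
    """Count credential POSTs per endpoint, to show where attempts really land."""
    return Counter(path for _, _, path in auth_posts(log_text, extra_paths))

def offenders(log_text, limit=3, window=timedelta(minutes=1)):
    """Return IPs with more than `limit` credential POSTs inside any window."""
    by_ip = defaultdict(list)
    for ip, when, _ in auth_posts(log_text):
        by_ip[ip].append(when)
    flagged = []
    for ip, times in sorted(by_ip.items()):
        times.sort()
        # limit+1 attempts fit in one window when attempt i+limit
        # is within `window` of attempt i.
        if any(b - a <= window for a, b in zip(times, times[limit:])):
            flagged.append(ip)
    return flagged
```

If most of the counted POSTs land on `/xmlrpc.php` or the original `/wp-login.php`, the renamed URL was never what the bots were using, and the flagged IPs are candidates for the rate limiting or blacklisting described above.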