How am I still seeing failed login attempts when denying all access to wp-admin?

I have limited access to my WordPress login page by adding the following .htaccess file to the wp-admin directory:

## due to brute force attacks, limiting access to specific ips
order deny,allow
deny from all
allow from 24.xxx.xxx.xxx 66.xxx.xxx.xxx

I have had this in place for a day or three now and thought it was working. But today I got a notice from our security plugin that this site has had several failed login attempts. The failed login attempts were from an IP similar to this:

200.199.xxx.xxx

I am xing out the IPs for security measures, but wanted to give you an idea of the IP families that I am allowing vs. seeing attempting login.

So how would it be possible for a bot or person to be able to even arrive at the login page with this type of blocking in place?
