I have used WordPress for many years and have experienced various problems with bots and undesirable users trying to spam my sites. I use various methods to stop them.
The first thing you should do is to disable XML-RPC
XML-RPC is a remote connection protocol for letting external application communicate with WordPress. The only problem is that is used to exploit WordPress
There are multiple ways to disable XML-RPC
Of course, my favourite way is to disable it manually by adding a small amount of code to your .htaccess file in the root directory of your WordPress installation. Code Below:
<FilesMatch "xmlrpc\.php"> Order allow,deny Deny from all </FilesMatch>
Via a Plugin
The other way is to add a plugin to disable XML-RPC and its called funnily enough – Disable XML-RPC available on the WordPress Repository.
Change the default Admin URL
By default, the WordPress Admin Url is https://your-website.co.uk/wp-admin/ By making this simple change, it stops most bots from trying to log into your website and making accounts for your website, most useful for community websites.
I haven’t found a simple method of achieving this with a piece of code so I will recommend a plugin for this part. WPS Hide login will hide your WordPress wp-admin for logged out users, once logged in you still access /wp-admin/ in the normal way.
As an extra step once the plugin has been enabled you can block the default wp-login.php with the following code.
<FilesMatch "wp-login\.php|xmlrpc\.php"> Order allow,deny Deny from all </FilesMatch>
Limiting login attempts
Limiting login attempts has two benefits, one it stops bots cycling through lots of passwords one after another thus reducing the load on your webserver and stopping your website from slowing down.
Again this is achieved with the use of a plugin I would recommend Limit Login Attempts Reloaded from the WordPress Repository. It limit’s the number of retries temporarily banning users for repeated incorrect logins, slowing the bots down.
Making use of Cloudflare
Using Cloudflare has many benefits including the security of your WordPress installation.
You can use it for free too. So its a bit of a no brainer really.
I may get around to doing some Cloudflare tutorial so watch this space 🙂