If you use a security plugins to track attempts bogus attempts at logging into you wordpress admin then you will see lots of attempted logins. While these logins fail it is traffic to your wordpress that wordpress needs to process. Every attempt requires a database lookup and and server processing.
We have implemented the following solution to stop WordPress Admin login attacks. We will update this page frequently as attacks always morph and change the approach to stop them has to be changed.
Install wordfence, this will track the attempted logins and track. There is a pro version available, but for this excercise the free version will cover your needs.
Wordfence will send an email like below to notify you of the failed login attempt
This email was sent from your website "Willows Consulting" by the Wordfence plugin at Saturday 28th of July 2018 at 07:57:33 AM The Wordfence administrative URL for this site is: https://blog.willows-consulting.com/wp-admin/admin.php?page=Wordfence A user with IP addr 220.127.116.11 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username 'willows-consultingcom' to try to sign in.. The duration of the lockout is 4 hours. User IP: 18.104.22.168 User hostname: 22.214.171.124 User location: Sainyabuli, Laos
Edit your .htaceess file
You can limit access to wordpress admin from 1 ip address or a range of addresses. In a mobile world we need to have a range of ip addresses to access the admin from.
To limit the admin to 1 ip address insert the following in your htaccess file. Remember to replace the ip address with yours or else you will lock yourself out too!
To find your ip address type in google “what is my ip address”. Then in the wp-admin folder edit the .htaccess file inserting the following lines. Replace xx.xx.xx.xx with your ip address.
Deny from all
Allow from xx.xx.xx.xx
Optional step 3.
If you have access to your firewall then you can add the offending ip addresses to the firewall. However this is a labour intensive excercise and while it kills the traffic at a server level it is not feasible to keep updating it.