Recently we’ve noticed a lot of brute force attacks on our website. To make things more secure we decided to limit access to the wp-login URL to only a few trusted IP addresses.
<Files wp-login.php>
order deny,allow
Deny from all
allow from {IP-ADDRESS}
</Files>
This works, and only allowed IPs are able to access this URL.
However, we are still seeing brute force attacks trying to log in.
To my knowledge the only way to log into WordPress is via wp-login.php, but if this is not reachable, then how can it be that login attempts are still being made?
Note that the WP REST API is disabled (!)
Any ideas would be much appreciated!
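
One way to see where the remaining attempts are arriving, added here as an example and not part of the original post: tally POST requests per path and status from the Apache access log, so blocked requests to wp-login.php can be told apart from POSTs that still get through elsewhere. The combined log format, the function names and the sample lines are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def tally_posts(lines):
    """Count POST requests per (path, status), with the query string stripped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]
        counts[(path, int(m.group("status")))] += 1
    return counts

def reachable_post_targets(counts):
    """Paths whose POSTs were not refused (status other than 401/403), busiest first."""
    totals = Counter()
    for (path, status), n in counts.items():
        if status not in (401, 403):
            totals[path] += n
    return totals.most_common()

# Constructed sample lines (documentation IP ranges), not taken from the post.
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    # xmlrpc.php is WordPress's XML-RPC endpoint; it accepts credentials too
    # and is not covered by a <Files wp-login.php> rule.
    '198.51.100.9 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2024:10:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 2500 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    counts = tally_posts(SAMPLE)
    print("wp-login.php POSTs refused with 403:", counts[("/wp-login.php", 403)])
    for path, n in reachable_post_targets(counts):
        print(f"{n:5d}  {path}")
```

To run it against a real log, pass an open file handle to `tally_posts` instead of `SAMPLE`.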