Brute force attack?

I’m seeing this quite often:


No OS, same Browser, weird hostname — they’re definitely not real users. Can I do anything to take precautions before they do something?


Solutions Collecting From Web of "Brute force attack?"

There’s an app plugin for that, Limit Login Attempts.

Some more info available in this wp beginner post:

Since it looks as if there is no referrer, you could block the attempts with .htaccess.
Something like this:

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-login\.php.*\ HTTP/ [NC]
RewriteCond %{HTTP_REFERER} ^-?$
RewriteRule .* - [F,NS]

There are different variations on that; you could even just try using REQUEST_URI instead.

RewriteCond %{REQUEST_URI} wp-login\.php [NC]
RewriteCond %{HTTP_REFERER} ^-?$
RewriteRule .* - [F,NS]

Or if you’re the only person logging into your site you could lock it down even more like so:

# example.com is a placeholder for your own domain
RewriteCond %{REQUEST_URI} wp-login\.php [NC]
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
RewriteRule .* https://example.com/ [R=301,L]

Where xxx.xxx.xxx.xxx is your static IP Address. Can be modified to just work for Class A, B, or C if you have a dynamic IP Address.

Where example.com is your TLD. That way they’re just redirected to your home page.
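
An added example, not part of the answers above: a Python check that replays an Apache access log against the REQUEST_URI and empty-referer conditions of the second rule, so you can see which clients it would block before deploying it. The combined log format, the threshold of 3 and the sample lines are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def would_block(uri, referer):
    """Mirror the two RewriteCond lines: wp-login.php in the path (case-insensitive)
    and a referer that is empty or a lone "-" (how the log records a missing one)."""
    path = uri.split('?', 1)[0]  # REQUEST_URI excludes the query string
    return (re.search(r'wp-login\.php', path, re.I) is not None
            and re.fullmatch(r'-?', referer) is not None)

def summarize(lines, threshold=3):
    """Return (matching hits per IP, IPs at or above the threshold)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and would_block(m['uri'], m['referer']):
            hits[m['ip']] += 1
    return hits, {ip for ip, n in hits.items() if n >= threshold}

# Constructed sample lines using documentation IP ranges, not data from the page.
T = '[10/Oct/2013:13:55:36 +0000]'
SAMPLE = [
    f'203.0.113.7 - - {T} "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - {T} "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - {T} "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"',
    # Normal login: the form was loaded first, so a referer is present.
    f'198.51.100.20 - - {T} "POST /wp-login.php HTTP/1.1" 302 0 '
    '"https://example.com/wp-login.php" "Mozilla/5.0"',
    # Typed URL or bookmark: no referer, so the rule would block this visitor too.
    f'192.0.2.44 - - {T} "GET /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    f'192.0.2.44 - - {T} "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    hits, suspects = summarize(SAMPLE)
    for ip, n in hits.most_common():
        print(f'{ip}: {n} request(s) the rule would block',
              '(repeat offender)' if ip in suspects else '')
```

The single hit from 192.0.2.44 shows the side effect of the rule: anyone who opens wp-login.php directly from a bookmark also sends no referer and gets the 403.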