We have developed a WordPress plugin to combat the growing problem of brute force attacks on the wp-login.php file on WordPress websites.
This plugin is freely available to download from wordpress.org.
Here is some information about the scripts that can be blocked using this plugin.
This is the login page for WordPress; hundreds or thousands of hits to this page are not normal and almost certainly indicate a brute force attempt to guess the admin password.
This is a WordPress core feature which is used to provide functionality to the control panel when things need to happen without you leaving the current page. Features include (but are not limited to) automatic saving of posts, updating of plugins on the plugin page and viewing of the media library when adding media to a page. Our plugin does not block these features, but some WordPress themes and plugins also make use of this script, so you should thoroughly test your site if you decide to block admin-ajax.php.
This is a WordPress core feature which is used to perform scheduled tasks in the background. Tasks include (but are not limited to) scheduling of posts to go live in the future and automatic updates of the WordPress core. If you’re not too bothered about scheduled posts and you manually keep your WordPress core up-to-date, you can probably block this script. However, popular plugins like Wordfence make use of it to keep an eye on your website and inform you when things need attention.
This is a WordPress core feature which allows users to publish to their WordPress website remotely. This feature has been abused in the past to brute force admin passwords. If you don’t use another program to publish content to your WordPress website, then we believe you should block this script.
This file tells search engines what can and can’t be crawled and indexed from your website, so frequent hits to this file are quite normal. They can, however, be very detrimental to the load on your server if the file doesn’t exist. Why? Because WordPress will then generate a version of this file on the fly, which fires up the entire WordPress core just to serve a very small file. So, if you don’t have a robots.txt file, you may as well block access to it.
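To see what "hundreds or thousands of hits" to these scripts looks like in practice, here is an added example (not the plugin's own code) that counts requests per client IP to the scripts described above in a web server access log and flags sources over a threshold. It assumes the Apache/nginx "combined" log format, that admin-ajax.php lives under /wp-admin/, and an arbitrary threshold of 100 hits; the sample log is constructed inline.

```python
import re
from collections import Counter

# Matches the Apache/nginx "combined" access-log format (assumed), e.g.
# 203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# The scripts discussed on the page; paths are compared after stripping the query string.
WATCHED = {"/wp-login.php", "/xmlrpc.php", "/wp-cron.php", "/wp-admin/admin-ajax.php"}


def parse_line(line):
    """Return (ip, path) for a request to a watched script, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    return (m.group("ip"), path) if path in WATCHED else None


def count_hits(lines):
    """Count requests per (client IP, watched script), skipping unparseable lines."""
    return Counter(hit for hit in map(parse_line, lines) if hit)


def flag_sources(lines, threshold=100):
    """Return [(ip, path, count)] for sources at or above the threshold, busiest first.

    The threshold of 100 is an assumption: a human admin never produces that many
    requests to wp-login.php in one log window, which is the page's point."""
    return sorted(
        ((ip, path, n) for (ip, path), n in count_hits(lines).items() if n >= threshold),
        key=lambda t: -t[2],
    )


def sample_log():
    """Constructed sample log: one source hammering wp-login.php, plus normal traffic."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "{m} {p} HTTP/1.1" {c} 512 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="203.0.113.5", s=i, m="POST", p="/wp-login.php", c=200) for i in range(25)]
    lines.append(fmt.format(ip="198.51.100.7", s=1, m="GET", p="/wp-login.php", c=200))
    lines.append(fmt.format(ip="198.51.100.7", s=2, m="POST", p="/wp-admin/admin-ajax.php?action=heartbeat", c=200))
    lines.append(fmt.format(ip="198.51.100.9", s=3, m="GET", p="/robots.txt", c=200))
    lines.append("garbage line that does not parse")
    return lines
```

Run `flag_sources(open("access.log"))` against a real log with the default threshold; the single legitimate login and the heartbeat request in the sample are counted but never flagged.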