By default WordPress lets anyone just gather up a list of all the usernames on your server, so of course there's some patient-ass bot out there that gets all the usernames and tries every 15 minutes to break in from different IP addresses. A tortoise brute force approach.

I shouldn't have to download a plugin to fix this. It's basically like the default install tapes a target right onto your back.

@lawremipsum how on earth is wordpress still this awful lmao??? it's almost 20 years old!!

@iosefmann wpf2b can but the docs on how to configure the free version to do it are deliberately obscure. I'm using

@lawremipsum there are a lot of password stuffing bots out there, I even get wp-login.php requests in access logs on my decidedly non-WP server

Sign in to participate in the conversation

A community centered on the Twin Cities of Minneapolis and St. Paul, Minnesota, and their surrounding region. Predominantly queer with a focus on urban and social justice issues.