Here is my problem, i added next code to my htaccess file how i can limit access to wp-login.php file (wordpress):
ErrorDocument 401 default
# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Deny from all
# Protect wp-login
AuthName "Private access"
require user YYYYYYY
Now when i try to access login page i have classic pop up window asking me for username and password and without correct info the login page will not load. Frankly however i try to login regardless of what url i'm using (or links) i will always be prompted with popup window asking for login. Still my log file show decent amount of failed login attempts on wordpress. Its happening on two wordpress sites each hosted on separate virtual server. To exclude wordpress both sites have only 4 inactive plugins and two different themes (premium, payed) all updated and no content of any kind. Actually its fresh install.
Now i want to know how is possible for bots to evade htaccess and go directly to login page.
From apache conf:
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
and its same for both virtual server.
I feel stupid at this point to stuck with htaccess but whatever i try i could not find any solution. I cant access the login page if i dont put correct username and psw but bots can. Now i'm not sure but maybe this could help:
before i changed htaccess both sites had a flood of bots trying to connect
after the change (before 4-5 days) site1 didnt have any attempts while site2 continue to have but looks like at reduced number, not sure
htaccess is exactly the same for both domains excluding the part where i need to insert domain name into htaccess code
all settings for both virtual servers looks same and they should be
Well i'm stuck, any help would be welcome.