… at this WordPress instance.
Quite funny watching the visit statistic going up only for “/wp-login.php”.
Had also some fun watching the silly tries to find the correct password for users like “admin”, “administrator”,”< domain.tld>” or just “< domain>” which all do not exist.
But in the end I decided to stop that statistic spamming with a htpasswd authentication for just wp-login.php, so my stats aren’t filled up with failed loginattempts instead the attacker has to guess the user and the 20 character password of the htpasswd auth first.
Have fun! 😛