My website has recently come under attack by a wave of spam user accounts. My website uses a custom login that forces users to use their email address as their username; however, the spam users all have regular usernames, so I am assuming they are running a script which sends POST requests to /wp-login.php.
It is not enough to remove this page; I need to disable the ability to make user accounts via POST requests to this page, as I'm pretty sure the spammers are using software and not hand-crafting these accounts.
Lastly, I need to disable /wp-admin/profile.php, as I believe they are creating accounts to insert back-links into their profiles.
How would I go about doing this?
I realised this is probably better dealt with by the server; I ended up putting the following in a .htaccess:

This prevents any requests to those pages and forces users to use my custom login and registration pages.
Edit: I don't think I made this clear, and I do not recommend this solution to most WordPress users.
I have a custom user registration, login and profile system. These do not extend the default WordPress ones but are completely stand-alone and do not require access to these pages, as all logic and requests are handled by the system itself and not passed on (however, they do use WordPress functions and the default user table in the WordPress database).
This is not the same as, say, a plugin which provides a custom login page just to change the theme but actually sends POST requests back to wp-login.php, as this would break under my solution.
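A concrete .htaccess in the spirit of the answer above, added here as an illustration and not the poster's own file. It assumes Apache 2.4 with mod_rewrite loaded and AllowOverride permitting these directives in the WordPress document root, and that a fully stand-alone login, registration and profile system is in place, as the answer describes.

```apache
# Added example, not the poster's configuration.
# Deny every request (GET and scripted POST alike) to the core login/registration
# endpoint and to the profile editor, so only the site's own stand-alone
# registration, login and profile pages remain reachable.
# Assumes Apache 2.4+, mod_rewrite enabled, AllowOverride FileInfo in this directory.
RewriteEngine On
RewriteBase /

# /wp-login.php handles login, registration and password reset in core WordPress;
# a 403 here stops scripted account creation without touching the rest of the site.
RewriteCond %{REQUEST_URI} ^/wp-login\.php$ [NC]
RewriteRule ^ - [F,L]

# /wp-admin/profile.php is the page where a logged-in account would add
# website and bio fields (the back-links the question mentions).
RewriteCond %{REQUEST_URI} ^/wp-admin/profile\.php$ [NC]
RewriteRule ^ - [F,L]
```

Verify from the shell with `curl -s -o /dev/null -w '%{http_code}\n' -X POST https://your-site.example/wp-login.php`, which should print 403 once the rules are in effect; a normal page such as `/` should still return 200.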