Wordfence: “You keep on knockin’ but you can’t come in”

Here’s a little something to listen to while you read this post. It’s appropriate for this post.

Wordfence is effectively blocking attempts to log in using invalid usernames. Refer to the post “WordPress Plugin: Wordfence logging lots of failed login attempts” for further details. However, there’s someone sneaky who is quietly trying to log in using a valid username.

The next step in the security hardening process is to turn 2FA on for the administrator account: Dashboard > Wordfence > Login Security > Two-Factor Authentication.

I scanned the barcode into my authenticator app to add the WordPress account (step 1 in the image) and activated 2FA (step 2). I then downloaded the recovery codes and saved them into my Bitwarden account (remembering to delete the downloaded copy after that). After setting up 2FA, the tab should look like this:

Finally, some tuning of the 2FA settings, as per the above image, so that the device is remembered for 30 days.

EDIT: 2020-09-30

The attacks have recently become a lot more sophisticated.
