For simplicity and convenience, I use WordPress as the content management service for this site and for my other site at conradhalling.com. The hosting service for each of my sites provides tools that simplify installing and updating WordPress.

A standard WordPress installation has its login page at wp-login.php, and nefarious actors on the web know this and will attempt to log in to and hack WordPress sites via the login page.

For both of my WordPress installations, I am using the free version of a plugin called Limit Login Attempts Reloaded. This plugin records the IP address of a failed login and blocks repeated login attempts. Using the plugin’s settings, a WordPress administrator can limit the number of failed login attempts from a given IP address over a given time interval.

My sites are hobby sites with very low traffic, so I am surprised at the number of attempted logins. I expect that this is all automated using bots, but I’m not curious enough right now to find out these are implemented.

At conradhalling.com, the number of failed attempts is still increasing daily:

On this site, sphaerula.com, the number of failed login attempts peaked a few days ago at more than ninety, and the number has diminished since then:

I am not worried about these login attempts since for both sites I have used long pseudorandom passwords that are effectively unguessable.