A simple way of deflecting brute-force attacks is to require an additional password to access the WordPress login screen. Lots of security plugins will do this for you, but again, sometimes it’s better to DIY.
I put a .htaccess file in the wp-admin directory and that almost completely worked, but mystifyingly, and irritatingly, there would be regular failed login attempts. Not very often. About very 20 minutes or so. But I was irked (I tell you), as I couldn’t work out why they were happening.
And then more alarmingly, immediately the same thing on a new test user I set up a few minutes later. Of course, just because frustratingly I can’t work out how the attacker extracts the new WP username immediately doesn’t mean it ain’t happening. But the attack vector, so to speak, was the xmlrpc.php file.
Several ways to tackle this, and initially I used a security plugin to fix it. But given the choice, I’d rather do things like this manually so I have a better idea what’s going on, and maybe learn something too.
Migrating WP blog to my VM. New install of WordPress. Test posts with Guttenberg (Block) Editor. Following error:
Publishing failed. Error message: The response is not a valid JSON response.
An interesting rabbit hole. Lots of searches rightly suggested that using the classic editor would get round the problem. Or that by changing the permalinks settings to Plain would fix it. It did, but not much help if you want your permalink settings set to something else.
Eventually I discovered that the issue for me was with the .htaccess file not being processed, which was fixed by adding something along the lines of
Options Indexes FollowSymLinks
Require all granted
to the /etc/apache2/apache2.conf file (on Debian Buster). This worked for me, but I get the impression it’s better practice to edit the files in /etc/apache2/sites-available instead for any local code in case apache2.conf gets overwritten on an upgrade. Probably also need to do a:
systemctl restart apache2
So for me the cause of the error message was quite obscure. Useful link: