Why am I still seeing login attempts even after the IP got blocked?

It’s common to see blocked IP’s making login attempts. They are not a threat, and will fail. 

To stop a malicious login attempt completely, you would need to filter all traffic that goes to your website before it hits your WordPress installation. This is only possible when you use an extra level of software called “reverse proxy”.

With reverse proxy, all requests to your site including login attempts first hit that proxy, and if the proxy is smart enough, it will deny the bad requests and allow the good ones. Then the good requests will hit your website.

There are 2 main problems with reverse proxies:

  1. They are usually not easy to implement and hiring a web developer is required. You will have to give the developer access to your domain management console and/or your hosting account console. Also you will have to install additional WordPress plugins that will make your site compatible with the proxies.
  2. The most popular proxies are generic. They are not dedicated to WordPress exclusively, instead they try to cover all websites. Hence they have much less information to decide whether a request is bad or not, compared to more focused solutions like Limit Login Attempts Reloaded.

A typical WordPress installation doesn’t use a proxy and all requests will reach the website. At this point, the Limit Login Attempts Plugin comes into play. The plugin decides if a request is legit enough to at least let it try to log in, and if it’s not, it stops the attempt right away.

Since all requests get to the site, you see the login attempts in your log even after you blocked the related IPs, usernames or countries. The trick is all of them get denied.

To sum up: there is no comprehensive way to stop the attempts completely without using an extra piece of software called “reverse proxy”, but using the Limit Login Attempts Reloaded plugin can deny bad attempts, they still will show up on your log.