Hi @tooni
Yes that mail will be by AIOS plugin. No it does not necessary your renamed login page exposed. you can cross check in event log stack trace. It might be xmlrpc getUserBlogs
if stop user enumeration is not on It might be the reason your admin username is exposed –
WP Security > Miscellaneous > User enumeration tab check there it is on or not.
XML RPC call of wp_getUsersBlogs is trying to authenticate the user with your exposed admin username
WP Security > Firewall > Basic firewall rules tab > Completely block access to XMLRPC , Disable pingback functionality from XMLRPC Please check both and Save.” – This will decrease your invalid login attempts.
Regards
Thank you for your answer! As you said, I found some getUserBlogs entries in the log files.
According to your suggestion I now disabled the user enumeration and also checked the functions:
Completely block access to XMLRPC and
Disable pingback functionality from XMLRPC
Hopefully this will reduce the attacks.
Thank you very much for your advise.
Best regards, Tooni