18 replies
In the last 24 hours someone or something was trying to gain access by trying to hack into the admin of my site. I have Wordfence (free) set up and all of the plugins up to date.
Wordfence did its job and locked them out; however, now I am a little concerned that maybe my site needs another layer of security.

The question is should I have additional security set up and what would it be?

Thanks
#security #wordpress
  • Profile picture of the author TheMostCreative
    Why not make the admin file a password-protected file?
  • Profile picture of the author RealCasher
    Yeah, adding other layers of security would be fine.

    You can move the wp-config.php file up one directory on your server, which can protect it from any browser attacks.

    And change the permissions on it to 600.
  • Profile picture of the author jay29mcr
    Question: Are you using the latest WordPress update?
    Do you use another name instead of Admin for access to the backend?

    If not, then update and change your username to something other than the overused Admin. Hackers always tried to brute-force with the username Admin to get into WP sites.
  • Profile picture of the author javarog
    jay29mcr, yes, using the latest update, and no, I am not using admin.
    • Profile picture of the author rhinocl
      I would look at this one and see if there aren't additional features missing in Wordfence:
      iThemes Security (formerly Better WP Security)

      Also I would deny access to that IP range if possible. (You don't want to deny NYC but you might feel differently about a small town in the Netherlands or Eastern Europe.)
  • Profile picture of the author megamind22
    Originally Posted by javarog View Post

    In the last 24 hours someone or something was trying to gain access by trying to hack into the admin of my site. I have Wordfence (free) set up and all of the plugins up to date.
    Wordfence did its job and locked them out; however, now I am a little concerned that maybe my site needs another layer of security.

    The question is should I have additional security set up and what would it be?

    Thanks

    Javarog,

    Yes, some extra layers would be necessary to make your WordPress security more secure. Have you added "LOGIN LOCKDOWN"? It is a free security plugin for WordPress. You should have it on your site too.

    Hope that helps.
  • Profile picture of the author javarog
    Wordfence has an option of limiting login attempts along with auto-blocking of IPs trying to use a different admin name than the one that is used. I am not sure if Login Lockdown will work in conjunction with Wordfence. I see that iThemes has some additional features that Wordfence does not have.

    So I'm really not sure which way to go and what to use. Thanks to all of you that replied so far!
  • Profile picture of the author BradCarroll
    Those two options would be good ones to activate on WordPress. I know several developers in the Bentonville (WalMart) area of the world, and they all use and love WordFence. Although moving your directories around is a good idea too (I put my own in "non-standard" file paths).
  • Profile picture of the author Peter Lessard
    If what you are getting at the moment is just failed logins don't panic. Most people simply are not aware that this is going on day in and day out on every site out there. Just do the obvious. Have a username other than Admin, have a brutally difficult password and use the Wordfence "Hardening" option.

    You can't really stop them from trying to login but it won't get them anywhere.

    A much bigger risk is letting plugins get out of date.
    Also you should already have a restore plan in place.
    Assume your site absolutely will be hacked tomorrow and everything will be wiped out.
    Do you have a simple backup/restore procedure in place?
    If not, you should.
    • Profile picture of the author Sid Hale
      Hey Peter,

      I was wondering when/if anyone was ever going to introduce some sanity into this issue.

      Originally Posted by Peter Lessard View Post

      If what you are getting at the moment is just failed logins don't panic. Most people simply are not aware that this is going on day in and day out on every site out there. Just do the obvious. Have a username other than Admin, have a brutally difficult password and use the Wordfence "Hardening" option.

      You can't really stop them from trying to login but it won't get them anywhere.

      A much bigger risk is letting plugins get out of date.
      Also you should already have a restore plan in place.
      Assume your site absolutely will be hacked tomorrow and everything will be wiped out.
      Do you have a simple backup/restore procedure in place?
      If not, you should.

      Just as changing your username to something other than admin insures you against someone being successful logging in under that username... a strong password does, as well.

      I find it laughable that the same people who used to use their wife's name (or something else easily hacked) as their password, now find it critical to alter their admin username. It takes BOTH to successfully log in.

      I guess that as the various WP security plugins encountered more and more competition, they found it necessary to differentiate themselves from one another, and it's gotten to the point of ridiculous.
      • Profile picture of the author curiozities
        With Wordfence, you can block users by specific IP addresses. In the paid version, I believe you can block a whole country, or a range of IP addresses.

        I have Wordfence along with Bulletproof on several of my blogs. They complement each other well. But Bulletproof is more for the technically advanced. If you don't know what you're doing, you could lock yourself out of your own blog (which you can fix by renaming the plug-in folder via FTP).
  • Profile picture of the author javarog
    Thanks everyone for the advice. Yes, I do backups daily.
  • Profile picture of the author astral walker
    Originally Posted by javarog View Post

    In the last 24 hours someone or something was trying to gain access by trying to hack into the admin of my site. I have Wordfence (free) set up and all of the plugins up to date.
    Wordfence did its job and locked them out; however, now I am a little concerned that maybe my site needs another layer of security.

    The question is should I have additional security set up and what would it be?

    Thanks

    This is quite common. Nothing to worry about. Instead of using Wordfence, I would suggest you use Better WP Security (new name: iThemes Security). It has tons of useful options. It will also allow you to hide your WordPress login page. Instead of yourwebsite.com/wp-admin it can be changed to yourwebsite.com/speciallogin, so it will help prevent direct attacks to an extent.

    Contact your host and set proper permissions for all folders.

    Add the following lines in your robots.txt file

    User-agent: *
    Disallow: /cgi-bin/
    Disallow: /wp-admin/
    Disallow: /wp-includes/
    Disallow: /wp-content/
    Disallow: /go/
    Disallow: /archives/
    Disallow: /*?*
    Disallow: /wp-*
    Disallow: /comments/feed/
    Disallow: *?replytocom

    User-agent: Mediapartners-Google*
    Allow: /

    User-agent: Googlebot-Image
    Allow: /wp-content/uploads/

    User-agent: Adsbot-Google
    Allow: /

    User-agent: Googlebot-Mobile
    Allow: /


    Back up your database regularly.
  • Profile picture of the author copywriterco
    You should add a layer of extra security and also try to change the "admin" username if you're using it to something different.
  • Profile picture of the author Slade556
    I second astral walker's opinion! Hiding the obvious login page is a great idea, it should definitely help! Don't stop using the security plugin though.
  • Profile picture of the author javarog
    This turned out to be a really informative thread, you guys are true Warriors. Thank you so much!
  • Profile picture of the author DoubleOhDave
    If you see a steady effort from a particular IP, I like IP-Ban - free from WP and you can ban specific IPs from your site.
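
An added example, not part of any post in this thread and not code from Wordfence, IP-Ban or iThemes Security: one way to see whether failed logins come from a single address or from an address range before deciding what to block. It assumes an Apache/Nginx "combined" access log, IPv4 clients, and stock WordPress behaviour (a failed login returns 200, a successful one redirects with 302); the function names, threshold and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# client, identd, user, [time], "METHOD PATH PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def failed_logins(log_text):
    """Count POSTs to wp-login.php answered with 200, per client IP.

    Assumption: stock WordPress re-renders the form (200) on a failed login
    and redirects (302) on success; a security plugin may change this.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == "200":
            hits[ip] += 1
    return hits

def flag_sources(log_text, threshold=3):
    """Return (ips, nets): single IPs and multi-IP /24 ranges at or over threshold."""
    per_ip = failed_logins(log_text)
    members = defaultdict(set)
    for ip in per_ip:
        try:
            net = ip_network(f"{ip}/24", strict=False)
        except ValueError:
            continue  # log was written with hostnames instead of addresses
        if net.version == 4:
            members[str(net)].add(ip)
    ips = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    nets = sorted(net for net, group in members.items()
                  if len(group) > 1 and sum(per_ip[i] for i in group) >= threshold)
    return ips, nets

def _line(ip, method, status):
    # Constructed sample line (documentation address ranges, made-up timestamp).
    return f'{ip} - - [01/Jan/2015:10:00:00 +0000] "{method} /wp-login.php HTTP/1.1" {status} 512 "-" "-"'

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", 200)] * 4                              # one address hammering the form
    + [_line(f"198.51.100.{h}", "POST", 200) for h in (10, 11, 12)] * 2  # attempts spread over a /24
    + [_line("192.0.2.50", "GET", 200), _line("192.0.2.50", "POST", 302)]  # owner logging in
)

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))
```

A range is reported only when more than one address inside it contributed, so a single noisy IP does not get its whole /24 listed.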
  • Profile picture of the author nizamkhan
    Install iThemes Security and configure all the high priority items, this will make your site/blog more secure.

    - Nizam