WP-ADMIN hacking attempts

30 replies
Hi,

Just a heads up.

Be aware that hacking attempts using brute force against the WP-ADMIN login panel are on the rise.

First they use lowercase "admin" and then they try "Admin".

One of my WP sites had almost 300 attempts from 3 locations using both ids.

Other WP sites have probably 20 or so attempts each.

I would advise WP users to change their admin id to something else that is obscure.

There are many WP experts who can guide you.

Also it is wise to update your WP Version, WP Plugins and delete unused plugins. And back-up your WP database before you do anything else.

While waiting for expert advice, you can check out a basic guide I wrote on the WF blog on how to harden your WP protection.

Hope this is useful.
#attempts #hacking #wpadmin
  • Kingfish85 wrote:
    Originally Posted by azmanar View Post

    Hi,

    Just a heads up.

    Be aware that hacking attempts using brute force against the WP-ADMIN login panel are on the rise.

    First they use lowercase "admin" and then they try "Admin".

    One of my WP sites had almost 300 attempts from 3 locations using both ids.

    Other WP sites have probably 20 or so attempts each.

    I would advise WP users to change their admin id to something else that is obscure.

    There are many WP experts who can guide you.

    Also it is wise to update your WP Version, WP Plugins and delete unused plugins. And back-up your WP database before you do anything else.

    While waiting for expert advice, you can check out a basic guide I wrote on the WF blog on how to harden your WP protection.

    Hope this is useful.
    Azman,

    Thanks for posting this. I have also been in touch with CloudFlare on this issue.
    Signature

    |~| VeeroTech Hosting - sales @ veerotech.net
    |~| High Performance CloudLinux & LiteSpeed Powered Web Hosting
    |~| cPanel & WHM - Softaculous - Website Builder - R1Soft - SpamExperts
    |~| Visit us @veerotech Facebook - Twitter - LinkedIn

    • damoncloudflare wrote:
      Originally Posted by Kingfish85 View Post

      Azman,

      Thanks for posting this. I have also been in touch with CloudFlare on this issue.
      It sounds like part of the issue was that an older version of mod_cloudflare was being used & the visitor IP wasn't correct.
  • Geoff101 wrote:
    Install this WordPress › Better WP Security « WordPress Plugins

    Brute force attacks will be a thing of the past.

    The plugin won't even let the hacker make 300 attempts as on your blog. It can block their IP even on the 4th attempt.

    If anyone needs help in configuring this plugin just PM me.
    • Kingfish85 wrote:
      Originally Posted by Geoff101 View Post

      Install this WordPress › Better WP Security « WordPress Plugins

      Brute force attacks will be a thing of the past.

      The plugin won't even let the hacker make 300 attempts as on your blog. It can block their IP even on the 4th attempt.

      If anyone needs help in configuring this plugin just PM me.
      Sorry, this isn't a solution for this issue. Azman didn't mention, but there's a whole list of IP addresses. It is a good idea to have a lockout feature, but when the IP addresses are not all the same, the lockout feature becomes useless.
      • Geoff101 wrote:
        Well I only mentioned ONE way that this plugin blocks hackers.

        It can also hide your admin url to something that only you know.

        Instead of yourdomain.com/wp-admin it turns it into yourdomain.com/xxxxxxx

        If the hacker can't find your sign-in page how will he attack it?



        Originally Posted by Kingfish85 View Post

        Sorry, this isn't a solution for this issue. Azman didn't mention, but there's a whole list of IP addresses. It is a good idea to have a lockout feature, but when the IP addresses are not all the same, the lockout feature becomes useless.
  • sbucciarel wrote:
    I use the plugin Limit Login Attempts. I ban them after the second attempt to login and I ban them for 999 minutes, the maximum you can put in. Solves the problem.
    • cferfland247 wrote:
      Originally Posted by sbucciarel View Post

      I use the plugin Limit Login Attempts. I ban them after the second attempt to login and I ban them for 999 minutes, the maximum you can put in. Solves the problem.
      This is exactly what I do. This way really decreases the risk of my admin account being hacked.
  • contentwriting360 wrote:
    Originally Posted by azmanar View Post

    One of my WP site had almost 300 attempts from 3 locations using both ids. Other WP sites have probably 20 or so attempts each.
    We're just curious. Where do you see those login attempts? Do we need to install a plugin to our WP account to view those login attempts by anyone?
    • ImWendy wrote:
      Originally Posted by contentwriting360 View Post

      We're just curious. Where do you see those login attempts? Do we need to install a plugin to our WP account to view those login attempts by anyone?
      Would like to know this as well. Thanks!
    • azmanar wrote:
      Originally Posted by contentwriting360 View Post

      We're just curious. Where do you see those login attempts? Do we need to install a plugin to our WP account to view those login attempts by anyone?
      Hi,

      I'm using Limit Login Attempts as mentioned by Suzanne and Will. This plugin is also suggested in my WF blog article.

      Whenever anyone tries logging in from the same IP and fails for the 4th time, he will be locked out for a number of hours. And when he attempts again, he will be locked out for more hours. All failed attempts and IPs are logged.

      At the time I'm writing this, there were already 99 lock-outs. If you multiply that by 4, that would already be 396 attempts by now. All done continuously from different IP numbers and different locations.

      I really don't get it, because this web site is not that popular, but it is quite an important one internationally for a very specific and narrow niche. Wondering what the "amazing" thing I did was that made these hackers "love" me so much. lol

      I'm afraid the biggest problem would be when the hackers find a way to crash Limit Login Attempts and voilà! .. I'm done.

      So, I'm very grateful to Brent ( Kingfisher ) from VopaHost for suggesting the htaccess solution. This is another layer of protection for the time being. This site isn't even hosted at Vopahost, yet he gave me a lot of help behind the scenes since yesterday. Selfless Warrior.

      I don't know whether this hacking problem is faced by me alone or by others as well. Still, I hope this share would open some eyes to enhance their WP protection.
      Signature
      === >>> Tomorrow Should Be Better Than Today
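To answer contentwriting360's question about where the attempts are seen, and to show Kingfish85's point that a per-IP lockout misses attempts spread over many addresses, here is an added example (not the thread's code and not Limit Login Attempts): a small must-use plugin that logs each failed login through WordPress's wp_login_failed hook and summarises the log both per IP and per targeted username. The log path, the thresholds and the sample records are constructed assumptions.

```php
<?php
/*
 * Added example, not the thread's code and not Limit Login Attempts.
 * Assumed location: wp-content/mu-plugins/failed-login-log.php
 * Records every failed login, then summarises the log two ways:
 * per-IP counts (all a lockout plugin can act on) and, per username,
 * the number of distinct source IPs (where a distributed campaign shows).
 */

// Assumed log path; keep it outside the web root so it is never served.
const FAILED_LOGIN_LOG = '/var/log/wp/failed-logins.log';

// One record per failure: "<unix ts> <ip> <username>". The username is
// reduced to a single safe token so a crafted name cannot forge a record.
function failed_login_line(int $ts, string $ip, string $user): string {
    $user = preg_replace('/[^\w.@-]/', '_', $user) ?: '_';
    return "$ts $ip $user\n";
}

// WordPress fires wp_login_failed with the submitted username.
if (function_exists('add_action')) {
    add_action('wp_login_failed', function (string $user) {
        $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';  // behind Cloudflare this needs mod_cloudflare
        file_put_contents(FAILED_LOGIN_LOG,
            failed_login_line(time(), $ip, $user), FILE_APPEND | LOCK_EX);
    });
}

// Summarise log text. $retries is the per-IP failure count a lockout
// plugin would act on; $spread is how many distinct IPs on one username
// we treat as a distributed attack.
function summarise(string $log, int $retries = 4, int $spread = 3): array {
    $byIp = [];
    $ipsByUser = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\d+) (\S+) (\S+)$/', $line, $m)) {
            continue;                      // skip malformed records
        }
        $ip = $m[2];
        $user = $m[3];                     // "admin" and "Admin" stay distinct
        $byIp[$ip] = ($byIp[$ip] ?? 0) + 1;
        $ipsByUser[$user][$ip] = true;
    }
    $lockouts = array_filter($byIp, function ($n) use ($retries) {
        return $n >= $retries;
    });
    $distributed = [];
    foreach ($ipsByUser as $user => $ips) {
        if (count($ips) >= $spread) {
            $distributed[$user] = count($ips);
        }
    }
    return ['lockout_candidates' => $lockouts, 'distributed' => $distributed];
}

// Constructed sample: one noisy IP that trips the per-IP threshold, plus
// "admin" probed from several IPs that each stay under it.
const SAMPLE_LOG = "1340272800 198.51.100.4 admin
1340272801 198.51.100.4 admin
1340272803 198.51.100.4 admin
1340272805 198.51.100.4 Admin
1340272900 203.0.113.7 admin
1340273100 192.0.2.88 admin
1340273400 203.0.113.9 admin
1340273500 192.0.2.88 editor
";

// Run the summary over the constructed sample.
function demo(): array {
    return summarise(SAMPLE_LOG);
}
```

In the sample only 198.51.100.4 reaches the per-IP threshold, while "admin" is hit from four different addresses, which is the pattern a per-IP lockout alone never surfaces.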

  • Kingfish85 wrote:
    Using .htaccess to password protect the directory and creating a firewall rule to block the IP of the failed attempt for XX seconds/days/permanent would be the best method. Unfortunately the Wordpress plugins aren't hacker proof. Without server-side/firewall interaction, a seasoned hacker who knows what they're doing isn't going to be stopped by a few plugins. Sure, some of the WP security plugins out there are good, and will stop most script kiddies in their tracks, but it's not the "end all, be all" for securing a site.
  • cashtree wrote:
    All you need to do is edit wp-login.php and add this to the top:

    // Only the listed address may load the login page; everyone else gets an empty response.
    $IP = $_SERVER["REMOTE_ADDR"];
    if ($IP != "YOURIP") {   // replace YOURIP with your own public IP address
        exit;
    }

    Replace "YOURIP" with whatever your IP is, which you can get at whatismyip.com, assuming your IP doesn't change all the time. This way the login page won't even load for anyone who isn't you, and they won't waste your server resources.
    • damoncloudflare wrote:
      Originally Posted by cashtree View Post

      All you need to do is edit wp-login.php and add this to the top:

      Replace "YOURIP" with whatever your IP is, which you can get at whatismyip.com, assuming your IP doesn't change all the time. This way the login page won't even load for anyone who isn't you, and they won't waste your server resources.
      Just a quick note that CloudFlare users would want to have mod_cloudflare installed if they go this route. If you don't have mod_cloudflare running on your server, the IPs will show as ours without the modification to restore original visitor IP.
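Building on cashtree's snippet and damoncloudflare's caveat, here is an added example (not code from the thread or from any plugin) of the same idea as a must-use plugin: an allow-list of addresses and CIDR ranges, a proxy header honoured only when the connection comes from a trusted proxy range, and an explicit 403 instead of a blank page. The addresses, the proxy ranges and the mu-plugins path are assumptions.

```php
<?php
/*
 * Plugin Name: Login IP allow-list
 * Added example, not cashtree's snippet or any plugin's code. Assumed to
 * live in wp-content/mu-plugins/ so a core update cannot overwrite it,
 * unlike an edit to wp-login.php itself.
 */

// Addresses and ranges allowed to reach wp-login.php (constructed placeholders).
const LOGIN_ALLOW = ['203.0.113.7', '198.51.100.0/24'];

// Reverse-proxy ranges whose CF-Connecting-IP header we trust. Placeholder:
// fill in the proxy vendor's published ranges. Without this, as
// damoncloudflare notes, REMOTE_ADDR is the proxy, not the visitor.
const TRUSTED_PROXIES = ['192.0.2.0/24'];

// True if IPv4 $ip lies inside $cidr, given as "a.b.c.d" or "a.b.c.d/n".
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipL  = ip2long($ip);
    $netL = ip2long($net);
    $bits = (int) $bits;
    if ($ipL === false || $netL === false || $bits < 0 || $bits > 32) {
        return false;               // malformed entries never match
    }
    $mask = (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;   // 64-bit PHP assumed
    return ($ipL & $mask) === ($netL & $mask);
}

function ip_in_list(string $ip, array $list): bool {
    foreach ($list as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Resolve the visitor address from a $_SERVER-shaped array. The proxy
// header is honoured only when the TCP peer is one of our trusted proxies;
// otherwise anyone could put an allowed address in the header themselves.
function client_ip(array $server): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    $header = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    if ($header !== '' && ip_in_list($remote, TRUSTED_PROXIES)
        && filter_var($header, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return $header;
    }
    return $remote;
}

function login_allowed(array $server): bool {
    return ip_in_list(client_ip($server), LOGIN_ALLOW);
}

// login_init fires before wp-login.php renders anything.
if (function_exists('add_action')) {
    add_action('login_init', function () {
        if (!login_allowed($_SERVER)) {
            status_header(403);     // explicit 403 rather than a blank 200 page
            exit('Forbidden');
        }
    });
}
```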
  • WebUs wrote:
    Thanks for this. My usual tactic is to not use admin in any variation, period. That in itself will not only keep you safe but piss off those trying to hack it lol.
  • WillR wrote:
    1. You should NEVER name your admin account 'admin'. That's basic Wordpress security 101.

    2. Install a plugin such as 'Limit Login Attempts'
    WordPress › Limit Login Attempts « WordPress Plugins

    3. Sleep safer at night
    • Ellie Days wrote:
      Originally Posted by WillR View Post

      1. You should NEVER name your admin account 'admin'. That's basic Wordpress security 101.

      2. Install a plugin such as 'Limit Login Attempts'
      WordPress › Limit Login Attempts « WordPress Plugins

      3. Sleep safer at night
      Never knew that someone would actually like to hack someone's blog even though there's pretty much nothing in it for them??

      I however have my admin account named 'admin' -___-...
      Could anyone here give me a hand with editing the files in order to change my login name?
      • WillR wrote:
        Originally Posted by Jayne Miracle View Post

        Never knew that someone would actually like to hack someone's blog even though there's pretty much nothing in it for them??

        I however have my admin account named 'admin' -___-...
        Could anyone here give me a hand with editing the files in order to change my login name?
        Jayne,

        Unfortunately people (hackers) will go after anything and everything that has been left vulnerable.

        A lot of these hackers will use tools that basically sit there and keep trying different passwords until they get into your site. Obviously to enter your site they need the correct combination of username AND password. If you just use the standard 'admin' username then you have already solved half the problem for them. All they then need to do is work out the password which makes it a lot easier for them.

        So best practice is to have a nice long and unique username and password. I'm not sure of the exact steps you need to take to change the username. I think I have seen the instructions before so I'm pretty sure it can be done.

        Hopefully someone else can chime in with that information. But just get in the habit from this day forward of always using a unique username for your Wordpress installs... and it can't hurt to install a simple plugin such as 'Limit Login Attempts' as well.
        • Ellie Days wrote:
          Originally Posted by WillR View Post

          Jayne,

          Unfortunately people (hackers) will go after anything and everything that has been left vulnerable.

          A lot of these hackers will use tools that basically sit there and keep trying different passwords until they get into your site. Obviously to enter your site they need the correct combination of username AND password. If you just use the standard 'admin' username then you have already solved half the problem for them. All they then need to do is work out the password which makes it a lot easier for them.

          So best practice is to have a nice long and unique username and password. I'm not sure of the exact steps you need to take to change the username. I think I have seen the instructions before so I'm pretty sure it can be done.

          Hopefully someone else can chime in with that information. But just get in the habit from this day forward of always using a unique username for your Wordpress installs... and it can't hurt to install a simple plugin such as 'Limit Login Attempts' as well.
          Have installed the plugin already )
          But the username still worries me....

          Another thing is that, since all my websites were hacked before, are there any ways to protect my cPanel and FTP?
          • azmanar wrote:
            Originally Posted by Jayne Miracle View Post

            Have installed the plugin already )
            But the username still worries me....

            Another thing is that, since all my websites were hacked before, are there any ways to protect my cPanel and FTP?
            Hi,

            The responsibility for cPanel security lies with the hosting company's security policy implementation as well as your ability to create a strong password for your cPanel.

            1. Strong Password
            A good secure password for CPANEL would have 12 to 14 characters: 3 uppercase letters, 3 lowercase letters, 3 numbers and 3 symbols ( special characters ). That's the minimum. Mix those characters around. Write them down in your password book and place the book in your drawer at home. Memorize it. Don't carry it around.

            2. CPANEL and WP passwords should NEVER be the same.
            If they are ever the same, then this would be a grand feast for hackers. They instantly graduate to the coveted "hijacker" status. Even in a 1 hour period, they can already set up robots to spam and attack people from your web server, before the web host's security policy detects unusual activity.

            Security is also dependent on your own implementation of web-based applications and their related updates. Never leave your applications outdated for long periods of time.

            There is still one more thing neglected by many - the security of the NETWORK they are connected to, whether wired or wireless. Malicious packet sniffers are always around in the networks of hotels, cafes, restaurants, hotspots, offices and libraries. No PC firewall or antivirus can detect them because they don't have to enter your PC. They are in the network to grab data traveling through it.

            They can grab your unencrypted messages, user ids and passwords. So don't be puzzled when hackers break into web sites, web servers and emails. They don't even use brute force method. I have a WF blog article just about this.
      • azmanar wrote:
        Originally Posted by Jayne Miracle View Post

        Never knew that someone would actually like to hack someone's blog even though there's pretty much nothing for them??

        I however have my admin account named as 'admin' -___-...
        anyone here could give me a hand on editing the files in order to change my login name ?


        ..
        Hi.

        There is 1 plugin that can help you change your user id easily. It is called WP Security Scan.

        Otherwise, from your CPanel, click on PHPMyAdmin :
        -> once PHPmyadmin opens, select the right MYSQL database that you use for the particular WP.
        -> then look for table wp_users and click it. ( I'm using a different wp prefix for added security )
        -> at table wp_users, look for column user_login . This is where all the user ids reside.
        -> look for the row having "admin" as the user
        -> click on the edit feature on the row having "admin" user
        -> edit that "admin" ID to something you can remember. No need to change anything else in the row.

        That's all there is to it. Very simple 6 steps.

        If you're not familiar with PHPMyAdmin, get someone you trust who knows it to make the change for you.
      • sprucehill wrote:
        Originally Posted by Jayne Miracle View Post

        Never knew that someone would actually like to hack someone's blog even though there's pretty much nothing for them??

        I however have my admin account named as 'admin' -___-...
        anyone here could give me a hand on editing the files in order to change my login name ?


        ..
        You cannot "change" the admin username directly in WordPress, as far as I know, but you can create a new user (admin) name and delete the old one. This would be the easiest method if you don't want to mess with the PHP, etc.

        1. Log in to your wp blog.
        2. Go to "Users"
        3. Create a new username with "admin" privileges.

        Make it a complicated username with a combination of upper and lowercase letters and numbers. If you use a word that is in the dictionary, add extra letters and numbers at the beginning and end. Also make the password a complicated combination of letters and numbers. Save.

        4. Log out, then log back in with the new username and password.
        5. Go back to "Users". Delete the old "admin" username. Wordpress will ask if you want to assign all posts from the old "admin" username to the new (admin username you just created). Click yes.

        That's all, you're done.

        I use Login Lockdown, which is similar to the above-mentioned plugin. And, I also use the .htaccess method. So far, I have not been hacked, although I have seen some attempts. So I block all those IPs.

        Good luck.
  • contentwriting360 wrote:
    @azmanar: Thank you for taking the time to answer our inquiry. We have just installed Limit Login Attempts WP plugin. Thanks for sharing.
  • williamk wrote:
    Thanks for the heads up. I am using some plugins but I think I will go tweak the options some more.
  • Irwin Dominguez wrote:
    Thanks for starting this post, azmanar. I will definitely install one of these plug-ins on my sites ASAP.
  • Michael Kohler wrote:
    Great post. I wish I had had Limit Login Attempts years ago. Can really kill off your income when your sites go down. Backups are a must! I usually change the "admin" as well. Thanks.
  • Peter Ronue wrote:
    Not really a problem; there are TOO many plugins you can find by simply typing "security" in your plugin search bar (inside the WP back office).
    • Richard Van wrote:
      Originally Posted by Peter Ronue View Post

      Not really a problem; there are TOO many plugins you can find by simply typing "security" in your plugin search bar (inside the WP back office).
      Well I'm glad you're so relaxed about it and you have a nice one stop shop for every eventuality.

      I'm sure no hackers would ever think to take a look at the plugins designed to stop them, by simply typing in "security" to the plugin search bar, as you have.

      Never underestimate hackers. If you think they're not really a problem, you're already underestimating them in a big way.
      Signature

      Wibble, bark, my old man's a mushroom etc...

      • azmanar wrote:
        Hi,

        I just launched an Education niche web site 48 hours ago and already have 16 brute force attempts against WP Admin.

        One static IP belongs to Verio hosting and another static IP to The Planet. Wondering whether the hosting providers ( where the attacks originated from ) are able to detect such malicious activities by their clients, or whether they need to be informed by victims.

        It is getting serious. A lot of hackers seem to be scanning web sites for "admin" id holes.

        I'm about to launch another site the day after tomorrow and this worries me a bit.

        Is anyone else facing the same?
  • daddykool wrote:
    You do not have to install a million plugins, which in some WP sites, actually makes the security worse, not better...

    Just NEVER use an auto installer for your WP installs
    Make sure you ALWAYS use an encrypted / random admin & password combo
    Move your WP admin area to somewhere else on your install

    EG:

    User: !VAu25e*2DokDr
    Pass: y*7ED10JAqvk6xHK8TNabD5g6


    If you are MANUALLY typing in your admin or password... DON'T!

    Use a 256bit AES encoder or Lastpass.com

    If it takes you an extra 30 seconds to get into your WP admin or WP network admin and you know what you are typing/entering with the above example, imagine how long it will take a H4CKER!!!
    Signature
    LAUNCHING VERY SOON > PRE-REGISTER NOW FOR A WSO THAT EVERY WARRIOR NEW & OLD CAN MAKE $$$ FROM! LIMITED PRE-LAUNCH SPACES - PM or email: JVSuperstars@gmx.com TO RESERVE A PLACE & LOCK IN A SUPER LOW LIFETIME PRICE! *** NEVER TO BE REPEATED PRICE ONLY AVAILABLE ON THE WARRIOR FORUM & OUR VERIFIED JV AFFILIATE PROVIDERS! ***
  • tjp33 wrote:
    Hey gang, what about when we initially put in our username and password and Google Chrome asks us the following with the pop-up menu ==> "Do you want Google Chrome to save your password? [Save Password] -or- [Never for this site]".

    What should we do in this case? Is it safe to permanently save the password with google chrome?