40 {{ upvoteCount | shortNum }}
40 {{ upvoteCount | shortNum }}

Website Security [Wordpress Users Must Read]

by Isaiah Jackson
33 replies
Hey, Warriors it's Isaiah Jackson -

and I was just browsing my email, you know trying
to get to the famous "inbox zero" and found something
pretty damn interesting to say the least

In the last 12 hours there have been 15 attempts
to login to my website.

Yes 15 attempts, all of which failed miserably

And I only know this because of this Wordpress plugin
that I have installed on my site.

Its called WordFence (which you can get here)

No worries its not an affiliate link

Once I've set this up, I've been notified of all attempts
to login to my website including my own (which is cool I guess)

So go download WordFence and protect your
Wordpress website

Talk soon,

Isaiah Jackson
#read #security #users #website #wordpress
  • Profile picture of the author Slapshot
    Thanks for the heads up!
    {{ DiscussionBoard.errors[9098990].message }}
    • Profile picture of the author MeiGal
      Thanks, excellent Info!
      {{ DiscussionBoard.errors[9099014].message }}
  • Profile picture of the author Cyberkntsean
    Originally Posted by Isaiah Jackson View Post

    the famous "inbox zero"
    it's a myth .. never going to happen..
    {{ DiscussionBoard.errors[9099051].message }}
  • Profile picture of the author Mr Bill
    LOVE LOVE LOVE Wordfence! I agree, download it now.
    {{ DiscussionBoard.errors[9099063].message }}
    • Profile picture of the author Isaiah Jackson
      Originally Posted by Slapshot View Post

      Thanks for the heads up!
      Your welcome

      Originally Posted by MeiGal View Post

      Thanks, excellent Info!
      Your welcome

      Originally Posted by Cyberkntsean View Post

      it's a myth .. never going to happen..
      Its happened a few times today, but I rarely get to keep it that way for too long lol

      Originally Posted by Mr Bill View Post

      LOVE LOVE LOVE Wordfence! I agree, download it now.
      YES! It works wonders doesn't it? Its like the first plugin I install on any Wordpress site now.
      Signature
      Send Emails, Get Paid - My business summarized in four words. For the how-to go here
      {{ DiscussionBoard.errors[9099198].message }}
  • Profile picture of the author CSmitty
    It tells you if someone tries to log into your website? If you see you had so many failed attempts, what do you do about it after you get that information?
    {{ DiscussionBoard.errors[9099085].message }}
    • Profile picture of the author Cyberkntsean
      Originally Posted by CSmitty View Post

      It tells you if someone tries to log into your website? If you see you had so many failed attempts, what do you do about it after you get that information?

      You can put the offending IP Address into myip.ms and see what ISP
      ownes the address block.

      You then send a screenshot of the offending IP Address to their abuse@whateverISP and tell
      them if they would kindly get their client to stop trying to hack you.

      Don't worry about translating your message into whatever language the ISP happens
      to be in, once they see your screenshot they will translate it.

      I have successfully done this 5 times for different countries, three of the ISP's
      sent me back a message stating that the problem was dealt with..
      ---
      Why did I go this route.. well, when you see a gazillion attempts.. you get a little pissed..
      {{ DiscussionBoard.errors[9099172].message }}
      • Profile picture of the author Amelle
        This is really useful information, thanks. I had someone from the same IP address once that was trying to hack into my site for about two weeks consistently, every single day. If I had known where to report it to, I would have done.

        I have bookmarked that site and will do as you recommended next time I get a persistent hacker.

        Thanks a lot.


        Originally Posted by Cyberkntsean View Post

        You can put the offending IP Address into myip.ms and see what ISP
        ownes the address block.

        You then send a screenshot of the offending IP Address to their abuse@whateverISP and tell
        them if they would kindly get their client to stop trying to hack you.

        Don't worry about translating your message into whatever language the ISP happens
        to be in, once they see your screenshot they will translate it.

        I have successfully done this 5 times for different countries, three of the ISP's
        sent me back a message stating that the problem was dealt with..
        ---
        Why did I go this route.. well, when you see a gazillion attempts.. you get a little pissed..
        {{ DiscussionBoard.errors[9101479].message }}
    • Profile picture of the author Isaiah Jackson
      Originally Posted by CSmitty View Post

      It tells you if someone tries to log into your website? If you see you had so many failed attempts, what do you do about it after you get that information?
      It blocks the user who is trying to login actually.

      So I really don't have to do anything
      Signature
      Send Emails, Get Paid - My business summarized in four words. For the how-to go here
      {{ DiscussionBoard.errors[9099193].message }}
    • Profile picture of the author spearce000
      Originally Posted by CSmitty View Post

      It tells you if someone tries to log into your website? If you see you had so many failed attempts, what do you do about it after you get that information?
      Contact the ISP like @Cyberkntsean says, or you can blacklist them in Cpanel.

      Restricting access wp-admin.php can also eliminate this problem.
      {{ DiscussionBoard.errors[9099860].message }}
  • Profile picture of the author Mr Bill
    If they're failing to log in it's done it's job and just letting you know that it did it's job. You can set it to notify you not only of failed attempts but also if anyone logs in as admin or non-admin. I use this to check on techs to see when they logged into my site to do their work but I've also been notified of failed attempts. You can set how many failed attempts before they're logged out completely for as long as you want.
    {{ DiscussionBoard.errors[9099090].message }}
  • Profile picture of the author JasonLD
    Originally Posted by Isaiah Jackson View Post

    Hey, Warriors it's Isaiah Jackson -

    and I was just browsing my email, you know trying
    to get to the famous "inbox zero"
    What does the "inbox zero" refer to? I have a Wordpress site that I'm learning to use now. Not to farmiliar with it yet.
    {{ DiscussionBoard.errors[9099213].message }}
    • Profile picture of the author Mr Bill
      Originally Posted by JasonLD View Post

      What does the "inbox zero" refer to?
      No unopened emails to read.
      {{ DiscussionBoard.errors[9099215].message }}
  • Profile picture of the author JackCronfield
    You can also use the Limit Login Attempts plugin which is completely free and will allow you to block ips after certain umber of failed login attempts
    {{ DiscussionBoard.errors[9099246].message }}
  • Profile picture of the author Mr Bill
    It also tells you when your plugins need updating which is handy. I then go to my MainWP plugin (which controls all my blogs - also free) and I update them all at once with on click. Those two free plugins have made a massive difference to my productivity and released many hours I previously spent upgrading every site manually.

    Highly recommended!
    {{ DiscussionBoard.errors[9099251].message }}
  • Profile picture of the author ron200
    My host had a message posted with some security steps. The easiest and best is probably this one:

    1. Limit Access to wp-admin by IP

    If you are the only person who needs to login to your Admin area and you have a fixed IP address, you can deny wp-admin access to everyone but yourself via an .htaccess file.

    Create a file called .htaccess or simply edit the existing one (if any) in the /wp-admin folder and add:

    # Block access to wp-admin.
    order allow,deny
    allow from x.x.x.x
    deny from all

    Where x.x.x.x is your IP address. You can add multiple IP addresses by adding the line: allow from x.x.x.x as many times as IPs you wish to whitelist.
    Signature
    Affordable Vacation Packages - Hotel, Air, Car, Cruise, Sports and Concerts Best Prices Around
    {{ DiscussionBoard.errors[9099254].message }}
  • Profile picture of the author Mr Bill
    Good one!

    I'm not a fixed IP with my ISP but they do offer one which might be handy. My IP resets every time I switch on my router but there's nothing stopping me from allowing no one and when I need access I can look up my current IP, edit the .htaccess file, do my work then remove my IP. A small price to pay for what seems like a very strong security measure.

    Just to be clear, to add multiple IPs it would look like this?

    # Block access to wp-admin.
    order allow,deny
    allow from x.x.x.x
    allow from x.x.x.x
    allow from x.x.x.x
    allow from x.x.x.x
    allow from x.x.x.x
    deny from all
    {{ DiscussionBoard.errors[9099262].message }}
  • Profile picture of the author ron200
    I just now added the above but looked at the mod security feature on my host and this IP
    37.9.53.109
    Tried to access 550 times in 8 minutes! Lucky he was auto blocked after the 1st 15 times.
    This was 4 days ago.

    I believe that is right Bill.
    Signature
    Affordable Vacation Packages - Hotel, Air, Car, Cruise, Sports and Concerts Best Prices Around
    {{ DiscussionBoard.errors[9099286].message }}
  • Profile picture of the author ron200
    I just tested this out and I can't even get in. woops. lol
    either I did something wrong or that doesn't work.
    Signature
    Affordable Vacation Packages - Hotel, Air, Car, Cruise, Sports and Concerts Best Prices Around
    {{ DiscussionBoard.errors[9099304].message }}
    • Profile picture of the author Wayne
      Originally Posted by ron200 View Post

      I just tested this out and I can't even get in. woops. lol
      either I did something wrong or that doesn't work.
      Same thing happened to me. Then I changed the first line to
      order deny,allow
      instead of
      order allow,deny
      and it works.

      # Block access to wp-admin.
      order deny,allow
      allow from xx.xxx.xx.xx
      deny from all
      {{ DiscussionBoard.errors[9100141].message }}
  • Profile picture of the author vikash_kumar
    Thanks Isaiah for sharing your experience with WordPress Security and emphasizing that why it is important to make the job of a hacker harder than ever.

    No online software or system in the world of internet is fully secure as many people who are living in negative world are continuously trying to disturb the normal flow of working.
    Hence, It is very important to have all possible loop closed when it comes to access to WordPress Database as well as content.

    Well done!
    Signature
    {{ DiscussionBoard.errors[9099848].message }}
  • Profile picture of the author Nick981
    Thanks, must try! Now often started to crack sites.
    {{ DiscussionBoard.errors[9099908].message }}
  • Profile picture of the author Rus Sells
    One of the BEST ways to keep a WP site from being hacked.

    After installation create a new user, use a user name that's not common. You could even make it passwordy. Include numbers, symbols, capital letters.

    Give the new user administrator rights and save your new user.

    Then log out and log back in under the new user account and DELETE the user ADMIN.

    There safe and very secure.

    Why? Because hackers need two things. A user name and a password.

    They look for common user names and the most common is ADMIN and so if you have admin you've done 50% of the work for them.
    Signature
    {{ DiscussionBoard.errors[9100014].message }}
  • Profile picture of the author cheehien
    Really?? Good info. Thanks
    Signature

    Affiliate templates are not allowed.

    {{ DiscussionBoard.errors[9100150].message }}
  • Profile picture of the author Omar White
    When it comes to Wordpress Security you need to Install the following :

    All In One WP Security

    iThemes Security

    Wordfence Security

    Install them and Watch Hackers Fail!

    Enjoy...

    - Oliver
    Signature

    Resource Blog for Beginner Entrepreneurs - OmarWhite.com

    {{ DiscussionBoard.errors[9100187].message }}
  • Profile picture of the author noomkung
    many thank
    {{ DiscussionBoard.errors[9101160].message }}
  • Profile picture of the author Brent Stangel
    I had this happening every day. I installed a Captcha and it stopped completely. Also stopped all the bot signups.
    Signature
    Get Off The Warrior Forum Now & Don't Come Back If You Want To Succeed!
    All The Real Marketers Are Gone. There's Nothing Left But Weak, Sniveling Wanna-Bees!
    {{ DiscussionBoard.errors[9101430].message }}
  • Profile picture of the author vishwa
    Thanks! Man For this Info. Yeah Wordfence is best wordpress security plugin. I already used it for my blog.
    Signature
    Techbizmasters.com- Blogging, Technology, and Digital Marketing
    {{ DiscussionBoard.errors[9101591].message }}
  • Profile picture of the author allanjhn
    Thanks nice
    Signature

    The Technology Master

    {{ DiscussionBoard.errors[9101621].message }}
    • Profile picture of the author Simpilot938
      How do you get round the SQL hacks? I had a batch of attacks about half a year ago where every user had their password changed and the home page changed to some hacker support message in Arabic!

      The first time it happened it took a couple of hours to sort, though I got it down to 25 minutes after the 5th. TF for backups!

      It was after that when I installed Wordfence and changed the Administrator username that things calmed down but it was a bad couple of weeks. I've also changed hosts since then and the SQL server is different to the web hosting server.

      I'd still like to make the MySQL side a bit more secure though.
      Signature

      Steven Lucas, Willing to teach. Always Learning.
      Free Traffic System

      {{ DiscussionBoard.errors[9101639].message }}
      • Profile picture of the author dcushion
        Can you use Fantastico for installation and then use Wordfence to make it secure?

        Or would you still be better off to do a manual installation first?

        In other words, does Wordfence correct all the security issues that Fantastico has?

        Thanks.
        {{ DiscussionBoard.errors[9127512].message }}

Trending Topics