Help! Someone's Been Trying to Hack My WP!

Someone has been trying to log in to my WordPress by guessing the password. I've installed plugins to stop login attempts & another different plugin that hides the login page. I also have Sucuri to protect my WP.

Why is this person still able to do login attempts many times to my WP (more than 50 times a day) although I have set the login attempts to 3 times maximum only? Below is the notification I've got from Sucuri:

Subject: Failed Login

Login Info:
Time: July 14, 2015 3:22 am


Website Info:
Site: http://*****.com
IP Address: 123.192.70.92

Notification:
User authentication failed: admin

Please help me. What should I do or what other different plugin should I install to stop this person from login attempts? I've checked the settings at Sucuri & they only have min. 30 login attempts per hour which is NOT good enough for me.

Thanks in advance.
  • samntly
    For security make sure you have iThemes Security plugin. It's very comprehensive and has a ton of great features for free.
    • vema123
      Thanks for your help. Now this hacker has stopped trying to log in to my account.
  • DLycanthus
    Use a secure/different admin username. When you sign up, you are given the option to change the username. You should do that. If you didn't, just create a new user and promote them to administrator privileges, then you can delete the original 'admin' user making it harder to determine which user is actually the admin.

    Having said that, it's still pretty easy to determine the admin name if you have posted some content. Using the default archive which is www.domain.com/author/xxxx (xxxx being the username.)
    So, to fix this, you have to go directly into the phpMyAdmin console and change the username in the user_nicename table.

    Instead of a password like 'mydogsname12345' use something like '1Q4ifsjk99i9daskl'
    Yes, it is nearly impossible to memorize (write it down, keep it on your person) but it's also nearly impossible to hack.

    Update all your plugins and themes instantly, and ASAP. The number one route that hackers will use
    is non-updated software.

    Hide your WordPress version. An extension of the last one. If you're on an outdated version, it's easier to hack you.
    In functions.php add the code: remove_action('wp_head', 'wp_generator');

    So, the top of your file will look like:
    <?php
    // Stop printing the <meta name="generator"> tag, which carries the WordPress version
    remove_action('wp_head', 'wp_generator');
    // ... rest of file ...

    You've already limited number of login attempts so that's good. There's always more you can do to be proactive in keeping hackers at bay. Good luck!
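An added example, not part of the thread and not WordPress's own code: the two site-side points in the post above (the version tag and the author archive that reveals the login slug) handled in one functions.php snippet. It assumes a single-author site that does not need public author archives; the redirect target and status code are choices made for this example.

```php
<?php
/**
 * Added example: hardening snippet for functions.php or a must-use plugin.
 * Assumes a single-author site that does not need public author archives.
 */

// 1. Remove the version from the page head and from RSS/Atom feeds.
//    The meta tag is only one place the version shows up, so updating
//    promptly still matters more than hiding it.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. Close the author-archive username leak.
//    /author/<user_nicename>/ and /?author=<ID> both resolve to an author
//    archive; the second form is normally redirected to the first, which
//    discloses the nicename in the Location header. Priority 1 runs before
//    WordPress's own redirect_canonical (priority 10 on template_redirect).
add_action('template_redirect', function () {
    if (is_author()) {
        // Send every author-archive request to the front page instead.
        wp_safe_redirect(home_url('/'), 302);
        exit;
    }
}, 1);
```

To check it, request /?author=1 while logged out and confirm the response redirects to the front page rather than to an /author/ URL.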
    • vema123
      Thanks for your advice. I always do everything you mentioned above. My username & password are the complicated ones (the combination of capital, small letter, numbers, etc) & I also always hide the WP version.