What is the best way to handle these wordpress website attacks?

by Laksh
6 replies
Hey Guys ...

What can be done if someone is trying to attack/hack your website?

I've got around 17 emails back to back indicating that someone is trying to log in to my admin area for one of my websites. The good thing is that the 'Wordfence' security plugin (free version) kept blocking them from getting in.

Is there something we can do .... while we know someone is trying to attack/hack our website?

I called up my hosting service, but they do not seem to have any action plan, unless it is an attack that they see from server side.

I received all 17 emails within a span of 30 minutes from different geographical locations, so I am sure this is being done using a software/program ... Is there something we can do when we know about such attacks live??
#attacks #handle #website #wordpress
  • agmccall
    Seems like you are already doing it with Wordfence. Maybe instead of the free version you should upgrade.

    al

    Broken promises don't upset me. I just think, why did they believe me?
    ~Jack Handey~

  • Laksh
    After some more research and discussions .. here are a couple of solutions I received. I am writing them down here to help anyone else searching for a solution to a similar issue.

    1. Setting up a secondary log in page.

    [You can add another layer of protection by password protecting your wp-login.php file. That means the hackers will need to guess through two layers of authentication. There is now a popup prompt, and if they pass the first layer, then they will need to guess the second one on the wp-login.php page.

    To add this additional security, do the following:

    1. Create a file named .wpadmin (note the period) and upload it to your home directory (not your content directory, which is accessible by everyone).

    cPanel home directory: /home/username/ (where "username" is the cPanel username for the account).
    Plesk home directory: /var/www/vhosts or /var/www/vhosts/domain

    Open a new browser and type http://www.htaccesstools.com/htpasswd-generator/ and enter your username and password.

    Copy the content to the .wpadmin file.

    For example, my output is:

    test:$apr1$I61WuXBN$m3cA7inkvzVO8fgnTU8GX/

    Then upload the file using ftp client or cPanel file manager.

    2. Update the .htaccess file

    Under your publicly accessible content directory (/home/username/public_html), there is a .htaccess file. Edit the file and add the following to the bottom:

    ErrorDocument 401 "Unauthorized Access"
    ErrorDocument 403 "Forbidden"
    <FilesMatch "wp-login.php">
    AuthName "Authorized Only"
    AuthType Basic
    AuthUserFile /home/username/.wpadmin
    require valid-user
    </FilesMatch>

    Note: replace username with your actual cPanel 'username']

    2. Hiding the wp-admin page
    [Install and configure wordpress hide login. Use a unique name no one can ever guess. Symbols work best, but make sure it is a name you can remember, because you'll be locked out of your site if you don't.]

    3. Hiding the admin page using a wordpress plugin. Eg: wp lockdown plugin
    • nicheblogger75
      Originally Posted by Laksh: [the post above, quoted in full]
      I do this and I highly recommend that everyone do it.

      It will take 20 minutes of your time but the security layer you add will be priceless.

      Also, the free version of WordFence is all you need.

      Make sure you use the IP blocking feature in Wordfence and block the IP of the person that is trying to log into your site.

      Also, you can lower the login lockout settings on Wordfence.

      For instance, you can set it to lock the person out from trying to login after let's say, 5 failed attempts.

      I had a lot of problems with people trying to get into my WP blogs before I did these two things. Pretty much stopped it cold.

      Also, make sure you never use "Admin" as a user name because that's the first one they try, and it's usually correct.

      As for a password for your site, make it a 12-15 character password that uses numbers, lowercase and capital letters, and symbols.
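The two pieces of advice above, locking a source out after a set number of failed attempts and noticing a burst of attempts spread over many addresses (the original poster's 17 emails in 30 minutes), can be checked against the server's own access log. The script below is an added example and not code from the thread, from Wordfence, or from any plugin named here. It assumes Apache combined-format access logs, that a failed WordPress login is a POST to /wp-login.php answered with HTTP 200 (the form re-rendered with an error) and a successful one is answered with a 302 redirect; the log lines, thresholds and IP addresses are constructed for illustration.

```python
"""Added example (not from the thread): a defender-side failed-login lockout
and burst detector for wp-login.php.

Assumptions (not stated on the page): Apache combined-format access logs; a
failed WordPress login is a POST to /wp-login.php answered with 200, a
successful one with a 302 redirect. Sample lines and thresholds are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real traffic). 203.0.113.5 hammers the
# login form; 198.51.100.7 fails twice and then succeeds; two further
# addresses fail once each; one GET and one 403 are there to be ignored.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2017:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [10/Apr/2017:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [10/Apr/2017:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [10/Apr/2017:10:01:14 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [10/Apr/2017:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [10/Apr/2017:10:01:27 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.7 - - [10/Apr/2017:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.7 - - [10/Apr/2017:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.7 - - [10/Apr/2017:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.200 - - [10/Apr/2017:10:08:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3980
192.0.2.44 - - [10/Apr/2017:10:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
192.0.2.45 - - [10/Apr/2017:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
192.0.2.46 - - [10/Apr/2017:10:16:00 +0000] "POST /wp-login.php HTTP/1.1" 403 199
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def failed_login_attempts(log_text):
    """Return [(timestamp, ip)] for every POST to /wp-login.php answered with 200."""
    attempts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?")[0] == "/wp-login.php"
                and rec["status"] == 200):
            attempts.append((rec["ts"], rec["ip"]))
    return attempts


def lockouts(attempts, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: lockout_time}: when each IP reached `threshold` failures
    inside a sliding `window`. Attempts after a lockout are ignored, as they
    would be once a plugin blocks that address."""
    recent = defaultdict(list)
    locked = {}
    for ts, ip in sorted(attempts):
        if ip in locked:
            continue
        times = recent[ip]
        times.append(ts)
        while ts - times[0] > window:  # expire attempts that fell out of the window
            times.pop(0)
        if len(times) >= threshold:
            locked[ip] = ts
    return locked


def distributed_burst(attempts, window=timedelta(minutes=30), min_ips=3):
    """Return the distinct source IPs seen in the busiest `window`, or an empty
    set if no window reaches `min_ips` sources. This catches the pattern in the
    original post: attempts spread across addresses that individually never
    trip the per-IP lockout."""
    attempts = sorted(attempts)
    busiest = set()
    for i, (start, _) in enumerate(attempts):
        ips = {ip for ts, ip in attempts[i:] if ts - start <= window}
        if len(ips) > len(busiest):
            busiest = ips
    return busiest if len(busiest) >= min_ips else set()


if __name__ == "__main__":
    failed = failed_login_attempts(SAMPLE_LOG)
    print(f"{len(failed)} failed logins")
    for ip, when in lockouts(failed).items():
        print(f"lock out {ip} at {when:%H:%M:%S}")
    spread = distributed_burst(failed)
    if spread:
        print("distributed attempt from", ", ".join(sorted(spread)))
```

On the sample, 203.0.113.5 is locked out at its fifth failure (10:01:20) and the sixth is ignored, 198.51.100.7 never reaches the threshold, and the 30-minute window still flags four distinct sources. If the site sits behind a CDN or reverse proxy, the first log field is the proxy's address, not the visitor's, so the real client IP must be restored (for example from X-Forwarded-For via mod_remoteip) before counting, otherwise a lockout would block the proxy for everyone.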
    • kreddington
      To assist with the above great suggestions, I install iThemes Security (free version) on all my clients' websites. It has a bunch of great settings you can enable for security reasons to make it more complicated for hackers to figure out how to get in. It also includes a malware scanner and a password generator that creates a very strong password.
  • GlobalTrader
    Wordfence, IMHO, is the best resource for blocking these attackers I have found...although I still have several other security plugins in place that were implemented prior to using Wordfence.

    IRT the constant notifications, I believe there is a setting that will give you a weekly summary, and in reality, why do you need immediate notifications? Once a week is sufficient to see the bad actors, IP addresses, and other nefarious attempts at getting into the website.

    The techniques you outline are also excellent for everyone to implement as these add further layers of protection in addition to those Wordfence provides.

    GlobalTrader

  • Brent Stangel
    Install a Captcha and it will stop instantly.
    Get Off The Warrior Forum Now & Don't Come Back If You Want To Succeed!
    All The Real Marketers Are Gone. There's Nothing Left But Weak, Sniveling Wanna-Bees!