What is the best way to handle these wordpress website attacks?

by Laksh

Posted: 9 years ago 6 replies

INTERNET MARKETING

Hey Guys ...

What can be done if someone is trying to attack/hack your website?

I've got around 17 Emails back 2 back indicating that some one is trying to log in to my admin area for one of my websites. Good thing is 'Wordfence' security plugin (free version) kept on blocking them from getting in.

Is there something we can do .... while we are knowing someone is trying to attack/hack our website?

I called up my hosting service, but they do not seem to have any action plan, unless it is an attack that they see from server side.

I received all 17 emails with in a span of 30mins from different geographical locations, so i am sure this is being done using a software/program ... Is there something we can do when you are knowing about such attacks live ??

#attacks #handle #website #wordpress

agmccall 9 years ago

Seems like you are already doing it with wordfence. Maybe instead of the free version you should upgrade

al
- Thanks
Signature

"Opportunity is missed by most people because it is dressed in overalls and looks like work." Thomas Edison
{{ DiscussionBoard.errors[11060135].message }}

Laksh

9 years ago

After some more research and discussions .. Here are couple of solutions i received. I am writing them down here to help any one else searching for solution to a similar issue.

1. Setting up a secondary log in page.

[You can add another layer of protection by password protecting your wp-login.php file. That means the hackers will need to guess through two layers of authentication. There is now a popup prompt and if they pass the first layer, then they will need to guess the second one with thewp-login.php page.

To add this additional security, do the following:

1. Create a file named .wpadmin (note the period) and upload to your home directory (not your content directory which is accessible by everyone)

cPanel home directory: /home/username/ (where "username" is the cPanel username for the account.
Plesk home directory: /var/www/vhosts or /var/www/vhosts/domain

Open a new browser and type http://www.htaccesstools.com/htpasswd-generator/ and enter your username and password.

Copy the content to the .wpadmin file.

For example, my output is:

test:$apr1$I61WuXBN$m3cA7inkvzVO8fgnTU8GX/

Then upload the file using ftp client or cPanel file manager.

2. Update the .htaccess file

Under your publicly accessible content directory (/home/username/public_html), there is a .htaccess file. Edit the file and add the following to the bottom:

ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user
</FilesMatch>

Note: replace username with your actual cPanel 'username']

2. Hiding the wp-admin page
[Install and configure wordpress hide login. Use a unique name no one can ever guess. symbols work best, but make sure it is a name you can remember because you'll be locked out of your site if you dont]

3. Hiding the admin page using a wordpress plugin. Eg: wp lockdown plugin

[ 1 ] Thanks
2 replies

Signature

Setup Profitable Bing Ads PPC Campaigns | Get FREE Traffic from Youtube

{{ DiscussionBoard.errors[11060998].message }}

nicheblogger75

9 years ago

Originally Posted by Laksh

After some more research and discussions .. Here are couple of solutions i received. I am writing them down here to help any one else searching for solution to a similar issue.

1. Setting up a secondary log in page.

[You can add another layer of protection by password protecting your wp-login.php file. That means the hackers will need to guess through two layers of authentication. There is now a popup prompt and if they pass the first layer, then they will need to guess the second one with thewp-login.php page.

To add this additional security, do the following:

1. Create a file named .wpadmin (note the period) and upload to your home directory (not your content directory which is accessible by everyone)

cPanel home directory: /home/username/ (where €œusername€ is the cPanel username for the account.
Plesk home directory: /var/www/vhosts or /var/www/vhosts/domain

Open a new browser and type Htpasswd Generator – Create htpasswd - Htaccess Tools and enter your username and password.

Copy the content to the .wpadmin file.

For example, my output is:

test:/

Then upload the file using ftp client or cPanel file manager.

2. Update the .htaccess file

Under your publicly accessible content directory (/home/username/public_html), there is a .htaccess file. Edit the file and add the following to the bottom:

ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user
</FilesMatch>

Note: replace username with your actual cPanel 'username']

2. Hiding the wp-admin page
[Install and configure wordpress hide login. Use a unique name no one can ever guess. symbols work best, but make sure it is a name you can remember because you'll be locked out of your site if you dont]

3. Hiding the admin page using a wordpress plugin. Eg: wp lockdown plugin

I do this and I highly recommend that everyone do it.

It will take 20 minutes of your time but the security layer you add will be priceless.

Also, the free version of WordFence is all you need.

Make sure you use the IP blocking feature in Wordfence and block the IP of the person that is trying to log into your site.

Also, you can lower the login lockout settings on Wordfence.

For instance, you can set it to lock the person out from trying to login after let's say, 5 failed attempts.

I had a lot of problems with people trying to get into my WP blogs before I did these two things. Pretty much stopped it cold.

Also, make sure you never use "Admin" as a user name because that's the first one they try, and it's usually correct.

As for a password for your site, make it a 12-15 character password that uses numbers, lowercase and capital letters, and symbols.

[ 1 ] Thanks

Signature

FREE YouTube Marketing Playbook Video Course (20 Videos)

{{ DiscussionBoard.errors[11061231].message }}

kreddington 9 years ago

To assist with the above great suggestions, I install iThemes Security (free version) on all my client's websites. It has a bunch of great settings you can enable for security reasons to make it more complicated for hackers to figure out how to get in. It also includes a MalWare scanner and password generator that creates a very strong password.
- [ 1 ] Thanks
{{ DiscussionBoard.errors[11061503].message }}

GlobalTrader 9 years ago

Wordfence, IMHO, is the best resource for blocking these attackers I have found...although I still have several other security plugins in place that were implemented prior to using Wordfence.

IRT to the constant notifications, I believe there is a setting that will give you a weekly summary and in reality, why do you need immediate notifications? Once a week is sufficient to see the bad actors, IP addresses, and other nefarious attempts at getting into website.

The techniques you outline are also excellent for everyone to implement as these add further layers of protection in addition to those Wordfence provides.
- [ 1 ] Thanks
Signature

GlobalTrader
{{ DiscussionBoard.errors[11061578].message }}
Brent Stangel 9 years ago

Install a Captcha and it will stop instantly.
- [ 1 ] Thanks
Signature
Get Off The Warrior Forum Now & Don't Come Back If You Want To Succeed!
All The Real Marketers Are Gone. There's Nothing Left But Weak, Sniveling Wanna-Bees!
{{ DiscussionBoard.errors[11061588].message }}

What is the best way to handle these wordpress website attacks?

Trending Topics

"Hello everyone! New member here."

Index vs. Noindex for Wix category and tag pages -- what's your take?

What is the fastest way to get traffic to an affiliate link?

Clickbank, Digistore24 or Amazon Associates

Buying passive-income KDP businesses on Flippa