Easy way to protect your WP site from hackers

by Elmar
27 replies
I was shocked today when I checked my login stats. There were hundreds and hundreds of failed login attempts. I believe these were all attempts to brute force the password on my blog.

Here are two simple steps/reasons why they were unsuccessful!

1. I have my main admin username set as something other than the WP default "admin". All of the brute force attempts were using either "admin" or "Admin" as the username.

2. I have a free plugin installed called Limit Login Attempts. It tracks the users who are trying to log in by IP and a cookie. It locks out anyone after 4 failed attempts for 25 min and after 4 lockouts for 24 hours. This makes running a brute force impossible. (It also has stats that show you the IP and the attempted username of anyone who has been locked out.)

The above steps should be the minimal steps everyone should take to protect their site.

Please share your tools or tips on how you protect your sites.
#easy #hackers #login #password #protect #security #site
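The lockout policy Elmar describes (4 failed attempts lock the client out for 25 minutes, and a fourth lockout extends it to 24 hours), modelled in Python as an added illustration. This is not the Limit Login Attempts plugin's own code: it is a simplified state machine keyed by IP only, and it leaves out the plugin's cookie tracking and its counter-reset timers.

```python
from dataclasses import dataclass

# Policy values quoted in the post (the plugin's defaults may differ).
ATTEMPTS_BEFORE_LOCKOUT = 4
SHORT_LOCKOUT = 25 * 60        # seconds
LOCKOUTS_BEFORE_LONG = 4
LONG_LOCKOUT = 24 * 60 * 60    # seconds

@dataclass
class ClientState:
    failures: int = 0          # wrong passwords since the last lockout
    lockouts: int = 0          # lockouts issued so far (never reset in this model)
    locked_until: float = 0.0  # epoch seconds; 0 = not locked

class LoginLimiter:
    def __init__(self):
        self.clients = {}      # keyed by client IP only (simplification)

    def is_locked(self, ip, now):
        state = self.clients.get(ip)
        return state is not None and now < state.locked_until

    def record_failure(self, ip, now):
        """Register a wrong password; return the seconds of any new lockout, else 0."""
        state = self.clients.setdefault(ip, ClientState())
        if now < state.locked_until:
            return 0               # still locked: attempt is rejected, not counted
        state.failures += 1
        if state.failures < ATTEMPTS_BEFORE_LOCKOUT:
            return 0
        state.failures = 0
        state.lockouts += 1
        duration = LONG_LOCKOUT if state.lockouts >= LOCKOUTS_BEFORE_LONG else SHORT_LOCKOUT
        state.locked_until = now + duration
        return duration

    def record_success(self, ip):
        self.clients.pop(ip, None)  # a correct login clears the counters

def simulate_brute_force(limiter, ip, guesses, start=0.0):
    """Guess once a second, waiting out lockouts; return (lockouts issued, seconds elapsed)."""
    now, issued = start, []
    for _ in range(guesses):
        if limiter.is_locked(ip, now):
            now = limiter.clients[ip].locked_until  # wait until the lock expires
        lock = limiter.record_failure(ip, now)
        if lock:
            issued.append(lock)
        now += 1
    return issued, now - start
```

Sixteen guesses from one address already cost the attacker over an hour and end in a 24-hour lockout; as the first reply notes, an attacker rotating proxies gets a fresh counter per IP, which is why the obscure username still matters.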
  • Brute forcers also use proxies though

    Absolute best thing you can do is make an obscure login name
  • YasirYar
    That's great to know, and thanks for sharing the idea on how one can safeguard their blogs. It's alarming how many people are trying to get into other people's blogs; not sure what they want to do. But whatever that may be, I am sure it isn't anything good at all.
    • garyisonline
      +1 for the plugin
      +1 for changing "admin" to something convoluted <-- I see this oversight in ebooks and videos "teaching" the one-click install. Pfffffff. STILL!!

      For the proxy geniuses, since the Limit Login plugin limits the number of tries before having to wait, it becomes a pita for impatient script-running lazy butts. It's similar to punks tryin' doorknobs in the neighborhood. It's easier to just go find one of them one-click install suckers who lock the door then throw the key under the mat.

      On all of our sites, the plugin emails an alert that somebody was blocked for too many tries. We then gather a text file and add ALL of those offending IPs to ALL of the deny sections of ALL of the .htaccess files on ALL of our sites.

      Also, Hide My Ass and Scrapebox have a list of public proxies for any ole body to use. Add all of them to .htaccess deny too. For you see, anybody using those public proxies to wiggle login pages is up to no good and can kick rocks. No loss blocking all of them for us.

      There are additional steps to take to tighten up WordPress (just do a search on the big G), but the OP's ideas are very good-n-easy first steps.
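The deny-list workflow garyisonline describes (collect the IPs from the plugin's lockout alerts, then add them to the .htaccess deny section), as an added Python example; it is not the plugin's or any poster's code. The alert lines are constructed, and the lockout threshold and the private-range filter are my additions, so that one forgetful visitor or a misconfigured reverse proxy does not get a legitimate user or your own network banned (the thread's later point about proxies and shared addresses applies to any IP-based block).

```python
import ipaddress
import re

# Constructed sample of lockout alert e-mails (not the plugin's real wording).
ALERT_TEXT = """\
4 failed login attempts (2 lockout(s)) from IP: 203.0.113.45
Last user attempted: admin
4 failed login attempts (1 lockout(s)) from IP: 198.51.100.7
Last user attempted: Admin
4 failed login attempts (3 lockout(s)) from IP: 203.0.113.45
Last user attempted: admin
4 failed login attempts (1 lockout(s)) from IP: 192.168.1.10
Last user attempted: administrator
4 failed login attempts (1 lockout(s)) from IP: not-an-address
"""

ALERT_RE = re.compile(r"\((\d+) lockout\(s\)\) from IP:\s*(\S+)")

# Never write your own LAN or loopback into a deny list: behind a misconfigured
# reverse proxy every attacker looks like 10.x or 127.0.0.1.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]

def collect_offenders(text, min_lockouts=2):
    """Map IP -> highest lockout count seen, keeping only public addresses
    with at least `min_lockouts` lockouts (one lockout may be a forgetful user)."""
    worst = {}
    for count, raw in ALERT_RE.findall(text):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue                       # malformed line: skip, don't emit junk
        if any(ip in net for net in LOCAL_NETS):
            continue
        worst[str(ip)] = max(worst.get(str(ip), 0), int(count))
    return {ip: n for ip, n in worst.items() if n >= min_lockouts}

def render_deny_block(offenders):
    """Apache 2.4 form of the .htaccess 'deny section' the post describes;
    the older 'Deny from' syntax needs mod_access_compat on 2.4."""
    lines = ["# BEGIN lockout denylist (generated)", "<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(offenders)]
    lines += ["</RequireAll>", "# END lockout denylist"]
    return "\n".join(lines)
```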
      • sbucciarel
        Originally Posted by garyisonline:

        For the proxy geniuses, since the Limit Login plugin limits the number of tries before having to wait, it becomes a pita for impatient script-running lazy butts. It's similar to punks tryin' doorknobs in the neighborhood. It's easier to just go find one of them one-click install suckers who lock the door then throw the key under the mat.
        I use Limit Login too and get an ungodly amount of people trying to log in as admin. Of course, my user name isn't admin and they'd never guess in a million years what it is. I also use Bad Behavior with the setting to disallow proxies, so people using proxies can't visit my site.
        • so11
          Originally Posted by sbucciarel:

          I use Limit Login too and get an ungodly amount of people trying to log in as admin. Of course, my user name isn't admin and they'd never guess in a million years what it is. I also use Bad Behavior with the setting to disallow proxies, so people using proxies can't visit my site.
          Hello Suzanne,

          Blocking proxies might be effective, but you might be losing the lion's share of visitors. Many, many companies and corporate users use proxies. I'd probably have to say most of them...

          so11
          • garyisonline
            Originally Posted by so11:

            Hello Suzanne,

            Blocking proxies might be effective, but you might be losing the lion's share of visitors. Many, many companies and corporate users use proxies. I'd probably have to say most of them...

            so11
            No need to worry if you block public proxies...the ones published freely on every hack-a-long website. Most using those public proxies won't be bringing lollipops and happy thoughts to your website.

            Most corporate folks are going to be using private proxies, gateways and VPNs. But, those bored office workers who are using public proxies to tunnel out of the cubicle to check personal stuff, learn pretty quickly (or should anyway) how "safe and secure" that practice is.
  • mikehuff
    Damn Elmar, what's up with THAT sh*t??!

    That kills me, glad you had something in place to stop them from getting in. On the BRIGHT side, I'm following the link in your sig. I gotta see this blog
  • bapparabi
    Hi, here is a great WP plugin which I am using to avert successful hacker attacks and enhance security:
    WordPress Firewall Plugin
  • Mike Hersh
    Always back up your site! I realized that it's the best tool against hackers after you secure your site.
  • There's a great Kindle book about WordPress security currently available for free on Amazon. I've just downloaded it and browsed through it, very informative, well worth a download - WordPress Security: Protection from Hackers and...
  • troy23
    Excellent post

    Thanks
    • so11
      Hello Elmar,

      Good for you. It is always best to be proactive!!!

      Although, brute force doesn't necessarily mean that they have tried only admin or Admin passwords. They've tried many simple combinations (usually dictionary words) that most people use.

      Another important measure to take (if possible) is to rename your Admin account. Most automated attacks take place against the account named Admin.

      Good luck
  • Thank you very much for the tips. I have been hacked several times. Will follow your tips.
  • Kingfish85
    The plugin is good & works, but it "can" be exploited. The best solution would be to password protect the directory at the server level. This also gives you a second layer of security with double authentication methods.
  • bhmseoservices
    Other than changing the initial username and plugins (which are great tips by the way!), there are other things you should do to protect your assets further.

    Create a task for yourself: every 15-30 days, back up your files through your FTP, grab the latest database and put it somewhere safe.

    At the end of the day though, if a good hacker wants to hack your site, they will hack it. All you can do is make sure your files are secure offline and so is your database.
  • Great post. Nice blog as well...
  • rankingconsult
    Good tip. I get daily emails of failed entries to my DS and these are invariably through the large community sites out there.

    Therefore, not just WordPress users should be aware of this, but also those using Joomla, vBulletin, phpBB, Drupal, etc.
  • cooler1
    Isn't it better to use the WordFence Security plugin instead of Limit Login Attempts, as WFS also limits login attempts amongst other things?
  • Bruce NewMedia
    I have also been using Bad Behavior set to disallow proxies, so people using proxies can't visit my sites. I think that has helped quite a bit. WP is great, but the security issues seem never-ending.
    _____
    Bruce
    • so11
      Originally Posted by Bruce NewMedia:

      I have also been using Bad Behavior set to disallow proxies, so people using proxies can't visit my sites. I think that has helped quite a bit. WP is great, but the security issues seem never-ending.
      _____
      Bruce
      Hello Bruce,

      Security is not static; it is a state that needs to be achieved and maintained.

      The reason we have security issues is because we evolve and make constant changes... These changes create security vulnerabilities. That's why it is important to adopt good security practices, such as checkups, audits, quality assurance, etc.


      So11
  • Ti
    The best way would be to add a .htaccess file which requires a pop-up username/password that is done from the web server itself.

    See here: Protect your WordPress site with .htaccess | Tutorial | .net magazine
    • Elmar
      Originally Posted by Ti:

      The best way would be to add a .htaccess file which requires a pop-up username/password that is done from the web server itself.

      See here: Protect your WordPress site with .htaccess | Tutorial | .net magazine
      This would only apply to the wp-admin page?
      • bt
        Good post Elmar. I don't know about WordPress, but on a few websites I have had in the past, I would chmod the admin file to 0400 or even 0000 when not in use as an extra layer of security; then, when you want to log in to the admin panel, just change the admin file or folder back to 644 or 755.
      • Ti
        Originally Posted by Elmar:

        This would only apply to the wp-admin page ?
        This applies to any page that you want to secure. The wp-admin is a good start.
  • TanYaV
    Hi! I know of some quite basic tips, like not using admin as the username and not posting from the admin account. Here's some more advice on securing WordPress.