Wordpress constantly getting hacked

If you are not using the admin user then you should be OK no ? Maybe I am missing something.

Simply setup another user with admin permissions and you'll be OK,at least it will avoid issues if the actual admin gets locked out.

i would suggest you Better WP Security plugin. this plugin is more easy to use and more trusted. personally i also use better wp security plugin for my sites

Try Better WP Security. at least that's what I have used with some degree of success

You are saying you don't use admin as the username for your admin account, yet someone still knows your new admin username account and then logins in and you also get locked out because of too many failed login attempts?

Well in that case, change username (yes there are plugins that enable username change), or create a new admin account.

And also like others suggested, use a better security plugin, one that doesn't block the admin account, but rather logs the IPs of the hackers and blocks those.

wordpress installations are getting hacked on a regular basis, its a big problem, I use a number of security products, some I had created just so I could sleep at night.

I have not had a problem with hacked wordpress since I started doing three things.

1. install wordpress the correct way, (you can find plenty of resources online about this issue) starting with wordpress.org

2. Use a quality wordpress security product.

3. Keep a backup...

The truth is nothing can be made 100% secure, however you can stop a lot of the problems that many wordpress operators face every day.

I was getting hacked a lot regardless of what plugin or username / password I chose.
This is how I put an end to it.

I FTP'd to my site and downloaded the index.php file from the wp-admin folder.
I then uploaded a fake index.php to this folder, now nobody can even attempt to login.

When I need to login I just FTP the original index file and login then upload the fake when done. Might seem like a hassle but its easier and quicker than reinstalling a backup and checking for any malicious code.

You're NEVER 100% safe online from hackers and as others have mentioned, Better WordPress Security is great but I've always used Acunetic WP Security. I suggest giving them a try to see which one works best for you. Good luck!

try moving servers, if that is an option for you.
we recently moved to Amazon Web Services using EC2 w an RDS database.
super fast and secure.

Update your wordpress website to the latest version. And have your webhost manager check your account for any virus, then confirm if the server is already hacked by any tools or small scripts. Usually, hackers will inject small codes to your site like scripts or few lines of codes. This will allow them to access and download all your myphp database and therefore hack your website. so be careful.

If you're constantly dealing with this problem, try moving to another hosting provider. Even today, there are plenty of hosts that operate insecure servers, or are just known easy targets. So even if you do all the common extra steps to secure WP, you can still have issues from within.

You can use FTP to view your site directory and look for files or folders recently created by sorting by date descending. See if anything stands out... with random names, letters, etc... just in case you do have a malicious script in the directory. You can also ask the host to run scans for these, too.

Make sure your theme and plugins are updated. Check to see when they were last updated, too, because even if they're latest version, can be old and contain security issues.

If it is only you who visits the admin area, you may want to try using directory protection on /wp-admin or use htaccess to limit access to just your IP.

And definitely try some of the extra security plugins.

Good luck!

I use Wordfence security, I have it set so that the IP of one failed login attempt is locked out for 60 days.

Furthermore, it will scan your site on a daily basis to look for malicious code or changed files.

I don't find it necessary, but you could add either Bulletproof Security OR Better WP Security. I wouldn't use both, because they both do pretty much the same thing.

If you have been hacked, I would suggest running one scan using WordPress › Anti-Malware (Get Off Malicious Scripts) « WordPress Plugins as it sometimes finds things others miss.

I wouldn't suggest manually using FTP to look for changes, as it's difficult to see anything. The file date is meaningless, as it can easily be manipulated to match all the files around it.

If you are on a shared server, a hacker can insert backdoors on other sites on your account and either add malware to them or use the backdoor to return to the original site.

Every once in a while we experienced getting hacked, so it is very much important to have a backup of your website. Several hosts offers site backup restore add-on service, its a very good investment for your business.

This is a very common problem and one I have experienced first hand. Last summer I had 4 WordPress sites on the same server all hacked at the same time by the same hacker.

From the e-mails you're getting, it sounds like someone is trying to mount a “brute force” attack on your site. This is where hackers use “bots” to run through combinations of usernames and passwords to try and gain access to your dashboard. Most often this is done using a script running on a hijacked website.

Go through your site's Raw Data Log (you download it from within Cpanel) and note the IP addresses where people are trying to gain access to wp-admin.php. You can then blacklist them.

backup everything

wordpress has lots of security holes sadly but true

its the #cms and hackers understand its structure and weaknesses

also switch hosting they are just as much responsible

good luck

Ed

I know this sounds obvious, but, make sure "Settings/Membership/Anyone can register" is NOT checked off. I think by default on new installs it is. And definitely back up files

Hi gwpmike

I think I can help you out with that as I have gone through hacking experience that resulted my website completely deleted !!!

So , The Solution is as follows :
1.Install All In One WP Security Plugin.
2.Install Anti-spam Plugin.
3.Install iThemes Security Plugin.
4.Wordfence Security.

Forget about hackers and enjoy...

- Oliver

Your security plugin should have a backdoor of some sort. Where it can lockout any IP address except the ones you say are okay.

I have sites hosted at Hostgator and Namecheap hosting and both have sent me notice of attempts to hack into my sites the IP address at Hostgator was in the Russian Federation.

They got inside and messed up several site, according to Hostgator whom I trust about as far as I can throw them so to speak.

I have never understood what pleasure the people get from hacking somebodies web site just the fun of doing it I suppose.

I just started using Wordfence on a few sites but I will install some of the plugin suggested here.

Both have told me to change my Cpanel login which I will do but somehow they figured out the last one so why bother.

Try Fail2Ban, it's not as easy as a plugin install but very efficient in preventing malicious IP from trying to access your server.

I use Wordfence wp plugin which does multiple things including scanning and checking changes to your plugin files.
I used to to get loads of notifications of failed login attempts too, and then someone recommended a free wp plugin called Bruteprotect which blocks out the ips of known hackers/bots. This has cut down the number of login attempts dramatically on my sites.