WordPress constantly getting hacked

26 replies
So I have a good username (not "admin") and a good password and have changed the wp-admin permalink to something different. I have also installed the BPS (BulletProof Security) plugin. However, I get emails from people constantly trying to log in to my blog using my admin username and trying different passwords. Secondly, when people try to do this, the plugin locks everybody out from trying to log in with the admin username, meaning I can't even log in. What should I do? Help!
  • Paul Langham
    If you are not using the admin user then you should be OK, no? Maybe I am missing something.

    Simply set up another user with admin permissions and you'll be OK; at least it will avoid issues if the actual admin gets locked out.
  • khurramjamil
    I would suggest the Better WP Security plugin. This plugin is easier to use and more trusted. Personally, I also use the Better WP Security plugin for my sites.
    • AffiliateWaves
      These days WordPress hackers are on high; they are attacking many websites, and I don't know why they do that.

      I got a message that someone attacked my client's website and deleted all the stuff. I have been working on those websites for the last 3 months.
  • joekoffi
    Try Better WP Security. At least that's what I have used with some degree of success.
  • K Meier
    Originally Posted by gwpmike View Post

    So I have a good username (not "admin") and a good password and have changed the wp-admin permalink to something different. I have also installed the BPS (BulletProof Security) plugin. However, I get emails from people constantly trying to log in to my blog using my admin username and trying different passwords. Secondly, when people try to do this, the plugin locks everybody out from trying to log in with the admin username, meaning I can't even log in. What should I do? Help!
    You are saying you don't use admin as the username for your admin account, yet someone still knows your new admin username account and then logs in and you also get locked out because of too many failed login attempts?

    Well in that case, change username (yes there are plugins that enable username change), or create a new admin account.

    And also like others suggested, use a better security plugin, one that doesn't block the admin account, but rather logs the IPs of the hackers and blocks those.
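The difference between locking the account and blocking the offending IP, as an added example that is not part of the original post and not any plugin's code. The class name, thresholds and documentation-range IPs are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

class IpLoginThrottle:
    """Block the offending source IP after repeated failures, never the account."""

    def __init__(self, max_failures=5, window=600, lockout=3600, allowlist=()):
        self.max_failures = max_failures
        self.window = window              # seconds over which failures are counted
        self.lockout = lockout            # seconds an offending IP stays blocked
        self.allowlist = set(allowlist)   # never blocked; static IPs you control only
        self._failures = defaultdict(deque)   # ip -> recent failure timestamps
        self._blocked_until = {}              # ip -> time the block expires

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        if ip in self.allowlist:
            return False
        until = self._blocked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now=None):
        now = time.time() if now is None else now
        if ip in self.allowlist:
            return False
        recent = self._failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:  # drop stale failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.lockout
            recent.clear()
        return self.is_blocked(ip, now)

def demo():
    # Constructed scenario: a bot and the site owner both target the same username.
    throttle = IpLoginThrottle(max_failures=3, window=60, lockout=300, allowlist={"198.51.100.7"})
    bot, owner, visitor = "203.0.113.50", "198.51.100.7", "192.0.2.9"
    for second in range(3):
        throttle.record_failure(bot, now=1000 + second)
    return {
        "bot": throttle.is_blocked(bot, now=1010),
        "owner": throttle.is_blocked(owner, now=1010),
        "visitor": throttle.is_blocked(visitor, now=1010),
        "bot_after_lockout": throttle.is_blocked(bot, now=1302),
    }
```

Because state is keyed by IP, guesses against the admin username never lock the username itself; an allowlisted address is exempt from throttling, so it only suits a static IP that nobody else shares.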
  • Tim Franklin
    WordPress installations are getting hacked on a regular basis; it's a big problem. I use a number of security products, some I had created just so I could sleep at night.

    I have not had a problem with hacked WordPress since I started doing three things.

    1. Install WordPress the correct way (you can find plenty of resources online about this issue), starting with wordpress.org

    2. Use a quality WordPress security product.

    3. Keep a backup...

    The truth is nothing can be made 100% secure; however, you can stop a lot of the problems that many WordPress operators face every day.
    • igorGriffiths
      As others have mentioned, use Better WordPress Security; it has a great walkthrough system for making your site more secure. Note I said more secure.

      Your site will never be truly secure, as it's unlikely to withstand a non-automated attack by a dedicated hacker, but unless you are doing something amazing on your site, it's more likely you will be targeted by hack bots which probe with the WordPress default settings like the admin user.
  • Valdor Kiebach
    I was getting hacked a lot regardless of what plugin or username / password I chose.
    This is how I put an end to it.

    I FTP'd to my site and downloaded the index.php file from the wp-admin folder.
    I then uploaded a fake index.php to this folder, now nobody can even attempt to login.

    When I need to log in I just FTP the original index file and log in, then upload the fake when done. Might seem like a hassle, but it's easier and quicker than reinstalling a backup and checking for any malicious code.
  • excelatebiz
    You're NEVER 100% safe online from hackers and, as others have mentioned, Better WordPress Security is great, but I've always used Acunetix WP Security. I suggest giving them a try to see which one works best for you. Good luck!
  • itsysparks
    Try moving servers, if that is an option for you.
    We recently moved to Amazon Web Services using EC2 with an RDS database.
    Super fast and secure.
  • wapi
    Update your WordPress website to the latest version. And have your web host manager check your account for any virus, then confirm if the server is already hacked by any tools or small scripts. Usually, hackers will inject small pieces of code into your site, like scripts or a few lines of code. This will allow them to access and download all your myphp database and therefore hack your website. So be careful.
  • ABN
    If you're constantly dealing with this problem, try moving to another hosting provider. Even today, there are plenty of hosts that operate insecure servers, or are just known easy targets. So even if you do all the common extra steps to secure WP, you can still have issues from within.

    You can use FTP to view your site directory and look for files or folders recently created by sorting by date descending. See if anything stands out... with random names, letters, etc... just in case you do have a malicious script in the directory. You can also ask the host to run scans for these, too.

    Make sure your theme and plugins are updated. Check to see when they were last updated, too, because even if they're the latest version, they can be old and contain security issues.

    If it is only you who visits the admin area, you may want to try using directory protection on /wp-admin or use htaccess to limit access to just your IP.

    And definitely try some of the extra security plugins.

    Good luck!
  • RobinInTexas
    I use Wordfence Security; I have it set so that the IP of one failed login attempt is locked out for 60 days.

    Furthermore, it will scan your site on a daily basis to look for malicious code or changed files.

    I don't find it necessary, but you could add either Bulletproof Security OR Better WP Security. I wouldn't use both, because they both do pretty much the same thing.

    If you have been hacked, I would suggest running one scan using the Anti-Malware (Get Off Malicious Scripts) WordPress plugin, as it sometimes finds things others miss.

    I wouldn't suggest manually using FTP to look for changes, as it's difficult to see anything. The file date is meaningless, as it can easily be manipulated to match all the files around it.

    If you are on a shared server, a hacker can insert backdoors on other sites on your account and either add malware to them or use the backdoor to return to the original site.
    Signature

    Robin



    ...Even if you're on the right track, you'll get run over if you just set there.
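Why a content hash catches what a file date misses, as an added example that is not part of the original post and not how any scanner named in the thread works. The function names, file names and temp-directory site tree are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's relative path to the SHA-256 of its content."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def compare(baseline, current):
    """Report paths added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def demo():
    # Constructed site tree in a temp directory; file names are illustrative.
    with tempfile.TemporaryDirectory() as site:
        root = Path(site)
        (root / "wp-content").mkdir()
        index = root / "index.php"
        index.write_text("<?php // constructed original\n")
        (root / "wp-content" / "theme.php").write_text("<?php // constructed theme\n")
        baseline = build_manifest(root)   # in practice, store this off the server
        before = index.stat()

        # Content changes, then the timestamps are put back: a date check sees nothing.
        index.write_text("<?php // constructed modified content\n")
        os.utime(index, ns=(before.st_atime_ns, before.st_mtime_ns))
        (root / "wp-content" / "x9f2.php").write_text("<?php // constructed new file\n")

        mtime_same = index.stat().st_mtime_ns == before.st_mtime_ns
        return mtime_same, compare(baseline, build_manifest(root))
```

The baseline is only trustworthy if it was taken from a known-clean install and is kept somewhere the web server account cannot write.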
  • Vincent Abrugar
    Every once in a while we experienced getting hacked, so it is very important to have a backup of your website. Several hosts offer a site backup restore add-on service; it's a very good investment for your business.
  • spearce000
    This is a very common problem and one I have experienced first hand. Last summer I had 4 WordPress sites on the same server all hacked at the same time by the same hacker.

    From the e-mails you're getting, it sounds like someone is trying to mount a “brute force” attack on your site. This is where hackers use “bots” to run through combinations of usernames and passwords to try and gain access to your dashboard. Most often this is done using a script running on a hijacked website.

    Go through your site's Raw Data Log (you download it from within Cpanel) and note the IP addresses where people are trying to gain access to wp-admin.php. You can then blacklist them.
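One way to pull the offending IPs out of a raw access log, as an added example that is not part of the original post. It assumes the Apache "combined" log format and stock WordPress, where the login form posts to wp-login.php and a failed attempt is answered with 200 while a successful one redirects with 302; the sample lines and function names are constructed.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
203.0.113.50 - - [10/Mar/2014:06:25:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.50 - - [10/Mar/2014:06:25:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.50 - - [10/Mar/2014:06:25:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.50 - - [10/Mar/2014:06:25:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:08:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:08:00:31 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2014:09:12:44 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
garbage line that does not parse
"""

def failed_logins(log_text):
    """Count POSTs to wp-login.php answered with 200 (the login form shown again)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        try:
            counts[str(ipaddress.ip_address(m["ip"]))] += 1
        except ValueError:      # first field is a hostname or junk, not an IP
            continue
    return counts

def offenders(counts, threshold=3, allowlist=()):
    """IPs at or above the threshold, excluding addresses you trust."""
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowlist)

def htaccess_block(ips):
    """Render an Apache 2.4 deny list for the given IPs."""
    rules = ["<RequireAll>", "    Require all granted"]
    rules += [f"    Require not ip {ip}" for ip in ips]
    return "\n".join(rules + ["</RequireAll>"])
```

The threshold keeps a single mistyped password by the owner (one 200 followed by a 302) off the list; put your own address in `allowlist` before pasting the generated block into `.htaccess`.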
  • sparrow
    Back up everything

    WordPress has lots of security holes, sadly but true

    It's the #cms and hackers understand its structure and weaknesses

    Also switch hosting; they are just as much responsible

    Good luck

    Ed
    • Kingfish85
      Originally Posted by sparrow View Post

      Back up everything

      WordPress has lots of security holes, sadly but true

      It's the #cms and hackers understand its structure and weaknesses

      Also switch hosting; they are just as much responsible

      Good luck

      Ed
      How so? 99% of compromised WordPress sites are due to themes & plugins. While I agree some hosting providers are careless about security, most of the time it's not related to the provider, but the website itself.
  • johnweyer
    I know this sounds obvious, but make sure "Settings/Membership/Anyone can register" is NOT checked off. I think by default on new installs it is. And definitely back up files.
  • Omar White
    Hi gwpmike

    I think I can help you out with that, as I have gone through a hacking experience that resulted in my website being completely deleted!!!

    So, the solution is as follows:
    1. Install All In One WP Security Plugin.
    2. Install Anti-spam Plugin.
    3. Install iThemes Security Plugin.
    4. Wordfence Security.

    Forget about hackers and enjoy...

    - Oliver
  • tyronne78
    Your security plugin should have a backdoor of some sort, where it can lock out any IP address except the ones you say are okay.
    • vikash_kumar
      Originally Posted by tyronne78 View Post

      Your security plugin should have a backdoor of some sort, where it can lock out any IP address except the ones you say are okay.
      I agree with tyronne. You need to whitelist your own IP address to ensure your own login into the WordPress Dashboard without any issue.
      • Wayne
        When you create your username other than admin, you should also create a nickname for it and display your name publicly as your nickname. Otherwise, if your posts show the author in the meta details, then everyone will know your username anyway.
        • RobinInTexas
          Originally Posted by Wayne View Post

          When you create your username other than admin, you should also create a nickname for it and display your name publicly as your nickname. Otherwise, if your posts show the author in the meta details, then everyone will know your username anyway.
          That doesn't work. WordPress uses the login name for the author archive, so the name is publicly visible. A strong password is impossible to crack online using brute force methods.
  • JChilds
    I have sites hosted at HostGator and Namecheap hosting, and both have sent me notice of attempts to hack into my sites; the IP address at HostGator was in the Russian Federation.

    They got inside and messed up several sites, according to HostGator, whom I trust about as far as I can throw them, so to speak.

    I have never understood what pleasure people get from hacking somebody's website; just the fun of doing it, I suppose.

    I just started using Wordfence on a few sites, but I will install some of the plugins suggested here.

    Both have told me to change my cPanel login, which I will do, but somehow they figured out the last one, so why bother.
  • garmahis
    Try Fail2Ban; it's not as easy as a plugin install but very efficient in preventing malicious IPs from trying to access your server.
  • Amelle
    I use the Wordfence WP plugin, which does multiple things including scanning and checking changes to your plugin files.
    I used to get loads of notifications of failed login attempts too, and then someone recommended a free WP plugin called Bruteprotect, which blocks out the IPs of known hackers/bots. This has cut down the number of login attempts dramatically on my sites.