My website under brute force attack

10 replies
My site is on wordpress and I am under major brute force attack. I tried pretty much everything to try and stop it, but the hackers seem to be very relentless and clever.

Things I've done:

I removed the "admin" login user and changed it to a 100x more complicated username. I changed the password to something that is extremely difficult.

Added -

Sucuri
Simple Firewall
Captcha + "Am I Human" tick box [both]

Settings:

I added a 300 second time-out period on failed first attempted login.
I removed default 'wp-admin' and 'wp-login' and changed it to a unique URL string that only I know.

And somehow the hackers are still trying relentlessly. I think they found my new (secret) URL login string. Only thing I can think to do now is make only my IP address capable of logging in.

Any suggestions?
#attack #brute #force #website
  • irawr (Banned)
    Originally Posted by gearmonkey (quoting the opening post above)
    Doesn't sound like they're going to get in. I wouldn't be too worried. If they're trying the wrong user name it's pointless.
  • Tim3
    Have you traced and banned all the IPs they are using via .htaccess?

    Either do it manually or try the simple IP ban plugin for a quick fix, also allows you to redirect to a site of your choice. :-)
    • Jill Carpenter
      • gearmonkey
        Originally Posted by Tim3:

        Have you traced and banned all the IPs they are using via .htaccess?

        Either do it manually or try the simple IP ban plugin for a quick fix, also allows you to redirect to a site of your choice. :-)
        I tried but the hackers are burning through 1000s of IPs per day.

        Originally Posted by Jill Carpenter:

        I will check that out. I am using simple firewall right now along with other security plugins. I don't think they'll get in, but it is incredibly annoying they aren't giving up after all these measures in place.
        • Tim3
          Originally Posted by gearmonkey:

          I tried but the hackers are burning through 1000s of IPs per day.
          They must be rich!
          Are the IPs from 1 or 2 countries?
          You could try banning those countries' IPs, at least temporarily. There are several sites that give you lists like this one:
          NirSoft's countryip page (NirSoft - freeware utilities)

          Also try the Bad Behavior plugin, which you can use to ban all sites trying to access via a proxy.

          As a last ditch thing, assuming you will not lose too much money, install a 503 maintenance plugin on your site for a while, that will prevent access from everything, including SE crawlers.
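As an added illustration of the IP-banning discussion above (this is not code from the thread or from any plugin named in it), the following Python script counts failed WordPress login POSTs from an Apache access log per IP and per /24, showing why per-IP .htaccess bans miss a botnet that rotates through many addresses while a /24 aggregate still catches it. The log lines are constructed; the login path parameter is an assumption for sites that renamed wp-login.php.

```python
import re
from datetime import datetime, timedelta

# One Apache "combined" log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic (not real log data): one legitimate visitor who
# logs in, plus a botnet spreading its guesses over 30 addresses in one /24
# so that no single IP ever reaches a per-IP ban threshold.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2016:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Mar/2016:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
] + [f'203.0.113.{n} - - [10/Mar/2016:10:01:{n:02d} +0000] '
     f'"POST /wp-login.php HTTP/1.1" 200 4100' for n in range(1, 31)]

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def failed_logins(lines, login_path="/wp-login.php"):
    """(ip, time) of POSTs to the login URL answered with 200: WordPress
    re-renders the form on a bad password, while a success redirects (302).
    Pass the renamed login path if the default URL was changed (assumed)."""
    recs = (parse_line(l) for l in lines)
    return [(r["ip"], r["ts"]) for r in recs if r and r["method"] == "POST"
            and r["path"].split("?")[0] == login_path and r["status"] == 200]

def slash24(ip):
    return ".".join(ip.split(".")[:3]) + ".0/24"

def ban_candidates(attempts, window=timedelta(minutes=5), per_ip=5, per_net=20):
    """Failures per IP and per /24 inside a sliding window; returns what crosses
    each threshold. Per-IP deny rules miss a rotating botnet, the /24 aggregate
    catches it (at the cost of also blocking neighbours in that range)."""
    attempts = sorted(attempts, key=lambda a: a[1])
    ips, nets = set(), set()
    for i, (ip, ts) in enumerate(attempts):
        recent = [a for a in attempts[:i + 1] if ts - a[1] <= window]
        if sum(a[0] == ip for a in recent) >= per_ip:
            ips.add(ip)
        if sum(slash24(a[0]) == slash24(ip) for a in recent) >= per_net:
            nets.add(slash24(ip))
    return {"ips": sorted(ips), "networks": sorted(nets)}
```

On the sample data no single IP is flagged but 203.0.113.0/24 is, which is the pattern gearmonkey describes; a 302 from the real visitor is never counted as a failure.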
  • yukon (Banned)
    I've written a Windows desktop app that changes a WordPress admin password without using a browser.

    I've thought about making the app use a rolling password that's constantly changing from a list of passwords that's automatically generated. Whenever I want to log in to a WordPress admin, I just pause the desktop app and copy/paste the latest password into the WordPress admin login.

    This could even handle unlimited WordPress sites on unlimited hosts, all from one desktop app.
  • vic1
    I have sites that get hammered constantly.
    I use either protection from JetPack or Limit Login Attempts, and strong passwords.
    They never get in, it was annoying, now I don't pay attention anymore.
  • Project Sniper
    You should always follow Edward Snowden's advice. Any hacker will tell you this.
    - Passwords should never be randomly generated. Those are the easiest to break, especially if you have a cracker.

    example

    ThisIsMyWaoiorrFuromPassWordAndShiaLeboofIsTheOnlyFishThatCanBreath

    It should be around that length and make no sense.
    • nettiapina
      Install iThemes Security, and change the login URL. This just might drop the login attempts to near zero. This is not possible in all scenarios, but if you're running a simple site it's probably ok.

      These botmasters are inherently lazy *******s, and it's very unlikely that they're specifically targeting your site.

      Originally Posted by Tim3:

      They must be rich!
      Not really. They've got a botnet of desktop machines and improperly secured VPSes. Someone else is paying the bill. Although I'm pretty sure that the career criminals are not operating on a budget either.

      Originally Posted by Project Sniper:

      It should be around that length and make no sense.
      I'd recommend using 1Password or one of the other password safes, and use that software to generate your passwords.
  • RaviKumar1
    Hi,

    I think this attack is related to SQL injection; it is happening from the server side, and you cannot secure it from the WordPress admin panel. Please ask your hosting provider to secure your server from symlink attacks, upload .htaccess files under public_html, wp-admin and wp-content, and
    prevent script injection, protect WordPress admin files, secure wp-config.php, protect your .htaccess, and change the table prefix.
