[ WordPress attack - protect your websites ]

12 replies | SEO
Not sure why this is not discussed here... there are on-going WordPress attacks, so please protect/backup your WP sites. Some of my sites "almost" got attacked today. I panicked a bit.

The last thing I want to see is people crying because their businesses were destroyed... but this time, not because of Google, but a WordPress attack hahaha.

Some sources:

Protecting Against WordPress Brute-Force Attacks | Sucuri Blog
#attack #protect #websites #wordpress
  • RobinInTexas
    There are attacks of various types that have recently picked up the pace.

    Probably the best thing for WordPress is BulletProof Security

    You might also check out this thread http://www.warriorforum.com/main-int...-heads-up.html
    Signature
    Robin
    ...Even if you're on the right track, you'll get run over if you just sit there.
  • ilee
    If people are serious about their business, and if the business is so important to them, they should have a good enough backup system to act as a stopgap for anything too vicious. As for my WordPress sites, I have still yet to have any of my sites hacked. I keep everything up to date and make backups at least every week.
  • micksss
    It's a good idea to at least have a plugin in place to limit failed login attempts like Simple Login Lockdown.
    • aliendrummer
      Originally Posted by micksss

      It's a good idea to at least have a plugin in place to limit failed login attempts like Simple Login Lockdown.
      Agreed, it's a simple 5-second plugin download that can save you lots of heartache.

      Oh, and BACK THAT UP! That is, your site, occasionally.

      Also, for the NEWBS, be sure to get rid of your ADMIN user and make another.
      • yukon
        Originally Posted by aliendrummer

        Agreed, its a simple 5 second plugin download that can save you lots of heartache.

        Oh and BACK THAT UP! That is, your site occasionally

        Also for the NEWBS, be sure to get rid of you ADMIN user, and make another.
        Changing the default Admin user name isn't going to do anything.

        If someone wants a list of Admin. users all they have to do is look at the WP-feed for the names (hxxp://domain.com/feed/). They would still have to crack the password, either way.

        The WP-feed shows the WP install version # & all the user names.
        • RobinInTexas
          Originally Posted by yukon

          Changing the default Admin user name isn't going to do anything.

          If someone wants a list of Admin. users all they have to do is look at the WP-feed for the names (hxxp://domain.com/feed/). They would still have to crack the password, either way.

          The WP-feed shows the WP install version # & all the user names.
          That is not correct; the feed displays what is selected as "Display name publicly as" under the user profile.

          What is displayed is the "public name" of the author of each post, which may only be a contributor or the ID may even no longer have contributor rights on the blog.

          If you go to one of my sites it would take you a century or so just to come up with the admin user login name I use, which is somewhere between 8 and 11 random characters and looks something like this: "x525t2o2rr8". The actual password is also longer and includes symbols.

          Just for grins, on some blogs I use a display name of Admin. An IP will have 1 chance to attempt a password before being locked out for 60 days by Wordfence options, which include:
          • Immediately lock out invalid usernames
          • Don't let WordPress reveal valid users in login errors

          Impossible for an online brute force attack to crack it.

          https://www.grc.com/haystack.htm
  • ronrule
    Cloudflare identified the attackers early on, if your site is protected by CF you're fine.
    Signature
    Ron Rule
    http://ronrule.com
    • yukon
      Originally Posted by ronrule

      Cloudflare identified the attackers early on, if your site is protected by CF you're fine.
      So I guess Cloudflare (whatever that is) knew people were trying to get into WordPress Admin. accounts back in 2003 when WordPress first started up?

      Not sure why people freak out about things like this; keep the CMS updated, no big deal. It takes a couple of clicks to update WP. What's that, 2 seconds out of a person's life every 3-4 months?
  • webby0031
    Originally Posted by yukon

      If someone wants a list of Admin. users all they have to do is look at the WP-feed for the names (hxxp://domain.com/feed/). They would still have to crack the password, either way.

      The WP-feed shows the WP install version # & all the user names.
      Hi all, install this plugin; it will sort the lot and block the feed mentioned above.

      WordPress › Better WP Security « WordPress Plugins
      • yukon
        Originally Posted by webby0031

        Hi all install this plugin, it will sort the lot and block the feed mentioned above

        WordPress › Better WP Security « WordPress Plugins
        I still got that plugin developer's WP user name from the feed on his own site.

        <dc:creator>Chris Wiegman</dc:creator>
        All I did was view the source code of the Feedburner redirect he did, lol. He hides the name on the live web page & the Feedburner feed, but the name is still in the Feedburner source code.

        Just saying...
  • howto
    I just have a strong and long password for my WordPress as well as a captcha for my login page. I figure at least people will need to pay for a captcha-solving service or something to do brute-force attacks.
  • nik0
    Lol, I had pretty obvious passwords for my sites. No, not "seoservicegroup", but for a hackbot that tries 100,000s of different passwords it would've been a somewhat easy guess. None of my sites has been hacked though, out of 400+ sites, so I think this whole story is pretty exaggerated.

    Sure, hosters were under DDoS attacks, but I have sites at 40-50 different hosting companies; I would at least expect one to be hacked if it was really aimed at WP users.