What to do about attacks on a WordPress site?

by DJL
25 replies
One of my WordPress sites, for reasons that escape me, has attracted the attention of some creep who is trying what I guess is a brute force attempt to log in with the username 'admin'.

On a typical day, I have seen 50 to 100 login attempts from a variety of IP addresses, all of which are blocked very effectively by the Wordfence security plugin. I never use the 'admin' username in WordPress, and I always use very strong passwords.

Most likely, the miscreant has infected a bunch of computers with malware that is generating all of these login attempts, and the owners of these computers have no idea what is going on; or, it may be that he is running through a list of proxies, and thus the attempts appear to originate from differing IP addresses.

The website receiving these attacks is of no importance to me, but it is on a shared hosting account where I do have some important assets. So far, none of my other sites has been attacked in this manner.

My question is: should I just ignore this idiot, or is there anything I could do to annoy or discomfit him in some way?
  • Istvan Horvath
    According to its author (and many users) this plugin stops such attacks: WordPress › Bad Behavior « WordPress Plugins
    • DJL
      Thanks for the recommendation. I will give this a try and see how it goes.
      None are more hopelessly enslaved than those who falsely believe they are free.
      --Johann Wolfgang von Goethe, Elective Affinities (1809)
  • Kingfish85
    Password protect the wp-admin directory. You could also check the access logs and add the IP to the IP deny option from within cPanel.

    EDIT: Password protecting the directory would also give you an added layer of security.
    |~| VeeroTech Hosting - sales @ veerotech.net
    |~| High Performance CloudLinux & LiteSpeed Powered Web Hosting
    |~| cPanel & WHM - Softaculous - Website Builder - R1Soft - SpamExperts
    |~| Visit us @veerotech Facebook - Twitter - LinkedIn
    • DJL
      I will implement your first suggestion, as it makes sense to put multiple layers of obstacles in the way of the attacker.
      The IP deny option, I think, would be impracticable in this case, because there are often dozens of them being logged within any given hour.

      • Kingfish85
        Yea, the first option would certainly be the best. As you've said, the IP deny manager would be a constant battle since the IPs are always different.
  • Dee Syed
    Bad Behavior is definitely the one I'd look at for this job.

    Also take a look at the Plugin Better WP Security which easily allows you to change elements like wp_ table prefixes, default admin IDs and generally hide WordPress-related information from your site. The idea being to mask as much as possible the fact that your site is WordPress powered. As with ALL such plugins that work on the database level, you should take a backup of your files first!

    Dee
    There's only one thing we do and we do it well! Talk to us about your next WordPress project and let us make it happen. Our clients have been featured on the BBC and generate income running into six figures!
    • DJL
      Thanks, I will take a look at Better WP Security.
      As a matter of course, I always change the wp_ table prefix when first creating a site, and set it up with an obscure username and strong password.

      I am meticulous about backups, too, and even have multiple copies of each backup on separate devices.
  • iqbal
    In my opinion, have an extremely unbreakable username and password consisting of alphanumerics and symbols such as £$^&%@~ etc.
    Password-protect wp-admin and use a plugin to rename login.php and remove direct access to login.php.
    • DJL
      1. Yes, that is exactly what I do: usernames & passwords are always obscured. I use AceBIT Password Depot to generate random character strings for these, and also for folder names.
      2. Yesterday I tried to use the cPanel feature to password-protect the wp-admin folder, and then could not log in. There must be some rule about usernames or passwords that I violated, so I plan to follow up on that with my hosting service's tech support.
      3. Please elaborate on "remove direct access to login.php." How, exactly, does one do that?
  • JonBird
    Istvan's recommendation "Bad Behavior" is worth trying although it does have mixed reviews.
    Blocking individual IPs is a real pain and they can be changed so easily... so it's as you mentioned.. impractical.

    I have used plugins that limited login attempts and whitelisted certain IPs that worked well. But even with those he/she could still try day after day to hack in.

    So, if the main problem is the multiple login attempts a day by this idiot... then how about hiding the login page? I haven't tried it personally.. but it looks like it would do the job.

    Here's the link to one I found: WordPress Stealth Login Plugin for Custom Login

    I am sure there are others too.

    Hope this helps.
    • awddude
      More often than not, a free WordPress theme or free plugin that you use is being exploited. This is very common so I seldom use free themes or plugins.

      One of the easiest measures to take is to remove the footer "Created by Wordpress" as people use this text to compile lists of possible sites to attack.

      You can hire security specialists on freelancer.com that will restore your site and secure it for as little as $50.

      Good luck
      • RobinInTexas
        The more common and popular free themes have thousands of users, and if there is a vulnerability, it will be discovered quickly and fixed, or the word will get out on the WordPress.org site quickly. That is not always the case with a paid theme which, in some cases, is outsourced and poorly written, put together to make a quick buck.

        Identifying a site as WordPress has a minimal impact on attempts to log in. I have had non-WordPress sites that logged hundreds of attempts to access the non-existent wp-login.php file.
        Robin

        ...Even if you're on the right track, you'll get run over if you just set there.
        • DJL
          My own experience leads me to agree with what you say.
          I have purchased themes that were poorly supported, and that contained obfuscated code that gave me "the willies."
          I almost always have to create a child theme to achieve the look and feel that I prefer, but change as little as possible, and I am very parsimonious in my use of plugins.
      • DJL
        1. This particular site is using the TwentyTen theme. It's not important enough to warrant a paid theme, but there is no visible mention of WordPress on the site. I have not delved into this subject yet, but I think it's likely that ANY WordPress site, regardless of theme or plugins, has some degree of "footprint" that would reveal its nature to those who know how to look for such things.
        2. Perhaps I am wrong, but I believe the themes and plugins listed on WordPress.org, particularly those that have been around for some time and have been reviewed and rated by many users, are safer than the "latest and greatest" that are sold elsewhere.
        3. None of my sites has ever been successfully hacked, but I am well prepared with backups in case it should ever happen. Mostly, I am looking for ways to lock the barn door before the horse is stolen, and I appreciate the many valuable tips I have received in this thread.
        • Istvan Horvath
          Originally Posted by awddude:

          More often than not, a free WordPress theme or free plugin that you use is being exploited. This is very common so I seldom use free themes or plugins.
          Sorry, you are completely wrong... and have no idea what you are talking about! (see below)

          Originally Posted by DJL:

          2. Perhaps I am wrong, but I believe the themes and plugins listed on WordPress.org, particularly those that have been around for some time and have been reviewed and rated by many users, are safer than the "latest and greatest" that are sold elsewhere.
          No, you are NOT wrong at all! (the dude above you is completely ignorant of facts...) Your experience is shared by many WP users: the safest themes and plugins are the free ones from wp.org!

          While the "official" plugin and theme repository does not check the quality of coding, those scripts are screened to make sure they don't contain malicious code.
    • DJL
      1. The Wordfence plugin has an option I use, to block the IP of any user who generates a failed login attempt for 60 days.
      2. I also use Wordfence's option to whitelist my own IP address, as I am the only legitimate user of the site.
      3. Thanks for the suggestion about hiding the login page. I will look into that, also.
  • RobinInTexas
    I use the Wordfence plugin, which I have set to immediately lock out invalid usernames (and other failed login attempts) by IP for 60 days after a failed login attempt.
  • SteveJohnson
    Originally Posted by DJL:

    My question is: should I just ignore this idiot, or is there anything I could do to annoy or discomfit him in some way?
    I do not have a publicly-facing WordPress site that doesn't get at least 50 login attempts daily. Interestingly, I also have a couple of Drupal-powered sites that also get hit - from the same IPs at about the same time.

    There isn't an 'idiot' to ignore - they're bots and as far as I know, they aren't self-aware so you can't 'annoy' them.

    Just follow good security practices (from what you've outlined, you do) and keep an eye on the sites periodically. That's about all you can do.

    BTW, if you don't know what you're doing when password-protecting the wp-admin directory, don't do it. WordPress's AJAX functionality lives there, so you have to make special provisions, especially if you use a theme that utilizes AJAX for anything.
    The 2nd Amendment, 1789 - The Original Homeland Security.

    Gun control means never having to say, "I missed you."
    • Kingfish85
      Good call on that - I completely forgot about it. If you're using something that tries to call back to the wp-admin directory, you'll get a credentials popup box every time the page loads.
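Putting Kingfish85's directory protection together with the admin-ajax.php exception SteveJohnson's warning calls for, as an added Apache 2.4 example that is not from the thread or any plugin; the site root /home/example/public_html, the user wpuser and the .htpasswd path are placeholders.

```apache
# Added example, not from the thread: HTTP basic auth on wp-admin with the
# admin-ajax.php exception the thread warns about. Assumes Apache 2.4 syntax;
# /home/example/public_html, wpuser and the .htpasswd path are placeholders.
# Create the password file once with:
#   htpasswd -c /home/example/.htpasswd wpuser

# --- /home/example/public_html/wp-admin/.htaccess ---
AuthType Basic
AuthName "Restricted"
AuthUserFile /home/example/.htpasswd
Require valid-user

# Themes and plugins call wp-admin/admin-ajax.php from the public front end
# with no credentials; without this exception every page load throws up the
# browser credentials prompt described above. The more specific <Files>
# section replaces the directory-level Require (AuthMerging is Off by default).
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- /home/example/public_html/.htaccess (appended) ---
# The login attempts in the thread go to wp-login.php, which lives in the site
# root, not under wp-admin, so protect that file too; the directory password
# alone changes nothing for the brute-force traffic. Same AuthName, so the
# browser reuses the credentials instead of prompting twice.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /home/example/.htpasswd
    Require valid-user
</Files>
```

On a host still running Apache 2.2 the exception is written as `Satisfy Any` plus `Allow from all` inside the `<Files>` block instead of `Require all granted`.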
  • hcir87
    I know of a product I use, and it stops my WordPress website from being hacked, and it emails me every time somebody tries to hack my website. I purchased this product a while ago; this guy teaches how to ban IP addresses from the website and how to block your admin area while you sleep. I learned how to block brute force attacks. I love this product; if you want to know, just send me a request and I'll give you the link to it. I like it so much I promote it also, so if you purchase through my link it will give a commission to me and my family. Let me know if you want to know more. I didn't want to promote on Warrior Forums, but I saw you guys talking about WordPress security. OK guys, have a great day.
    • DJL
      Thanks for your offer, but the functionality you describe is already provided by the free version of the Wordfence plugin.
  • RobinInTexas
    I've spent many hours going over hardening WordPress, and I think Wordfence, combined with either Better WP Security or BulletProof Security, is more than enough for security.

    Obfuscating the admin user name is a waste of time, providing you use a strong password, 13-15 characters, including at least 1 number, symbol, upper and lower case letter.
    !2dA......... is an example I tried just to test. It would be easy to remember and to type, impossible for an online brute force attack to crack it.
    • DJL
      Thanks for your advice. I will look into those other security plugins you mentioned.

      Thanks to TrueCrypt and Password Depot, I only have to remember two passwords, which I can type in my sleep. They are long, strong, and, I believe, impossible to guess.

      Among other things, I also use iolo System Mechanic Pro to protect my PC from malware and viruses, and Oracle VM VirtualBox to access the internet from within a virtual machine.

  • funsouk
    I'm using the Wordfence plugin.
    • RobinInTexas
      You are getting your post count up even if you are not contributing to the discussion.

      Thanks for your informative post. I thought I was the only one using Wordfence.
