Hello,
I have a multisite network that is always getting attacked with a login attack.
I always use a plugin called 'Activity Monitor' which allows me to keep an eye on the IP where the attack is coming from and which user/password is being used.
I do this on all my wordpress sites and in conjunction with this I use a plugin called 'Limit Login Attempts' which defuses the problem well and blocks the hackers by IP.
But I am being faced with a hack that I have not seen before. This hack has somehow acquired my admin user_nicename - not the actual username. Can they access my site with the user_nicename?
My admin user name is not administrator, it is my email. And the user_nicename is the same but has replaced all special characters with a hyphen.
For example...
[email protected] converts to josh-myemail-co-uk for the user_nicename
So anyway this hacker has got my nice name. And when I set this up I forgot to set up my custom SALT keys in the config. I have changed this now but by not doing this have I opened myself to attack?
Anyway, how do you stop an attack like this... [[LINK href="http://imgur.com/ij3Hqjw"]]http://imgur.com/ij3Hqjw[[/LINK]]
I've blocked out my site name and user_nicename but you can see they're trying to hack it every hour, and the IP address is completely different every time, so there is no way of blocking this asshole.
And I am slightly concerned they have acquired my user_nicename. How is this possible? Should I be worrying that someone has access to my mysql or my admin?
Any friendly advice would be great.
Thanks
Josh
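The pattern Josh describes (one account, a fresh source address every hour) is exactly what per-IP blocking cannot catch. As an added example, not from the thread or from any plugin it names, here is a small Python detector that counts failures per target account instead; the log format and sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (hypothetical, not Activity Monitor's real output):
#   "<ISO timestamp> FAILED ip=<address> user=<login or nicename>"
LINE_RE = re.compile(r"^(?P<ts>\S+) FAILED ip=(?P<ip>\S+) user=(?P<user>\S+)$")

# Constructed sample: one account probed from a new address every hour, plus
# one unrelated failure. All addresses are from documentation ranges.
SAMPLE_LOG = """\
2014-01-10T00:02:11 FAILED ip=198.51.100.7 user=josh-myemail-co-uk
2014-01-10T01:01:54 FAILED ip=203.0.113.22 user=josh-myemail-co-uk
2014-01-10T02:03:09 FAILED ip=192.0.2.130 user=josh-myemail-co-uk
2014-01-10T03:00:41 FAILED ip=198.51.100.99 user=josh-myemail-co-uk
2014-01-10T03:15:00 FAILED ip=192.0.2.9 user=editor
"""


def parse(log_text):
    """Turn matching log lines into (timestamp, ip, user) tuples; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"]))
    return events


def distributed_attacks(events, window=timedelta(hours=6), min_ips=3):
    """Return {user: sorted list of every failing IP} for each account that saw
    failures from at least `min_ips` distinct addresses inside any `window`.
    Per-IP throttling never fires here because each address fails only once."""
    by_user = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until hits[start:end+1] fits.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({ip for _, ip in hits[start:end + 1]}) >= min_ips:
                flagged[user] = sorted({ip for _, ip in hits})
                break
    return flagged


if __name__ == "__main__":
    for user, ips in distributed_attacks(parse(SAMPLE_LOG)).items():
        print(f"{user}: failures from {len(ips)} distinct addresses {ips}")
```

An account flagged this way is a candidate for a per-account response (forced password change, temporary lock, or an out-of-band alert) rather than more IP blocks.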
Sabby Sam answers:
Hi,
Many people try to hack the wordpress admin panel, but we need to make it as secure as we can.
Try the following things.
1. Install wp security ( http://wordpress.org/plugins/better-wp-security/ )
See the list of features; it will secure your website (70 to 80%).
-----------------------------------------------------------
The following points are best to secure your website.
Hide the WP version in my HTML
Remove readme.html
Hide login error messages
IP blocking*
Use a different prefix for your DB
Move wp-config.php*
.htaccess protect wp-config.php
Lock file permissions
Prevent plugins from writing to wp-config.php and .htaccess
Prevent folder content browsing (for images mostly, but also plugins)
Use strong passwords for WP/FTP/SQL accounts
Use one-time passwords for WP/SQL/FTP/SSH accounts
http://themefantasy.com/top-10-wordpress-security-tips/
Once you change your admin login area from http://url/wp-admin to
http://url/myxyzlogin no one will try this.
Josh Cranwell comments:
Thanks for all your points...
Hide the WP version in my HTML
- Done
Remove readme.html
- Done
Hide login error messages
- how do you do this? I will look into it
IP blocking*
- Do you mean in the htaccess? Got too many IPs to block, and too many IPs need to have access.
Use a different prefix for your DB
- Done originally
Move wp-config.php*
- Won't this break the site?
.htaccess protect wp-config.php
- Will look into this. Do you have one online I can look at?
Lock file permissions
- I don't think I have server privileges to do this.
Prevent plugins from writing to wp-config.php and .htaccess
- again not sure about this one
Prevent folder content browsing (for images mostly, but also plugins)
- again not sure about this one
Use strong passwords for WP/FTP/SQL accounts
- Always
Use one-time passwords for WP/SQL/FTP/SSH accounts
- Not sure what one time means?
Thanks for these.
Sabby Sam comments:
Install the wp security plugin, you will have all options.
1.Hide login error messages ( it's present in the wp security plugin setting )
2. IP blocking* ( It's available in wp security plugin)
3.Move wp-config.php*
- Won't this break the site?
.htaccess protect wp-config.php
- Will look into this. Do you have one online I can look at?
Lock file permissions
- I don't think I have server privileges to do this.
Prevent plugins from writing to wp-config.php and .htaccess
- again not sure about this one
Prevent folder content browsing (for images mostly, but also plugins)
- again not sure about this one
Use strong passwords for WP/FTP/SQL accounts
Have a look into this plugin:
http://wordpress.org/plugins/better-wp-security/screenshots/
Sabby Sam comments:
Have a look into this article about wp-config outside the web root:
http://wordpress.stackexchange.com/questions/58391/is-moving-wp-config-outside-the-web-root-really-beneficial
and also this one
http://core.trac.wordpress.org/ticket/1038
If you use the better wp security plugin and hosting such as Bluehost or hostgator then you don't have to worry about hackers. We have 80% of the responsibility to secure our site as much as we can, and the rest depends upon the hosting.
Giri answers:
1) That guy is actually trying to crack your password using a bot. So use a highly secure password. Use mixed alphanumeric characters, numbers and definitely symbols in your password.
2) Install the wordfence plugin. It will email you if it finds any changes in your code.. http://wordpress.org/plugins/wordfence/
3) If possible create a different admin account. Change the role of your old admin account to author. Don't publish any content using your admin account.
4) And definitely do not use the username "admin".
That's all I have :)
Josh Cranwell comments:
Thanks Giri
1. I have done this
2. I tried this plugin last night but I cannot get the scan button to work. Which is sooo annoying. Can't figure out why it is not working.
3. I've created a new super admin administrator - but I can't delete the old one. Hmmm any ideas?
4. Got that
Giri comments:
To delete old account..
-> Login using your NEW admin account -> Users -> All users -> delete it from there.
Again, I highly recommend you create a new author account and assign the posts to that author while deleting your old account.
I'm not sure why wordfence is not working on your site. But believe it or not, that's one of the best wp security plugins I came across. That's why everyone gives a 5 star rating to that plugin. So try to make it work on your site.
Giri comments:
And by the way, Mark Maunder is the author of the wordfence plugin. He has written a great article about how he could hack into your website.
Read this one
http://markmaunder.com/2011/12/08/wordpress-security-ways-hack-wordpress-site/
Hariprasad Vijayan answers:
Hello,
Use the following plugin,
http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
Check everything mentioned in the plugin. It helps you to overcome the situation.
Hariprasad Vijayan comments:
Also check your server whether the hackers have uploaded any files in the server. Change your database, FTP credentials. Limit your file access permission.
Good luck.
Josh Cranwell comments:
I've done all this thanks
Limit your file access permission... I've checked all my permissions and they are good.
Hariprasad Vijayan comments:
Hope you solved the issues. Or still in trouble?
Josh Cranwell comments:
Well, I've used the WP Security plugin, which seems to be the best one I've used so far for general checks, and it blocks logins with a firewall. The problem with this is that the plugin is not optimised for multisite, as it does not have the settings in the network panel, which means you need to set the settings for each site.
And I'm in the green with the meter.
I seem to be safe; it's just that I would rather delete my old admin user. But you can't, so do you think I should just change the admin in the database users and user_meta tables?
Hariprasad Vijayan comments:
Hi,
I think there's no need to delete the old admin user. You can change the wp-admin URL using that plugin, so the hackers can't use a brute force attack to hack your website. Better change your wordpress admin credentials to ensure your security.
Good luck
MDan answers:
Hello Josh,
Additionally, follow these steps:
Also make a backup first, for safe keeping.
1. Install and activate this plugin:
http://wordpress.org/plugins/bulletproof-security/
For support refer to:
http://wordpress.org/support/plugin/bulletproof-security
2. Activate CloudFlare
See this: http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br
They have also a free plan you can use and the protection is automatic.
3. Edit your htaccess file like so:
Put this at the top of your htaccess file.
<files wp-config.php>
order allow,deny
deny from all
</files>
# Assumed target: the original block had no filename, which Apache rejects
# as a syntax error; wp-login.php is the file under attack in this thread.
<files wp-login.php>
order deny,allow
deny from all
allow from <insert your ip here>
</files>
More .htaccess security measures you can find here:
http://thematosoup.com/tips/wordpress-security-htaccess/
Josh Cranwell comments:
Thanks Dan.
Does this <files wp-config.php> .htaccess have to be in the same directory as the wp-config?
I have my install in a sub folder.
I will try this security plugin and check out cloudflare. I will let you know how I get on.
Luis Abarca answers:
Remember to move your wp-config.php to a parent folder of the public folder. Also install a plugin like [[LINK href="http://wordpress.org/plugins/login-lockdown/"]]http://wordpress.org/plugins/login-lockdown/[[/LINK]] or Wordfence to limit the attempts to crack your password.
Try to add a password for the /wp-admin section with an .htaccess file, and make your password longer with alphanumeric characters and special symbols.
The best way to keep WordPress secure is with a custom installation. I always move wp-config.php outside the public folder and move wp-content to another location; you can add an htaccess file to turn off PHP execution in that folder.
Josh Cranwell comments:
Hi Luis,
Sorry I did not get back to you on the last question.
Are you able to share a zipped example of how you do this?
Private message me a link. I can't get my head round exactly what you mean; it sounds good, but I'm just not sure, as my site is a network site running live and I don't wanna mess it up.
Thanks
Josh
Navjot Singh answers:
Since it's trying to log in repeatedly, one way is to allow only yourself to log in. If you have a connection with a static IP then add the following code to your .htaccess file:
<Files wp-login.php>
order deny,allow
deny from all
# replace 11.11.111.111 with your own static IP
allow from 11.11.111.111
</Files>
If you don't have a static IP, you can add additional password protection on the admin directory. Check [[LINK href="http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/"]]this post[[/LINK]] for how to do that.
Alternatively you can sign up for [[LINK href="https://www.cloudflare.com/plans"]]Cloudflare's free account[[/LINK]], which provides ample protection against brute force attacks like these.
As for the rest, from what I have read, you have added the salt and changed your admin account. This should do well in combination with the Limit Login Attempts plugin.
As an additional tip, always use SSH or SFTP to connect to your hosting's FTP account. Don't use plain FTP. Also change your hosting's passwords just as an extra measure. And stay alert.