tekiegreg

WordPress Users, Secure yourselves!


Getting sick of hackers getting at your WordPress blog? Want the HawkHost support staff to enjoy speaking with you instead of a *sigh* and an "oh you again, who hacked you now?" Get this!

 

http://bit51.com/better-wp-security-3-4-9/

 

Installed this plugin, and it walked me through tons of basic stuff in securing my site.  Give the plugin owners a few dollars too. 

 

</shamelessplug>


I'm running it, so far no complaints (other than having to remember my new admin URL and username). It's donation-ware, in that he asks for no money to run it, but if you like it, a few bucks are appreciated.

 

Has anyone tried to give this a run yet? The site also does not say if this plugin is free or paid. 


I've used Better WP Security plugin for more than a year.  It does its job, and does it well.

 

It's important to use a security plugin.  If you look closely at traffic, attempts to break in are common.  More common on some sites than others, for reasons unknown to me.

 

We have regular attempts to crack our "admin" password using a wordlist.  Because of a compatibility issue between two plugins, I handle those with the "Limit Logon Attempts" plugin, but Better WP Security will do the same thing.

 

For example, we've had a distributed attack on our admin password today. There have been more than 1,000 guesses so far, originating from a botnet with computers in places like Turkey, the Philippines, Japan, Indonesia, etc. (Geographic comments based on my spot checking some IP addresses. I didn't look them all up.) Since I have the logon limiting plugin set to block the IP after only a few failures, the plugin is blocking their botnet IP by IP.

 

We had a similar attack yesterday, beginning around 7 am and fading away in a few hours.  It started earlier today and lasted longer, but faded out by afternoon.  Although the attack today lasted longer, it was just as ineffectual.

 

Better WP Security does a good job of guiding you through ways to protect your WordPress site.  I use it on each of the three WordPress sites I manage.
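A replay of the per-IP lockout rule described in this post, plus a second check for the distributed pattern it mentions (one username hit from many addresses), which per-IP limiting alone does not surface. This is an added Python example, not code from the thread or from either plugin; the record format and the addresses in SAMPLE_LOG are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed "timestamp|client_ip|username|result" records; not real data from this thread.
SAMPLE_LOG = """\
2013-04-12 07:00:01|198.51.100.7|admin|fail
2013-04-12 07:00:04|198.51.100.7|admin|fail
2013-04-12 07:00:09|198.51.100.7|admin|fail
2013-04-12 07:01:30|203.0.113.10|admin|fail
2013-04-12 07:01:41|203.0.113.11|admin|fail
2013-04-12 07:01:52|203.0.113.12|admin|fail
2013-04-12 07:02:03|203.0.113.13|admin|fail
2013-04-12 07:05:00|192.0.2.44|greg|fail
2013-04-12 07:05:20|192.0.2.44|greg|ok
"""

def parse_events(text):
    """Return (datetime, ip, user, failed) tuples from the pipe-separated records."""
    events = []
    for ts, ip, user, result in (line.split("|") for line in text.splitlines()):
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, user, result == "fail"))
    return events

def replay(events, max_failures=3, window=timedelta(minutes=15), lockout=timedelta(hours=1)):
    """Per-IP limiter in the Limit-Login-Attempts style: an address is locked out once it
    has max_failures failures inside a sliding window. Returns {ip: lockout_expiry}."""
    recent, locked = defaultdict(deque), {}
    for when, ip, _, failed in events:
        if when < locked.get(ip, when):
            continue                                   # lockout still active: attempt rejected
        q = recent[ip]
        while q and when - q[0] > window:              # forget failures that fell out of the window
            q.popleft()
        if not failed:
            q.clear()                                  # a successful login resets the counter
        else:
            q.append(when)
            if len(q) >= max_failures:
                locked[ip] = when + lockout
                q.clear()
    return locked

def distributed_targets(events, min_ips=4):
    """Usernames failed against from >= min_ips distinct IPs (a botnet staying under the per-IP limit)."""
    sources = defaultdict(set)
    for _, ip, user, failed in events:
        if failed:
            sources[user].add(ip)
    return {user: len(ips) for user, ips in sources.items() if len(ips) >= min_ips}
```

With the sample data only the address that retried three times gets locked out, while the four single-shot addresses never trip the limiter; only the per-username view shows that "admin" is being worked from five hosts.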


Interesting on my end; for the record my blog isn't very popular (maybe 1,000 hits/month). When you look through the bad logins, other than an occasional "whoops" by me, I only see the occasional string of 5-6 bad logins by a single address and that's it. I take it that's some kiddie looking for an easy score trying default passwords.


tekiegreg are you using Cloudflare by any chance? I know they do a lot of automatic filtering for known malicious IPs/hosts so that may explain it.

 

That said we are constantly seeing attempts at people trying to bruteforce wp-admin logins. We block what we can but it is still important to have strong (10 character minimum, alphanumeric with symbols, unique) passwords and make sure your software is up to date. I can't even begin to explain how much of my day is taken up by helping customers who were compromised either due to a bruteforced password or running outdated WP versions. Sadly we still have folks running the 2.9.X branch :unsure:


Never did sign up for CloudFlare, note to self, research and maybe implement. 

 

Well now, not only is my password super tight, but you'd have to guess my new wp-admin url and my new admin username as well.  Makes it all that much harder...



Is a plugin really necessary for making my WordPress site secure? I couldn't tell you if anyone has tried to hack me yet, but I know I get spam comments a lot on posts... which has led me to turning comments off... I'm also wary of adding too many plugins.
