WordPress Users, Secure yourselves!


tekiegreg

Recommended Posts

Getting sick of hackers getting at your WordPress blog?  Want the HawkHost support staff to enjoy speaking with you instead of a *sigh* and an "oh you again, who hacked you now?"  get this!

 

http://bit51.com/better-wp-security-3-4-9/

 

Installed this plugin, and it walked me through tons of basic stuff in securing my site.  Give the plugin owners a few dollars too. 

 

</shamelessplug>

Link to comment
Share on other sites

I'm running it, so far no complaints (other than having to remember my new admin url and username).  It's donation-ware, in that he asks for no money to run it, but if you like a few bucks are appreciated.

 

Has anyone tried to give this a run yet? The site also does not say if this plugin is free or paid. 

Link to comment
Share on other sites

I've used Better WP Security plugin for more than a year.  It does its job, and does it well.

 

It's important to use a security plugin.  If you look closely at traffic, attempts to break in are common.  More common on some sites than others, for reasons unknown to me.

 

We have regular attempts to crack our "admin" password using a wordlist.  Because of a compatibility issue between two plugins, I handle those with the "Limit Logon Attempts" plugin, but Better WP Security will do the same thing.

 

For example, we've had a distributed attack on our admin password today.  There have been more than 1,000 guesses so far, originating from a botnet with computers in places like Turkey, Phillipines, Japan, Indonesia, etc.  (Geographic comments based on my spot checking some IP addresses.  I didn't look them all up.)  Since I have the logon limiting plugin set to block the IP after only a few failures, the plugin is blocking their botnet IP by IP. 

 

We had a similar attack yesterday, beginning around 7 am and fading away in a few hours.  It started earlier today and lasted longer, but faded out by afternoon.  Although the attack today lasted longer, it was just as ineffectual.

 

Better WP Security does a good job of guiding you through ways to protect your WordPress site.  I use it on each of the three WordPress sites I manage.

Link to comment
Share on other sites

Interesting on my end, for the record my blog isn't very popoular (maybe 1,000 hits/month).  When you look through the bad logins, other than an occasional "Whoops" by me I only see the occasional other string of 5-6 bad logins by a single address and that's it.  I take it that's some kiddie looking for an easy score trying default passwords.

Link to comment
Share on other sites

tekiegreg are you using Cloudflare by any chance? I know they do a lot of automatic filtering for known malicious IPs/hosts so that may explain it.

 

That said we are constantly seeing attempts at people trying to bruteforce wp-admin logins. We block what we can but it is still important to have strong (10 character minimum, alphanumeric with symbols, unique) passwords and make sure your software is up to date. I can't even begin to explain how much of my day is taken up by helping customers who were compromised either due to a bruteforced password or running outdated WP versions. Sadly we still have folks running the 2.9.X branch :unsure:

Link to comment
Share on other sites

Never did sign up for CloudFlare, note to self, research and maybe implement. 

 

Well now, not only is my password super tight, but you'd have to guess my new wp-admin url and my new admin username as well.  Makes it all that much harder...

 

 

tekiegreg are you using Cloudflare by any chance? I know they do a lot of automatic filtering for known malicious IPs/hosts so that may explain it.

 

That said we are constantly seeing attempts at people trying to bruteforce wp-admin logins. We block what we can but it is still important to have strong (10 character minimum, alphanumeric with symbols, unique) passwords and make sure your software is up to date. I can't even begin to explain how much of my day is taken up by helping customers who were compromised either due to a bruteforced password or running outdated WP versions. Sadly we still have folks running the 2.9.X branch :unsure:

Link to comment
Share on other sites

  • 9 months later...
  • 4 weeks later...
  • 3 weeks later...
  • 2 months later...
  • 2 years later...
  • 2 weeks later...
  • 2 years later...

I'm going to bring this zombie thread back up to the top, with one of the more popular sites I have here at Hawkhost, I've not only noticed an increase in the amount of hack attempts on our site, but the sophistication level as well.  Password brute force attempts seem more systematic, using data that they'd have to glean from elsewhere about our organization, suggesting that humans are behind this stuff now too, not just mere bots.  For example users personal data has been found in password attempts, that would not have been anywhere on the site.  When quizzed, targeted end users weren't involved/had no idea where bad guys would have got this data.

Wordpress now has pro plugins that allow for 2 factor authentication.  I'd say this is a good investment at this time.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...