Constant Weekly Hack Attempts

I am using shared hosting and one of my blogs gets regular hack attempts on a weekly basis. I get notifications almost everyday that some jackass is trying to hack into my site and has been locked out.

I am running Wordpress and have the following plugins for security:

Wordfence, Wp-hide my ip.

I also have cloudflare as well.

I set my login attempt to be quite low, and also the lockout period to be several days long, hoping to deter people from attempting to try and get into my site, but it doesn't seem to have stopped them.

I've changed my default admin login URL to a hidden URL yet I am surprised that these people are still able to so easily find out my login page and attempt to hack into my site.

I believe my password is strong as it's quite a large password with various mixed symbols but it's quite annoying to be honest.

I was wondering if there was a way to prevent this from happening in the future?

Use 2FA and if you have a static IP you can whitelist your IP and deny everyone else access to the login page (obviously be careful with this, if your IP does change you'll be editing your MySQL database directly to fix it). Deny multiple attempts of any kind; if they can only try 3 times a day or whatever you set, and your password isn't in an existing word list, there's very little chance they ever get in. If they do, 2FA stops them at that point.

You're not going to stop the attempts, those are bots. Every single WordPress site I've had is almost immediately under attack. I'm actually surprised you're only getting weekly attempts, I usually get multiple attempts every hour.

I get daily attempts on my Wordpress sites and there’s not a lot you can do about them. Just make sure your security is always up to date (Wordfence is a good start) and they shouldn’t be able to get in.

It is not enough to use this in htaccess ? :

<files wp-login.php>
# set up rule order
order deny,allow
# default deny
deny from all
allow from xxx.xxx.xxx.xxx ---> your IP
</files>

What does Wordfence - Live Traffic says?

I constantly received notifications that hackers try to access and modify xmlrpc.php, if I remember correctly, I just deleted it and hack attempts stopped. Also, I have changed wp-login to some random letters. Before making these changes I have received like 100 brute-force attempts every week, now down to zero.

Smeklinis said:

It is not enough to use this in htaccess ? :

<files wp-login.php>
# set up rule order
order deny,allow
# default deny
deny from all
allow from xxx.xxx.xxx.xxx ---> your IP
</files>

Click to expand...

What if you have a dynamic ip address or you travel often?

Same here. Hundreds of hacking attempts every day. Especially from Ukraine, Russia, China and India. I guess all of them are bots, which are scrawling the first page of Google and trying to login with some random passwords.

2FA for the win. Captcha can also work. Block the IPs or whole countries (depending on what countrys you are targeting)

wolf3000 said:

What if you have a dynamic ip address or you travel often?

Click to expand...

You can block all IPs on wp login page, and when you need to login, connect to server and disable this rule for your login for just a second. Browser will remember and stays logged in until you close it.

mntnrk said:

What does Wordfence - Live Traffic says?

I constantly received notifications that hackers try to access and modify xmlrpc.php, if I remember correctly, I just deleted it and hack attempts stopped. Also, I have changed wp-login to some random letters. Before making these changes I have received like 100 brute-force attempts every week, now down to zero.

Click to expand...

It's all mainly bot traffic. Usually if I add in a specific login username that they tried before, the attacks would stop from that specific user until a new hacker shows up.

nakamura said:

Same here. Hundreds of hacking attempts every day. Especially from Ukraine, Russia, China and India. I guess all of them are bots, which are scrawling the first page of Google and trying to login with some random passwords.

2FA for the win. Captcha can also work. Block the IPs or whole countries (depending on what countrys you are targeting)

Click to expand...

Yup, those are the main countries I get attacks from, followed by Romania, and the Netherlands, as well.

With 2FA what happens if you travel or you lose your phone? I got my phone stolen when I was on vacation one time. How would I be able to login back into my site in that case? Also can you block a whole country without subscribing to wordfence premium?

Smeklinis said:

You can block all IPs on wp login page, and when you need to login, connect to server and disable this rule for your login for just a second. Browser will remember and stays logged in until you close it.

Click to expand...

Is this something that I need to do on cpanel? I don't really know how to do this. I currently only whitelist my ip address on wordfence.

wolf3000 said:

What if you have a dynamic ip address or you travel often?

Click to expand...

You can whitelist a range, or use a VPN with a static address.

You can also use .htaccess to password protect the page, but then you're basically just moving the problem in hopes that the bot gives up.

.htaccess file would have
AuthType Basic
AuthName "Protected Area"
AuthUserFile /homepages/xx/xxxxxxxxx/htdocs/[Ordner]/wp-admin/.htpasswd
require user [Username]

.htpasswd file would have
[Username]:[EncryptedPasswort]
You can easily generate the encrypted password yourself online. Enter the search term ".htpasswd generator" into a search engine

[edit: With 2FA what happens if you travel or you lose your phone?

Well you lost the phone, not the phone number. You'd usually have SMS as a backup. And if everything else fails, during the setup process you get a list of master passwords to use if this happens. Keep that in a safe somewhere and you can use that master list to gain access again to change/update the phone. If you're real worried this happens while traveling, take the master password and circle letters in a book or something so you can find the password; or memorize one of the backups, or send the backup SMS to a Google voice number that forwards to your phone. Yeah, you won't have the phone, but you can get to Google voice and intercept from any computer.]