Constant Weekly Hack Attempts

wolf3000

I am using shared hosting and one of my blogs gets regular hack attempts on a weekly basis. I get notifications almost every day that some jackass is trying to hack into my site and has been locked out.

I am running WordPress and have the following plugins for security:

Wordfence, Wp-hide my ip.

I also have Cloudflare as well.

I set my login attempt to be quite low, and also the lockout period to be several days long, hoping to deter people from attempting to try and get into my site, but it doesn't seem to have stopped them.

I've changed my default admin login URL to a hidden URL yet I am surprised that these people are still able to so easily find out my login page and attempt to hack into my site.

I believe my password is strong as it's quite a large password with various mixed symbols but it's quite annoying to be honest.

I was wondering if there was a way to prevent this from happening in the future?
 

SirSmash

Use 2FA and if you have a static IP you can whitelist your IP and deny everyone else access to the login page (obviously be careful with this, if your IP does change you'll be editing your MySQL database directly to fix it). Deny multiple attempts of any kind; if they can only try 3 times a day or whatever you set, and your password isn't in an existing word list, there's very little chance they ever get in. If they do, 2FA stops them at that point.

You're not going to stop the attempts, those are bots. Every single WordPress site I've had is almost immediately under attack. I'm actually surprised you're only getting weekly attempts, I usually get multiple attempts every hour.
 

Content Power

I get daily attempts on my WordPress sites and there’s not a lot you can do about them. Just make sure your security is always up to date (Wordfence is a good start) and they shouldn’t be able to get in.
 

Turbo B.

Is it not enough to use this in htaccess?

<files wp-login.php>
# set up rule order
order deny,allow
# default deny
deny from all
# replace xxx.xxx.xxx.xxx with your IP
allow from xxx.xxx.xxx.xxx
</files>
 

mntnrk

What does Wordfence - Live Traffic say?

I constantly received notifications that hackers try to access and modify xmlrpc.php, if I remember correctly, I just deleted it and hack attempts stopped. Also, I have changed wp-login to some random letters. Before making these changes I have received like 100 brute-force attempts every week, now down to zero.
 

wolf3000

Turbo B. said:
> Is it not enough to use this in htaccess?
>
> <files wp-login.php>
> # set up rule order
> order deny,allow
> # default deny
> deny from all
> # replace xxx.xxx.xxx.xxx with your IP
> allow from xxx.xxx.xxx.xxx
> </files>

What if you have a dynamic ip address or you travel often?
 

nakamura

Same here. Hundreds of hacking attempts every day. Especially from Ukraine, Russia, China and India. I guess all of them are bots, which are crawling the first page of Google and trying to log in with some random passwords.

2FA for the win. Captcha can also work. Block the IPs or whole countries (depending on what countries you are targeting).
 

Turbo B.

wolf3000 said:
> What if you have a dynamic ip address or you travel often?

You can block all IPs on the wp login page, and when you need to log in, connect to the server and disable this rule for your login for just a second. The browser will remember and stay logged in until you close it.
 

wolf3000

mntnrk said:
> What does Wordfence - Live Traffic say?
>
> I constantly received notifications that hackers try to access and modify xmlrpc.php, if I remember correctly, I just deleted it and hack attempts stopped. Also, I have changed wp-login to some random letters. Before making these changes I have received like 100 brute-force attempts every week, now down to zero.

It's all mainly bot traffic. Usually if I add in a specific login username that they tried before, the attacks would stop from that specific user until a new hacker shows up.

nakamura said:
> Same here. Hundreds of hacking attempts every day. Especially from Ukraine, Russia, China and India. I guess all of them are bots, which are crawling the first page of Google and trying to log in with some random passwords.
>
> 2FA for the win. Captcha can also work. Block the IPs or whole countries (depending on what countries you are targeting).

Yup, those are the main countries I get attacks from, followed by Romania, and the Netherlands, as well.

With 2FA what happens if you travel or you lose your phone? I got my phone stolen when I was on vacation one time. How would I be able to log back into my site in that case? Also can you block a whole country without subscribing to Wordfence premium?

Turbo B. said:
> You can block all IPs on the wp login page, and when you need to log in, connect to the server and disable this rule for your login for just a second. The browser will remember and stay logged in until you close it.

Is this something that I need to do on cPanel? I don't really know how to do this. I currently only whitelist my IP address on Wordfence.
 

SirSmash

wolf3000 said:
> What if you have a dynamic ip address or you travel often?

You can whitelist a range, or use a VPN with a static address.

You can also use .htaccess to password protect the page, but then you're basically just moving the problem in hopes that the bot gives up.

.htaccess file would have
AuthType Basic
AuthName "Protected Area"
AuthUserFile /homepages/xx/xxxxxxxxx/htdocs/[Ordner]/wp-admin/.htpasswd
require user [Username]

.htpasswd file would have
[Username]:[EncryptedPasswort]
You can easily generate the encrypted password yourself online. Enter the search term ".htpasswd generator" into a search engine.

[edit: With 2FA what happens if you travel or you lose your phone?

Well you lost the phone, not the phone number. You'd usually have SMS as a backup. And if everything else fails, during the setup process you get a list of master passwords to use if this happens. Keep that in a safe somewhere and you can use that master list to gain access again to change/update the phone. If you're real worried this happens while traveling, take the master password and circle letters in a book or something so you can find the password; or memorize one of the backups, or send the backup SMS to a Google voice number that forwards to your phone. Yeah, you won't have the phone, but you can get to Google voice and intercept from any computer.]
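
Added example, not part of any post in this thread: one .htaccess that combines the two suggestions above (an allowlisted range and a password on the login page) so that either one is enough, and that refuses xmlrpc.php at the web server rather than deleting the file. It assumes Apache 2.4 and a host that allows auth directives in .htaccess; the IP range and the .htpasswd path are placeholders.

```apache
# Added example: every address and path here is a placeholder,
# not a value taken from the thread.
# Assumes Apache 2.4 and a host that lets .htaccess set auth directives.

# Login page: a request is allowed if EITHER condition below holds.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Protected Area"
    # Placeholder path; point it at your own .htpasswd file.
    AuthUserFile "/path/to/.htpasswd"
    <RequireAny>
        # Placeholder range (documentation network).
        # Use your ISP's range or your VPN's static address instead.
        Require ip 203.0.113.0/24
        # Everyone else must pass HTTP Basic auth before
        # WordPress ever sees the login request.
        Require valid-user
    </RequireAny>
</Files>

# XML-RPC endpoint: refuse every request at the web server.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

Basic auth sends the password with every request, so serve the login page over HTTPS only. Denying xmlrpc.php also cuts off anything that relies on XML-RPC, such as remote publishing clients.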
 