1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Need Security Advice for a Local Business

Discussion in 'Blogging' started by veheme, Feb 21, 2015.

  1. veheme

    veheme Elite Member

    Joined:
    Jan 18, 2012
    Messages:
    3,341
    Likes Received:
    1,060
    I have a friend who owns a multiple businesses in a single niche in a major city in the US. Well, he has this on-going problem about non-US traffic coming in his site by the thousands as well as thousands of failed login attempts per day in his sites. I know this is from his competitor as I have been helping him in SEO and I noticed some links were made from web properties owned by his competition and the links had ADULT anchor texts (negative SEO).

    To make the long story short, his site is constantly having problem due to hacks, errors, script changes and all sorts of these stuff. Right now, the only ones who know the website password is him and his bro in law as compared to before but still these attacks are coming in and some are successful.

    He has cloudflare already setup. His hosting is GoDaddy. What else do you guys recommend in protecting his site?

    And he had just achieved top 3 rankings both organic and local packs for hundreds of keywords so we are pretty sure these attacks will keep on coming, if not, even get stronger.

    Thanks guys!
     
  2. guillaumemcom

    guillaumemcom Registered Member

    Joined:
    Jan 16, 2015
    Messages:
    86
    Likes Received:
    70
    Maybe a secure access to the login page with the .htaccess ? Similar to the plugins that help you secure your wordpress login.
     
  3. chickensalad

    chickensalad Registered Member

    Joined:
    Jun 11, 2014
    Messages:
    89
    Likes Received:
    24
    Location:
    UK
    Errors, script changes and all sorts of these stuff - if it's a wp site, the iThemes Security plugin will help with these. It will patch up some of the many security liabilities in WP.

    Hacks - the same plugin will log each failed login attempt and temporarily IP ban offenders. You can then review the log and make bans permanent.

    Negative SEO - fill Google disavow forms to disavow the adult links.
     
  4. allaccountssale

    allaccountssale BANNED BANNED

    Joined:
    Feb 22, 2015
    Messages:
    15
    Likes Received:
    0
    Use firewall to block out complete IP ranges may be whole country.
     
  5. kbklash

    kbklash Senior Member

    Joined:
    Jun 2, 2012
    Messages:
    1,140
    Likes Received:
    449
    Location:
    in my BMW to my BHW
    Home Page:
    First of all,request your hosting provider(Cloudflare) to give you DDOS protection,if you don't have one.Their Free security is good for stopping small kind of attacks.But when you need more protection in future ,look into providers like KoDDos( http://www.koddos.com/ ) OR Vistnet( http://www.vistnet.com/ ) . When you feel like to take the final step of applying a security guard for your site ,Check out Sitelock ( https://www.sitelock.com/ ).Blocking IP is not viable since,attacker might be using spoofed IPs and it can generate false positives and block some of your legitimate users also.

    ps: i am no way connected to any of these sites.I am just making your search easier.Thanks
     
  6. TimothyEyton

    TimothyEyton Junior Member

    Joined:
    Dec 30, 2013
    Messages:
    129
    Likes Received:
    63
    It sounds like your friend is doing very well in regards to his business. However, it sounds like this is something that should be the responsibility of his Webmaster. The best thing to do would be to get his Webmaster to fix any coding errors on the website which are causing vulnerabilities.

    Simple eh? :p Well... so... if you say he doesn't have a Webmaster. Then... I'm assuming he built the website himself, probably using something like Wordpress, and part of using Wordpress is that there's always going to be vulnerabilities. If that's the case, and his business is generating money/success, maybe it's time to put a little bit of money into a custom built website.

    Otherwise it's not the end of the world. You could follow some of the suggestions here about DDOS protection. Using .htaccess you can block out IPs from other countries. Do some coding on the site to automatically block IP addresses after so many failed attempts (or something that makes it look obvious that they're a bot or something). I'm sure a lot of these are also a part of Wordpress plugins so you don't have to do them manually.

    You could also setup your login page so that only your IP address has access to it. Like only whitelisted IP addresses can access the login.

    Some tricks we used to use back in the day with Wordpress are:
    1 Adding an additional login screen to your login page using .htaccess password protection and make sure all the passwords are impossible to guess by a brute for attack. Don't use the default "admin" username!

    2. Rename login pages to something unique, or even somewheres unique.

    3. Rename your database tables prefix away from the default "wp_". Atleast then if they do find any vulnerabilities that have to do with SQL, they won't be finding the proper database tables.

    4. Move the entire website into a subdirectory. Like for example, move all the files except .htaccess and index.php into a folder called "site". Update the index.php to reference to that "site" folder. The website will look and work the exact same, except it's going to be confusing for bots and people that try to snoop your website. With this setup it looks like your website is installed in the root, and it is sort of. Your index.php is going to be "including/requiring" files from the "site" folder. Bots and people snooping around are going to be expecting a URL structure like domain.com/wp-login or /wp-admin,/wp-content/,/wp-includes, etc. But in reality they have to go to domain.com/site/<folder/file name>.

    Bare in mind, you would also have to do a quick tweak inside the database. The sky is the limit if you know programming and how Wordpress functions. If you know what you are doing you can change around other folder structures too and rename them.

    Anyways, I hope this help!
     
    Last edited: Feb 26, 2015
  7. teamswte

    teamswte Newbie

    Joined:
    Mar 4, 2015
    Messages:
    1
    Likes Received:
    0
    Hi, you can try Swift Security. With this new plugin you can hide the fact that you are using wordpress. You can also hide the theme, plugin name. It has built-in firewall, code scanner, etc. Only $19 with amazing support and lifetime updates. Read more at swiftsecurity.swte.ch
     
  8. saltedweb

    saltedweb Junior Member

    Joined:
    Aug 9, 2014
    Messages:
    118
    Likes Received:
    2
    u should use physical devices to restrict the unwanted traffic.......