Need Security Advice for a Local Business

veheme

I have a friend who owns multiple businesses in a single niche in a major city in the US. Well, he has this ongoing problem of non-US traffic coming to his site by the thousands, as well as thousands of failed login attempts per day on his sites. I know this is from his competitor, as I have been helping him with SEO and I noticed some links were made from web properties owned by his competition, and the links had ADULT anchor texts (negative SEO).

To make a long story short, his site is constantly having problems due to hacks, errors, script changes and all sorts of this stuff. Right now, the only ones who know the website password are him and his brother-in-law, as compared to before, but these attacks are still coming in and some are successful.

He has Cloudflare already set up. His hosting is GoDaddy. What else do you guys recommend for protecting his site?

And he has just achieved top 3 rankings in both organic and local packs for hundreds of keywords, so we are pretty sure these attacks will keep on coming, if not get even stronger.

Thanks guys!
 
Maybe secure access to the login page with .htaccess? Similar to the plugins that help you secure your WordPress login.
 
Errors, script changes and all sorts of this stuff: if it's a WP site, the iThemes Security plugin will help with these. It will patch up some of the many security liabilities in WP.

Hacks: the same plugin will log each failed login attempt and temporarily IP-ban offenders. You can then review the log and make bans permanent.

Negative SEO: fill in Google's disavow form to disavow the adult links.
 
First of all, request that your hosting provider (Cloudflare) give you DDOS protection, if you don't have it. Their free security is good for stopping small attacks. But when you need more protection in the future, look into providers like KoDDos ( http://www.koddos.com/ ) or Vistnet ( http://www.vistnet.com/ ). When you feel like taking the final step of applying a security guard for your site, check out Sitelock ( https://www.sitelock.com/ ). Blocking IPs is not viable since the attacker might be using spoofed IPs, and it can generate false positives and block some of your legitimate users too.

PS: I am in no way connected to any of these sites. I am just making your search easier. Thanks.
 
It sounds like your friend is doing very well in regards to his business. However, it sounds like this is something that should be the responsibility of his webmaster. The best thing to do would be to get his webmaster to fix any coding errors on the website which are causing vulnerabilities.

Simple, eh? :P Well... so... if you say he doesn't have a webmaster, then I'm assuming he built the website himself, probably using something like WordPress, and part of using WordPress is that there are always going to be vulnerabilities. If that's the case, and his business is generating money/success, maybe it's time to put a little bit of money into a custom-built website.

Otherwise it's not the end of the world. You could follow some of the suggestions here about DDOS protection. Using .htaccess you can block out IPs from other countries. Do some coding on the site to automatically block IP addresses after so many failed attempts (or something that makes it obvious that they're a bot or something). I'm sure a lot of these are also part of WordPress plugins, so you don't have to do them manually.

You could also set up your login page so that only your IP address has access to it, i.e. only whitelisted IP addresses can access the login.

Some tricks we used to use back in the day with WordPress are:
1. Add an additional login screen to your login page using .htaccess password protection, and make sure all the passwords are impossible to guess by a brute-force attack. Don't use the default "admin" username!

2. Rename login pages to something unique, or even move them somewhere unique.

3. Rename your database table prefix away from the default "wp_". At least then, if they do find any vulnerabilities that have to do with SQL, they won't be finding the proper database tables.

4. Move the entire website into a subdirectory. For example, move all the files except .htaccess and index.php into a folder called "site". Update index.php to reference that "site" folder. The website will look and work exactly the same, except it's going to be confusing for bots and people that try to snoop your website. With this setup it looks like your website is installed in the root, and it is, sort of. Your index.php is going to be "including/requiring" files from the "site" folder. Bots and people snooping around are going to be expecting a URL structure like domain.com/wp-login or /wp-admin, /wp-content/, /wp-includes, etc. But in reality they have to go to domain.com/site/<folder/file name>.

Bear in mind, you would also have to do a quick tweak inside the database. The sky is the limit if you know programming and how WordPress functions. If you know what you are doing, you can change around other folder structures too and rename them.

Anyway, I hope this helps!
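An added example of the .htaccess approach suggested in the replies above (password-protect the login page, allow only whitelisted IPs to reach it); this is not code posted by anyone in the thread. The htpasswd path, the IP addresses, the extra user name and the Apache 2.4 `Require` syntax are assumptions for illustration; adjust them for the real host.

```apacheconf
# Gate WordPress's login endpoint behind two checks that run before any
# PHP executes, so brute-force POSTs never reach wp-login.php.
# Assumes Apache 2.4 (mod_authz_core / mod_authz_host / mod_auth_basic).
<Files "wp-login.php">
    # Check 1: HTTP Basic auth with a separate credential.
    # Create the file outside the web root (path is a placeholder):
    #   htpasswd -B -c /home/example/.htpasswd gatekeeper
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/home/example/.htpasswd"

    # Check 2: only allowlisted source addresses (placeholders) may even
    # attempt Basic auth. Both conditions must hold.
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.10 198.51.100.0/24
    </RequireAll>
</Files>

# xmlrpc.php also accepts username/password and is a common brute-force
# target; block it unless something (e.g. the mobile app, Jetpack) needs it.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

Two caveats a practitioner would want. First, with Cloudflare in front of the site, Apache sees Cloudflare's edge address as the client unless the real address is restored (mod_remoteip with `RemoteIPHeader CF-Connecting-IP` and Cloudflare's ranges as trusted proxies, a server-wide setting you usually cannot make from .htaccess on shared hosting); without that, an IP allowlist like the one above locks everyone out, and an IP denylist blocks no one. In that case do the IP and country restrictions in Cloudflare's own firewall rules and keep only the Basic-auth gate in .htaccess. Second, the Basic-auth password must be as strong as the WordPress one, since it now protects the same thing.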
 
Hi, you can try Swift Security. With this new plugin you can hide the fact that you are using WordPress. You can also hide the theme and plugin names. It has a built-in firewall, code scanner, etc. Only $19, with amazing support and lifetime updates. Read more at swiftsecurity.swte.ch
 
You should use physical devices to restrict the unwanted traffic.
 