WordPress security

Iceman1978 (Registered Member; joined Nov 15, 2013; messages: 80; reaction score: 7)
I received an email to say an attempted log in had been made on one of my WordPress blogs. It was obviously a hack attempt as I have not used this blog for a while. I have it sorted now but I'm wondering if there is a security thing I can use that updates my plugins and themes automatically. I have a security plugin on it but when I went to the blog it said it needed updated and I believe it is when a plugin needs updated that hackers can get in. But I have over 200 blogs and it can be very time consuming to keep checking them all for updates all the time.
 
I believe it is when a plugin needs updated that hackers can get in.

It's the other way round, someone finds an exploit in a plugin so they update it.

You can get plugins that allow you to manage all your blogs from one blog. I'm not sure what the best one is, that's something you'll have to figure out and let us know when you do.
 
Yes, keep all your security plugins up to date, but sometimes people may also try logging into your website by trying out different passwords.
 
Yes, keep all your security plugins up to date, but sometimes people may also try logging into your website by trying out different passwords.

You can avoid a brute force attack by using passwords like N(C#@4 &m"715jT from https://strongpasswordgenerator.com/

The amount of computing power it would take to crack that password makes it not worth trying.
 
If you are worried, you can always install a WordPress plugin called "login lockdown". This will prevent any brute force attempts.
 
This doesn't seem like a plugin exploit as your notification was an attempted login alert. I am assuming WordPress has some type of notification setting when a login is attempted. There are numerous ways you can help circumvent an attack depending on your programming knowledge and how active you are:

->Change the login directory
->Change the default admin login name from "admin" or "steve" to something as complicated as the password
->Use a 20+ character password with letters, numbers, characters etc.
->Completely remove the "login" folder from your server and only upload it when you are using it
->Block comment out the select SQL statement on the login page until you are ready to use it

These are just a few examples. I don't use wordpress but I use many of these practices on logins I use for websites I maintain. The more popular the site the more security I use.
 
I found that one of my WordPress sites was hacked and a payday link was added in there, and I was wondering why the website isn't ranking. I actually saw that link in the Google cache.

Right from that point I have added the security plugin iThemes Security. It has a lot of options like changing the admin ID and the wp-content folder, and quite many options like HerpDerp has said. You could do that with that plugin. Do give it a try.
 
Contact your hosting support and tell them to run a scan; it will detect the file to delete. If that does not work, open your hosting, go to the content folder of WP and check all the file names. You will find 2 files whose names are almost the same: one is the original and the other is the hacker's file, with just a small bit of code, meaning 3 or 4 lines. Change the name of the file but don't delete it, as that will harm your DB.
 
HerpDerpSlerp (great name by the way) is the comment you should listen to.

Here's an example of what he or she is talking about:

Site name: BuyExamples.com
Admin Login: GoshDarnItDoILoveToDanceInRain
Password: IsntItPrettyAwesomeWhenPeopleGoPlayOutside&YesItIs

^that would take a computer a MASSIVE amount of time to find.

You can also rename the /wp-admin/ folder or remove it until use (that requires FTPing/SSHing into your server). But web spiders can find any of your obfuscations.

Download WordFence Security.

For more read:
 
First step you should do:
Password protect /wp-admin/ directory

This way you will prevent multiple login attempts from bots and so on.

I received an email to say an attempted log in had been made on one of my WordPress blogs. It was obviously a hack attempt as I have not used this blog for a while. I have it sorted now but I'm wondering if there is a security thing I can use that updates my plugins and themes automatically. I have a security plugin on it but when I went to the blog it said it needed updated and I believe it is when a plugin needs updated that hackers can get in. But I have over 200 blogs and it can be very time consuming to keep checking them all for updates all the time.
 
I use Wordfence for this. You can set the number of failed login attempts to, let's say, 1. If a hacker tries to log in and the login is false, then the hacker would be blocked for a specific amount of time. This way it will become very hard for the hacker to brute-force the user name and password.
But in the first place: change the standard admin and choose a hard-to-guess password.
 
Login Lockdown and BulletProof Security do the trick for me. It also helps to rename the tables to something different from wp_ and change the URL where you log in from /wp-admin to something different. I think BulletProof can do this as well as the Better WP Security plugin.

As always, back up before you do anything.
 
I am using the BulletProof Security plugin. It does all the usual security tricks automatically, like renaming database prefixes, etc.
And of course update your WordPress often enough. Not like every time they have a new release but when you see something critical in update descriptions here https://wordpress.org/news/category/security/
 
In addition to Wordfence or whichever security plugin you use, also password protect the wp-admin directory through your cPanel as an additional layer of protection. You will have to sign in twice to access your login page, but since protecting my wp-admin this way, I have had ZERO login attempts.
 
Like others have said, Wordfence is an excellent security plugin to protect your blog and login page. Moreover, if you don't log in too often, it'll send you an email once a week notifying you which plugins/themes need to be updated and how many failed logins you have had. If you see too many, you can always tighten up your login settings. Mine, for example, will lock out anyone on the first attempt if they try to log in with an invalid user name or password.
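
The failed-login lockout setting discussed in the Wordfence posts above can be replayed over a web server access log to see which addresses it would have stopped; this is an added example, not part of the thread and not any plugin's own code. Assumptions: the log is in Apache/nginx "combined" format, a default WordPress login answers a failed POST to wp-login.php with 200 and a successful one with 302, the log lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (combined format, documentation-range IPs).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.9 - - [12/Mar/2024:10:00:{s:02d} +0000] '
     '"POST /wp-login.php HTTP/1.1" 200 4321 "-" "-"' for s in range(1, 7)]
    + ['198.51.100.7 - - [12/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "-"',
       '198.51.100.7 - - [12/Mar/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "-"',
       '198.51.100.7 - - [12/Mar/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"'])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def failed_logins(log_text):
    """Yield (timestamp, ip) for each failed login found in the log.

    Assumption: POST to wp-login.php with status 200 means the form was
    re-rendered after a bad password; 302 means a successful login.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?")[0].endswith("/wp-login.php"):
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def simulate_lockout(events, max_failures=3,
                     window=timedelta(minutes=5), lockout=timedelta(minutes=30)):
    """Return {ip: number of attempts the lockout rule would have rejected}."""
    recent = defaultdict(list)   # ip -> recent failure timestamps
    locked_until = {}            # ip -> end of current lockout
    blocked = defaultdict(int)
    for ts, ip in sorted(events):
        if ip in locked_until and ts < locked_until[ip]:
            blocked[ip] += 1     # attempt arrives while the IP is locked out
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_failures:
            locked_until[ip] = ts + lockout
            recent[ip] = []
    return dict(blocked)

if __name__ == "__main__":
    print(simulate_lockout(failed_logins(SAMPLE_LOG)))
    print(simulate_lockout(failed_logins(SAMPLE_LOG), max_failures=1))
```

With max_failures=1, the owner at 198.51.100.7 is also locked out after a single typo, which is the trade-off of the strictest setting.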
 
Hi Everyone
I just posted a blog here on BHW regarding WordPress security, please take a look. I hope it will be some help to you and others as well.
Thank you!
 