
Wordpress security

Discussion in 'Black Hat SEO' started by Iceman1978, Jun 1, 2014.

  1. Iceman1978

    Iceman1978 Registered Member

    Joined:
    Nov 15, 2013
    Messages:
    68
    Likes Received:
    4
    Location:
    Kent,England
    I received an email to say an attempted login had been made on one of my WordPress blogs. It was obviously a hack attempt as I have not used this blog for a while. I have it sorted now but I'm wondering if there is a security thing I can use that updates my plugins and themes automatically. I have a security plugin on it but when I went to the blog it said it needed updating, and I believe it is when a plugin needs updating that hackers can get in. But I have over 200 blogs and it can be very time consuming to keep checking them all for updates all the time.
     
  2. pxoxrxn

    pxoxrxn Supreme Member

    Joined:
    Dec 21, 2011
    Messages:
    1,397
    Likes Received:
    2,066
    It's the other way round, someone finds an exploit in a plugin so they update it.

    You can get plugins that allow you to manage all your blogs from one blog. I'm not sure what the best one is, that's something you'll have to figure out and let us know when you do.
     
    • Thanks Thanks x 1
  3. jennyfromtheblock

    jennyfromtheblock Newbie

    Joined:
    Apr 25, 2014
    Messages:
    9
    Likes Received:
    0
    Yes, keep all your security plugins up to date, but sometimes people may also try logging into your website by trying out different passwords.
     
  4. pxoxrxn

    pxoxrxn Supreme Member

    Joined:
    Dec 21, 2011
    Messages:
    1,397
    Likes Received:
    2,066
    You can avoid a brute force attack by using passwords like N(C#@4 &m"715jT from https://strongpasswordgenerator.com/

    The amount of computing power it would take to crack that password makes it not worth trying.
     
    • Thanks Thanks x 2
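A worked version of the keyspace arithmetic behind post 4, added here as an example and not code from the thread. It classifies a password by the character classes it uses, computes the keyspace in bits, and converts that into search time under two assumed guess rates: 10 guesses per second against the live wp-login.php form, and one million per second against a stolen password hash. Both rates, the `human()` formatting and the sample passwords other than post 4's are assumptions for illustration; `passphrase_bits()` extends the same arithmetic to word-based passphrases, which an attacker who has the word list searches by words rather than by characters.

```python
"""Keyspace arithmetic behind post 4's claim that a password such as
N(C#@4 &m"715jT is not worth brute-forcing.

Added example, not code from the thread. The guess rates are assumptions
chosen to contrast two threat models: guessing against the live wp-login.php
form (network-bound) and guessing against a stolen hash (CPU/GPU-bound).
"""
import math
import string

# Character classes; once a password uses a class, an exhaustive search has
# to include the whole class in its alphabet.
CLASSES = (
    ("lower", set(string.ascii_lowercase)),      # 26
    ("upper", set(string.ascii_uppercase)),      # 26
    ("digit", set(string.digits)),               # 10
    ("symbol", set(string.punctuation + " ")),   # 32 + space = 33
)

ONLINE_GUESSES_PER_SEC = 10.0            # assumed: POSTs to wp-login.php
OFFLINE_GUESSES_PER_SEC = 1_000_000.0    # assumed: stolen salted, iterated hash


def alphabet_size(password: str) -> int:
    """Size of the union of the character classes the password draws from."""
    return sum(len(chars) for _, chars in CLASSES if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """log2 of the keyspace for a random password of this length and alphabet."""
    return len(password) * math.log2(alphabet_size(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Same measure for a passphrase of random dictionary words: an attacker
    who knows the word list searches words, not characters."""
    return word_count * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a keyspace of 2**bits at the given rate."""
    return 2.0 ** bits / guesses_per_second


def human(seconds: float) -> str:
    """Rough human-readable duration for the printed report."""
    year = 365.25 * 24 * 3600
    if seconds < 3600:
        return f"{seconds:.0f} s"
    if seconds < year:
        return f"{seconds / 3600:.1f} h"
    return f"{seconds / year:.3g} years"


def report(password: str) -> dict:
    """Alphabet, bits and exhaustive-search time under both assumed rates."""
    bits = entropy_bits(password)
    return {
        "alphabet": alphabet_size(password),
        "bits": bits,
        "online": human(seconds_to_exhaust(bits, ONLINE_GUESSES_PER_SEC)),
        "offline": human(seconds_to_exhaust(bits, OFFLINE_GUESSES_PER_SEC)),
    }


if __name__ == "__main__":
    # post 4's password, then two constructed weak ones for contrast
    for pw in ('N(C#@4 &m"715jT', "password", "Summer2014"):
        print(repr(pw), report(pw))
    print("4 random diceware words:", round(passphrase_bits(4, 7776), 1), "bits")
```

Run it and post 4's 15-character password comes out at about 98.5 bits, beyond any practical search at either rate, while an 8-letter lowercase word sits under 38 bits and is exhausted in a couple of days offline. The online figure is what a login-form attacker faces; the offline figure is why a leaked database backup still matters when the password policy is strong.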
  5. Axioms

    Axioms Junior Member

    Joined:
    May 16, 2014
    Messages:
    118
    Likes Received:
    110
    If you are worried, you can always install a wordpress plugin called "login lockdown". This will prevent any brute force attempts.
     
  6. HerpDerpSlerp

    HerpDerpSlerp Power Member

    Joined:
    Mar 19, 2013
    Messages:
    778
    Likes Received:
    623
    This doesn't seem like a plugin exploit as your notification was an attempted login alert. I am assuming WordPress has some type of notification setting when a login is attempted. There are numerous ways you can help circumvent an attack depending on your programming knowledge and how active you are:

    ->Change the login directory
    ->Change the default admin login name from "admin" or "steve" to something as complicated as the password
    ->use a 20+ character password with letters, numbers, characters, etc.
    ->completely remove the "login" folder from your server and only upload it when you are using it
    ->block comment out the select sql statement on the login page until you are ready to use it

    These are just a few examples. I don't use wordpress but I use many of these practices on logins I use for websites I maintain. The more popular the site the more security I use.
     
    • Thanks Thanks x 1
  7. RockstarSEO

    RockstarSEO Jr. VIP Jr. VIP Premium Member

    Joined:
    May 16, 2014
    Messages:
    465
    Likes Received:
    69
    I found that one of my WordPress sites was hacked and a payday link was added in there, and I was wondering why the website wasn't ranking. I actually saw that link in the Google cache.

    Right from that point I have added the security plugin iThemes Security. It has a lot of options like changing the admin ID and the wp-content folder, and quite a few more options like HerpDerp has said. You could do that with that plugin. Do give it a try.
     
  8. salmanseo982

    salmanseo982 Regular Member

    Joined:
    Jan 28, 2014
    Messages:
    465
    Likes Received:
    40
    Contact your hosting support and ask them to run a scan; it will detect a file to delete. If that doesn't work, open your hosting, go to the content folder of WP and check all the file names. You will find two files whose names are just about the same: one is the original, the other is the hacker's file with just a small bit of code, meaning 3 or 4 lines of code. Change the name of the file but don't delete it, as that will harm your DB.
     
  9. SavyCon

    SavyCon Regular Member

    Joined:
    Jun 25, 2012
    Messages:
    259
    Likes Received:
    86
    Location:
    Taha'a
    HerpDerpSlerp (great name by the way) is the comment you should listen to.

    Here's an example of what he or she is talking about:

    Site name: BuyExamples.com
    Admin Login: GoshDarnItDoILoveToDanceInRain
    Password: IsntItPrettyAwesomeWhenPeopleGoPlayOutside&YesItIs

    ^that would take a computer a MASSIVE amount of time to find.

    You can also rename the /wp-admin/ folder or remove it until use (that requires FTPing/SSHing into your server). But web spiders can find any of your obfuscations.

    Download WordFence Security.

    For more read:
     
  10. ButcherBoy

    ButcherBoy Regular Member

    Joined:
    Apr 3, 2009
    Messages:
    390
    Likes Received:
    79
    Location:
    Planet E.
    First step you should do:
    Password protect /wp-admin/ directory

    This way you will prevent multiple login attempts from bots and so on.

     
  11. roadhamster

    roadhamster Regular Member

    Joined:
    Mar 12, 2012
    Messages:
    300
    Likes Received:
    226
    I use wordfence for this. You can set the number of failed login attempts to, let's say 1. If a hacker tries to login and the login is false, then the hacker would be blocked for a specific amount of time. This way it will become very hard for the hacker to brute-force the user name and password.
    But in the first place: change the standard admin and choose a hard-to-guess password.
     
  12. michaelr1988

    michaelr1988 Regular Member

    Joined:
    Apr 25, 2011
    Messages:
    470
    Likes Received:
    307
    Location:
    UK
    Login Lockdown and BulletProof Security do the trick for me. It also helps to rename the tables to something different from wp_ and change the URL where you log in from /wp-admin to something different. I think BulletProof can do this, as well as the Better WP Security plugin.

    As always, back up before you do anything.
     
  13. silken

    silken Junior Member

    Joined:
    Apr 18, 2011
    Messages:
    112
    Likes Received:
    56
    I am using the BulletProof Security plugin. It does all the usual security tricks automatically, like renaming database prefixes, etc.
    And of course update your WordPress often enough. Not like every time they have a new release, but when you see something critical in the update descriptions here https://wordpress.org/news/category/security/
     
  14. harleyquinn

    harleyquinn Newbie

    Joined:
    Sep 20, 2014
    Messages:
    11
    Likes Received:
    6
    In addition to Wordfence or whichever security plugin you use, also password protect the wp-admin directory through your cpanel as an additional layer of protection. You will have to sign in twice to access your login page, but since protecting my wp-admin this way, I have had ZERO login attempts.
     
  15. bahus

    bahus Regular Member

    Joined:
    Jun 4, 2014
    Messages:
    228
    Likes Received:
    63
    Gender:
    Male
    Like others have said, Wordfence is an excellent security plugin to protect your blog and login page. Moreover, if you don't log in too often it'll send you an email once a week notifying you which plugins/themes need to be updated and how many failed logins you have had. If you see too many, you can always tighten up your login settings. Mine for example will lock out anyone on the first attempt if they try to log in with an invalid user name or password.
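The lockout behaviour posts 5, 11 and 15 describe, written out as an added example that is neither Login LockDown's nor Wordfence's code. `LoginGuard` counts failures per client IP, locks the IP once it reaches `max_failures` within `window` seconds, and can also lock on the first attempt with a username that does not exist (post 15's setting). The log format, the addresses and the username in `SAMPLE_LOG` are constructed for the example.

```python
"""Failed-login lockout of the kind posts 5, 11 and 15 describe.

Added example, not Login LockDown's or Wordfence's code. LoginGuard tracks
failures per client IP, locks the IP for `lockout` seconds once it reaches
`max_failures` within `window` seconds, and optionally locks on the first
attempt with a username that does not exist. It is replayed over constructed
log lines of the form '<unix ts> <ip> <username> <ok|fail>'.
"""
from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, known_users, max_failures=3, window=300,
                 lockout=900, lock_on_unknown_user=False):
        self.known_users = set(known_users)
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.lock_on_unknown_user = lock_on_unknown_user
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> unix time the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # lock expired, forget it
            del self.locked_until[ip]
            return False
        return True

    def _lock(self, ip, now):
        self.locked_until[ip] = now + self.lockout
        self.failures.pop(ip, None)          # start a fresh window after the lock

    def attempt(self, now, ip, user, password_ok):
        """Decide one login attempt: 'allowed', 'denied' or 'locked'."""
        if self.is_locked(ip, now):
            return "locked"
        if user not in self.known_users:
            if self.lock_on_unknown_user:    # post 15's setting
                self._lock(ip, now)
                return "locked"
            password_ok = False              # an unknown user can never log in
        if password_ok:
            self.failures.pop(ip, None)      # success clears the failure window
            return "allowed"
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.max_failures:
            self._lock(ip, now)
            return "locked"
        return "denied"


# Constructed sample log: a bot guessing 'admin' from 203.0.113.5, the real
# owner ('GoshDarnIt') logging in from elsewhere, and later the owner mistyping
# once from the bot's old address before getting it right.
SAMPLE_LOG = """\
1401631200 203.0.113.5 admin fail
1401631201 203.0.113.5 admin fail
1401631202 203.0.113.5 admin fail
1401631203 203.0.113.5 admin fail
1401631210 198.51.100.7 GoshDarnIt ok
1401632200 203.0.113.5 GoshDarnIt fail
1401632300 203.0.113.5 GoshDarnIt ok
"""


def replay(log_text, guard):
    """Feed each log line to the guard and return the list of decisions."""
    decisions = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        decisions.append(guard.attempt(int(ts), ip, user, result == "ok"))
    return decisions


if __name__ == "__main__":
    print("3 failures in 5 min:", replay(SAMPLE_LOG, LoginGuard({"GoshDarnIt"})))
    print("lock on unknown user:",
          replay(SAMPLE_LOG, LoginGuard({"GoshDarnIt"}, lock_on_unknown_user=True)))
    print("one strike:", replay(SAMPLE_LOG, LoginGuard({"GoshDarnIt"}, max_failures=1)))
```

Replaying the sample log with `max_failures=1` shows the cost of the one-strike setting: the owner's own typo from 203.0.113.5 locks the address, and the correct login 100 seconds later is refused as well. Two caveats for a real deployment: the counter keys on IP, so behind a CDN or reverse proxy it must read the real client address rather than the proxy's, or one bot locks out every visitor; and an attacker spreading guesses across many addresses stays under any per-IP threshold, which is why the strong password remains the control that actually matters.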
     
  16. sunny_clicks

    sunny_clicks Regular Member

    Joined:
    Jul 25, 2010
    Messages:
    244
    Likes Received:
    23
    Gender:
    Male
    Occupation:
    PPC Account Manager Buckdat Media
    Location:
    The Web
    Hi Everyone
    I just posted a blog here on BHW regarding WordPress security, please take a look. I hope it will be some help to you and others as well.
    Thank you!