Membership is FREE, giving all registered users unlimited access to every Acorn Domains feature, resource, and tool! Optional membership upgrades unlock exclusive benefits like profile signatures with links, banner placements, appearances in the weekly newsletter, and much more - customized to your membership level!
Sedo Global Domain Report

Wordpress access attempts

Status
Not open for further replies.
Admin

Admin

Administrator
Staff member
Joined
Jun 14, 2004
Posts
11,076
Reaction score
962
My Wordpress sites are constantly under attack from people trying to log in as admin.

DO NOT use any of these usernames for your admin account;
aaa
adm
admin
admin1
administrator
manager
qwerty
root
support
sysadmin
test
user

I am seeing attempts with these from all over the world so there must be some WP hacker tool that cycles through these by default.

I install WordFence and set it to block invalid usernames so when they try any of these they get blocked at the same time and I get an email alert. I had 500 alerts from one site alone yesterday.

Admin
 
Yep - same story here.

But as you rightly say Wordfence is a handy plugin for dealing with these attempted logins... the number of email alerts due to those logins can be a pain though ;)
 
Haven't used Wordpress myself for a few years but security through obscurity, aka renaming the path to your admin login should also work, right?
 
I have just limited my admin page to my ISPs IP range, as one of my major security fixes. This cut the number of invalid login attempts down to 1-2 a week from 20+ of them.

Login Attempt Limits work well too, lock out account for 90 minutes after 2 wrong attempts, then lockout for 5 days after 2 short lockouts so 4 attempts over 2 hours and its 5 day kill.
 
Login Lockdown is also an effective straightforward plugin to prevent these kind of attacks. It records the IP address of all failed login attempts and you can set a limit of how many attempts are possible from a specific IP before it blocks that address for a set period of time (I believe the default is 3 attempts and a block of one hour)

http://wordpress.org/plugins/login-lockdown/

NB: Ignore the fact that in the plugin directory it says it hasn't been updated for 2 years - it works perfectly with current version of Wordpress. (Was recommended it by someone from Ithemes who stressed the lack of an updated version is simply because the code is rock solid and doesn't actually require updating)

One slightly annoying thing is that it puts a "protected with Login Lockdown" style ad on your login page however you can remove this by adding the following code to functions.php once you've installed it

remove_action('login_form', 'll_credit_link');
 
Also....As Admin said using an obvious user account name is a definite no-no but whichever name you choose it's probably also a good idea to create at least two separate accounts - one which you solely use for administrative backend purposes (and never post with) and another one for posting.

If you also use your main admin account name (Joe Bloggs or whatever) for posting then the hackers are going to have access to your login name anyway on the links in your posts. (Even if you specify a "nickname" in Settings>General to display on your posts I believe I'm right in saying the actual account name still displays in certain circumstances, ie when links for the author page are hovered over)

I generally tend to have a separate account for all posting activity. With this posting account I limit the access rights to contributor or editor which would limit the damage possible if anyone guessed the login.
 
My wordpress administrator account seems to prevent the name being changed, it is greyed out, but surely even if they access the wp-admin screen, they would still need the password???
 
My wordpress administrator account seems to prevent the name being changed, it is greyed out, but surely even if they access the wp-admin screen, they would still need the password???
Click to expand...

Download better wp security

There are some quality functions in this plugin, and allows you to change the admin username, change the admin id from the default, Change table prefixes as well as loads of other things.
 
ian-d said:
My wordpress administrator account seems to prevent the name being changed, it is greyed out, but surely even if they access the wp-admin screen, they would still need the password???
Click to expand...

They would yes but in theory you're making hacking easier for them if they already have one known variable.

As Suggys suggests you could use Better WP Security. You could also simply create a new (secret) user account with full admin privileges and start using that for all backend purposes, keep posting with the account you already use but restrict the privileges on it (ie downgrade it to author/ contributor etc)
 
stellar73 said:
Login Lockdown is also an effective straightforward plugin to prevent these kind of attacks. It records the IP address of all failed login attempts and you can set a limit of how many attempts are possible from a specific IP before it blocks that address for a set period of time (I believe the default is 3 attempts and a block of one hour)

http://wordpress.org/plugins/login-lockdown/

NB: Ignore the fact that in the plugin directory it says it hasn't been updated for 2 years - it works perfectly with current version of Wordpress. (Was recommended it by someone from Ithemes who stressed the lack of an updated version is simply because the code is rock solid and doesn't actually require updating)

One slightly annoying thing is that it puts a "protected with Login Lockdown" style ad on your login page however you can remove this by adding the following code to functions.php once you've installed it

remove_action('login_form', 'll_credit_link');
Click to expand...

WordFence has this plus allows you to decide how many login attempts, block for how long and the main one I use, immediately block unknown usernames.
 
Limit login attempts is also a decent plugin. Some of the 1click installs deploy it as standard in an install so a trusted one.
 
Just an idea, but if no one else needs to log into your wordpress site (ie, its not one with subscribed users). For a bit more added security could the admin folder not be password protected. hackers would then need to crack that password before they can even think about the actual wordpress login.
 
I'm in the process of moving one of my large wordpress sites to a new server, more as a learning process but also to split it from other critical sites. All seems fine but wondering, from purely a security aspect, would you install the files in the root folder, or a separate subfolder and then simply change the url location in the control panel? Will this help reduce attacked because the wp-login won't in the root?
 
Status
Not open for further replies.

Similar threads

it.com
it.com How To Launch a Website for an IT Startup: A 3-Step Guide
Replies
0
Views
213
it.com
it.com
it.com
it.com DNS Abuse: Types and Countermeasures
Replies
0
Views
247
it.com
it.com
it.com
it.com Why Is Your Website Traffic Down? 5 Ways To Analyze And Fix Traffic Drops
Replies
0
Views
229
it.com
it.com
Acorn Newsbot
UK public sector protected from up to £223 million annual loss by PDNS cyber security solution
Replies
0
Views
653
Acorn Newsbot
Acorn Newsbot
Acorn Newsbot
Blocking Online Data Theft with DNS-based Cyber Security
Replies
0
Views
296
Acorn Newsbot
Acorn Newsbot
Domain Summit Europe 2025

The Rule #1

Do not insult any other member. Be polite and do business. Thank you!

Members online

Total: 278 (members: 12, guests: 266)
IT.com

Premium Members

Sedo Global Domain Report
Aucdom Auctions
Catch Club
dot Hiphop

Latest Comments

Upcoming events

New Threads

Domain Forum Friends

DNForum
ConsultDomain.de
Domaineforum.fr
Domainforum.ro
DN.ca
DomainFragen.de
Inforum.in

Our Mods' Businesses

DomainUI Mod
*the exceptional businesses of our esteemed moderators
General chit-chat
Help Users
  • No one is chatting at the moment.
      There are no messages in the current room.
      Top Bottom