Your WP website is under attack

Bed & Breakfast / Short Term Rental Host Forum


Morticia

We discussed this years ago when the attacks became abundantly prevalent. It's good to check in now and again as we have many, many new members. If you are building your website using WordPress one of the first things you should do is change the default login id of 'admin' to something else. What not to change it to - your domain name. IE - if your domain name is 'wonderfulbedandbreakfast' that should not be your login name. It should also not be your name (that info can be found using 'whois' and is an easy guess by spammers).
Another website I take care of has a plug-in that tracks (and defends against) these sorts of login attempts. In the past 2 weeks 'admin' has been used 100 times to attempt to gain access to the website. The domain name has been used once.
Something else to keep in mind as you build that lovely website!
A serious password is something else to work on. Use whatever is allowed - caps & lower case, numbers, punctuation - mix it up.
'Admin'-'password' is the absolute worst combo. You can do better than that!
 
hmmm ... I can't change my login name ... I guess I will have to talk with the folks who provide backend support for the site I use that is wp
 
I use LastPass to keep totally random passwords. I also like to have passwords that are an odd number of characters as people tend to like even numbers more than odd numbers for some reason. So my passwords look like: hW#w4%we^K%SF
I end up paying $12 a year to have LastPass on my mobile, but otherwise nothing for my PC. And I only have to remember the password for my LastPass, which is a long sentence. Easy enough for me to remember, but hard enough to keep anyone else out.
 
I use LastPass also, mostly on the desktop but occasionally comes in handy on the phone, too. It's so good to have it remember not just passwords, but usernames and URLs too.
 
Gen, I hope you just didn't post the real one. I would edit it now, even if it's not.
 
A good plugin to use is Wordfence: https://wordpress.org/plugins/wordfence/
Other than that, there are a couple of manual actions to be taken, such as restrictions via .htaccess. Through it you can implement some security measures even before a page is called, be it WP or not.
And of course many people forget that securing just your website is not enough. If you have a weak email or FTP password, then access can be gained without much "hacking".
Oh and one last thing: secure your Amazon accounts, as in the last couple of years many people (even security experts) fell victim to social hacking via their Amazon accounts.
 
I agree. I use Wordfence on all sites. It also helps speed up load time of a site.
 
Putting the /wp-admin/ behind HTTP authentication almost completely denies bad intentions.
Something about it here: http://www.wpwhitesecurity.com/wordpress-security-hacks/securing-wordpress-wp-admin-htaccess/
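
The HTTP authentication described in the post above, as an added example that is not part of the original thread. It assumes Apache 2.4 with `AllowOverride AuthConfig` enabled and the site served over HTTPS (Basic auth credentials are only base64-encoded); the password-file path and realm name are placeholders.

```apache
# ---- File 1: /wp-admin/.htaccess ----
# Ask for a second username/password before any WordPress admin page is served.
# Create the password file once with:  htpasswd -c /home/example/.htpasswd-wpadmin someuser
AuthType Basic
AuthName "Restricted"
# Placeholder path: keep this file outside the web root so it cannot be downloaded.
AuthUserFile /home/example/.htpasswd-wpadmin
Require valid-user

# admin-ajax.php is requested on behalf of ordinary visitors by many themes
# and plugins; leave it reachable or front-end features will prompt for a login.
<Files "admin-ajax.php">
    Require all granted
</Files>

# ---- File 2: add to the .htaccess in the site root ----
# wp-login.php lives in the site root, not in /wp-admin/, so the rule above
# does not cover it. This block puts the login form behind the same prompt.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /home/example/.htpasswd-wpadmin
    Require valid-user
</Files>
```

Use a username and password here that differ from the WordPress login, so automated guesses against 'admin' fail at the web server before WordPress is ever reached.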
 
OK, so I just installed WordFence and attempted to run the scan. It stopped saying it reached a fork and cannot continue. It doesn't say where or how to fix it. Any ideas?
 
Another question: I'm looking at a live traffic report that shows bot attempts (not humans) to find pages that all end in /feed/. What does that mean?
I thought I understood that to mean those pages (with /feed/ at the end) had been bookmarked but these are errors showing 'page not found'. The page exists, but not with /feed/ in the URL.
 
On a whole other note - creepy! I'm looking at the stats trying to figure out what all these live traffic things mean and up popped one from a nearby state. Then the phone rang. And the person asked for the room that showed up in the live traffic. I'm closing that window down now. That was too weird. Too Big Brother for me.
 
You can see the same in Google Analytics Live View :) But yes, it is interesting sometimes to see how a live human being goes from one page to another, and then you see the checkout page and you cross your fingers :)
 
Another question - I'm looking at the 'page not found' errors on WordFence and a lot of the pages it says are not found are real pages. Any ideas?
Also, not overly happy with all the attempts to login using 'admin' but happy I changed the login!
 
Do you have wordfence plugin? I don't remember
 
EmptyNest said:
Do you have wordfence plugin? I don't remember
That's where I'm seeing the errors - in word fence. I just installed it yesterday.
 
Yep. I got sick of getting the emails so I just don't put in an email address so they can bug me. It will still do its job