Wordpress Themes - WP Forum at BFA

Wordpress Themes - WP Forum at BFA (http://forum.bytesforall.com/index.php)
-   Web Hosting for WordPress (http://forum.bytesforall.com/forumdisplay.php?f=13)
-   -   Repeated hack attempts on my site (http://forum.bytesforall.com/showthread.php?t=21298)

paulae Dec 20, 2013 05:38 AM

Repeated hack attempts on my site
 
This is just an FYI for everybody here.

Last night, I received 9 emails from the Wordfence security plugin on one of my sites. The most important of my sites, in fact. I'll paste it here, with the site name redacted:

This alert was generated by Wordfence on "XXXXXXXXXX" at Thursday 19th of December 2013 at 09:16:38 PM

A user with IP address 112.199.116.75 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username 'root' to try to sign in.
User IP: 112.199.116.75
User hostname: 75.116.199.112.clbrz.inet.eastern-tele.com


I never use "admin" or "root" as my admin name when installing Wordpress. I have several types of security plugins installed. But this kind of hack attempt is still scary. And I didn't feel warm and fuzzy after contacting Bluehost about it. I emailed them just to alert them that my site was under attack, and I thought they might want to know, since I'm sure mine is not the only Wordpress site hosted there that's being hit right now. I got back a boilerplate "here's what to do if your site has been hacked" email. Obviously, no human ever read my email.

So, this post is just a warning: never use "admin" or "root" or some other generic word as your admin username, have a strong password, and use security plugins. There are other Wordpress hardening methods discussed at wordpress.org and on many Wordpress-oriented websites. Be safe out there!

juggledad Dec 20, 2013 06:55 AM

Actually it doesn't matter what name you use, there is a way to find all the user IDs :(

I've actually taken to banning entire countries in my htaccess file.

juggledad Dec 20, 2013 07:18 PM

@stb: it doesn't matter what user name you use. If you want me to prove it, point me at one of your sites and I'll tell you the user ID.

This shocked me too when I saw in my log someone trying to login with an id that no one, I mean no one but I knew what it was, but...there is a way to determine what it is.

juggledad Dec 21, 2013 03:00 AM

BTW - my current security method is to rename 'wp-login.php' to another name.

IMPORTANT: if you do this, you must edit the file and do a global rename of 'wp-login.php' to the new name you chose, and you must do this after each WP update.

I even have a htaccess rule to send anyone using wp-login.php to another page telling them it's not nice to try and hack.

juggledad Dec 21, 2013 04:56 AM

If they don't know the name of the login file, they can't try a brute force attack. And sorry, but if you think the bots aren't set up to discover your id you have your head in the sand.

And I discovered this because I was being hacked and I am providing a possible solution. So should I keep this solution private, is that what you are saying?

Discussing a security hole that is already being used by the bots is not a bad idea (IMHO) and telling people to rename wp-login.php makes it much more difficult for a hacker to get in because they have no idea what the login php file is, but you will.

I will admit that this doesn't help sites that allow users to login, but I don't - the only ones that can login to our site are authorized.

If you check your access logs on your server I'm willing to bet you are being targeted.
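The access-log check suggested above, written out as an added example (this is not part of juggledad's post and is not a WordPress or Wordfence tool): a POSIX shell/awk script that counts POST requests to wp-login.php per client IP in an Apache "combined" format log and lists the IPs above a threshold. The log lines are constructed for illustration using documentation-range addresses, and the function names, threshold and log path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the forum post: find clients hammering
# wp-login.php in an Apache "combined" access log.

# Constructed sample log (documentation-range IPs, not real traffic).
# 203.0.113.7 sends 8 POSTs to the login form, 198.51.100.4 sends 2,
# and 192.0.2.10 only fetches the front page and GETs the login page once.
make_sample_log() {
    cat <<'EOF'
203.0.113.7 - - [19/Dec/2013:21:16:01 -0600] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2013:21:16:02 -0600] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2013:21:16:03 -0600] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2013:21:16:04 -0600] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2013:21:16:05 -0600] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2013:21:16:06 -0600] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2013:21:16:07 -0600] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2013:21:16:09 -0600] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2911 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Dec/2013:21:20:11 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Dec/2013:21:20:40 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [19/Dec/2013:21:21:00 -0600] "GET / HTTP/1.1" 200 9823 "-" "Mozilla/5.0"
192.0.2.10 - - [19/Dec/2013:21:21:05 -0600] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
EOF
}

# Print "count ip" (highest first) for every client that sent more than
# $2 POST requests to wp-login.php (with or without a query string) in
# the log file $1. GET requests are ignored: a POST is an actual login or
# password-recovery submission, a GET is just the form being fetched.
# In combined format $1 is the client IP, $6 is the quoted method and
# $7 is the request path.
wp_login_offenders() {
    log="$1"
    threshold="${2:-5}"
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php(\?|$)/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) print n[ip], ip }
    ' "$log" | sort -rn
}

# Turn the offender list into Apache 2.2 "Deny from" lines ready to paste
# into .htaccess (Apache 2.4 uses "Require not ip" instead).
deny_rules() {
    wp_login_offenders "$1" "$2" | awk '{ print "Deny from " $2 }'
}

# Usage: sh wp-login-scan.sh /path/to/access_log [threshold]
if [ "$#" -ge 1 ] && [ -f "$1" ]; then
    wp_login_offenders "$1" "${2:-5}"
fi
```

Run it against the real log (on shared hosting it is usually under a logs or access-logs directory in the account) with a threshold that fits the site's normal login volume; a single IP submitting the form dozens of times in a minute is the pattern the Wordfence alert above is reacting to, and the GET-only rows show why counting page fetches would produce false positives.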

juggledad Dec 21, 2013 05:18 AM

To give anyone who is interested some more information, here is what happens:

Someone tries to use wp-login.php. The code in .htaccess sends them to the first html file (it can have any name), which redirects them to a second html file after a set period (the '8' seconds). The second html file tells them to stop hacking.

1) rename wp-login.php to 'xxxxxxx.php' (where xxxxxxx is some text string you pick)
2) Edit the file (use a TEXT editor) and change all occurrences of the string 'wp-login.php' to the new name. You must do this or logins will fail!
3) add a line in your .htaccess file
HTML Code:

# Send anyone requesting the old login file name to the warning page
RedirectMatch 301 ^/wp-login\.php$  http://yourdomain.com/wp-content/badbot-403.html
4) create a file 'badbot-403.html' with the following
HTML Code:

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title>
    </title>
    <meta http-equiv="refresh" content="8;url=http://yourdomain.com/wp-content/badbot-warn.html" />
  </head>
  <body>
  </body>
</html>

The reason for this is the '8': it delays 8 seconds before transferring to the next page, delaying a bot a little (every little bit helps) but not messing it up for any of my users that forget and use the wrong login file name.
5) create another file 'badbot-warn.html' with
HTML Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<title>Please stop hacking</title>
</head>
<body>
<br /><br /><br /><br /><br /><br /><br />
<br /><br /><br /><br /><br /><br /><br />
<div style="text-align: center;">
<span style="color: #000000; font-size: 24px;">Invalid Login Attempt
</span></div>
<br /><br /><br /><br />
<div style="text-align: center;">
<span style="color: #ff0000; font-size: 34px;">Your computer has attempted to login to this site.<br />Please stop hacking.</span></div>
</body>
</html>

Now you have to use the name you changed wp-login.php to; for example:
If you changed 'wp-login.php' to 'ha-try-and-find-this.php' you would use 'yourdomain.com/ha-try-and-find-this.php'. You cannot use 'yourdomain.com/wp-admin' because that calls wp-login.php and off to the warning you go.

All this won't stop hacking attempts but it will slow them down a bit.
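Steps 1 to 3 of the procedure above as one script, added here as an example rather than juggledad's own tooling: it renames wp-login.php, rewrites the self-references inside it with sed, appends the RedirectMatch rule to .htaccess only if it is not already there, and then verifies that no 'wp-login.php' string is left in the renamed file (the leftover that makes logins fail). The document root, new file name and site URL are inputs you supply; the function names and the test fixture are assumptions, not WordPress code.

```shell
#!/bin/sh
# Added example, not juggledad's own script: automate steps 1-3 of the
# wp-login.php rename and verify the result. Re-run it after every
# WordPress core update, because the update restores the stock file.

# rename_wp_login ROOT NEWNAME SITEURL
#   ROOT    - WordPress document root (assumed to contain wp-login.php)
#   NEWNAME - new file name, e.g. ha-try-and-find-this.php (no slashes)
#   SITEURL - site URL used in the redirect target, e.g. http://yourdomain.com
rename_wp_login() {
    root="$1"; newname="$2"; site="$3"

    [ -f "$root/wp-login.php" ] || { echo "no wp-login.php in $root" >&2; return 1; }
    case "$newname" in */*|"") echo "bad new name: $newname" >&2; return 1;; esac

    # Step 1: rename the file.
    mv "$root/wp-login.php" "$root/$newname" || return 1

    # Step 2: rewrite every occurrence of the old name inside the file.
    # Go through a temp file outside the docroot instead of sed -i, so no
    # editor backup copy of PHP source is left where the web server could serve it.
    tmp=$(mktemp) || return 1
    sed "s|wp-login\.php|$newname|g" "$root/$newname" > "$tmp" \
        && cat "$tmp" > "$root/$newname"
    status=$?
    rm -f "$tmp"
    [ "$status" -eq 0 ] || return 1

    # Step 3: send anyone still asking for wp-login.php to the warning page.
    # Append the rule only once so repeated runs do not pile up duplicates.
    rule="RedirectMatch 301 ^/wp-login\\.php\$ $site/wp-content/badbot-403.html"
    if ! grep -qF 'RedirectMatch 301 ^/wp-login' "$root/.htaccess" 2>/dev/null; then
        printf '%s\n' "$rule" >> "$root/.htaccess" || return 1
    fi
}

# verify_rename ROOT NEWNAME
#   Succeeds only when the old file is gone, the new one exists and it
#   contains no leftover "wp-login.php" reference.
verify_rename() {
    root="$1"; newname="$2"
    [ ! -e "$root/wp-login.php" ] || return 1
    [ -f "$root/$newname" ] || return 1
    ! grep -q 'wp-login\.php' "$root/$newname"
}

# Usage: sh rename-wp-login.sh /path/to/wordpress ha-try-and-find-this.php http://yourdomain.com
if [ "$#" -eq 3 ]; then
    rename_wp_login "$1" "$2" "$3" && verify_rename "$1" "$2" && echo "login is now $3/$2"
fi
```

Two things to keep in mind when using it. The sed pass only touches the renamed file; core functions elsewhere, such as wp_login_url() in wp-includes, still build links to wp-login.php, which is exactly why the post says wp-admin bounces you to the warning page. And because the rule is a 301, browsers cache it, so a legitimate user who types the old URL once will keep being redirected by their own browser until that cache entry expires.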

juggledad Dec 21, 2013 05:53 AM

@STB: I humbly disagree with you. It is now a known issue that user IDs can be discovered. It doesn't matter what you use as an admin ID, IT CAN BE DISCOVERED - so telling people not to use 'admin' really doesn't matter.

period, end of story!! nothing more, nothing less

capisce?

p.s. if you want to reply to a PM do so in a PM not in a thread
this topic is closed.

