iThemes Security (formerly Better WP Security)
I hid wp-admin but hackers are still finding it (12 posts)

  1. hlanggo
    Member
    Posted 1 year ago #

    I finally decided to use hide backend because the daily number of login attempts by hackers was reaching triple digits.

    Unfortunately, they are still able to find my backend. The login attempts are still over 100 per day.

    Is this normal (even for a small site)? It only receives about 200 visitors a day.

    http://wordpress.org/extend/plugins/better-wp-security/

  2. Craig Hesser
    Member
    Posted 1 year ago #

    hlanggo, what you are reporting does not seem to be normal to me. It sounds like your site must be very enticing in one way or another: money, sex, drugs, SEO secrets, or ??? ;-)

    From the way you wrote it, nobody has managed to get inside yet? Did you put a harder limit on wrong access attempts?

    Just as a matter of principle, I am allowing only three wrong attempts from the same user and also from the same host, and have a 10+ hour delay before they can try again. I also blacklist after being blocked only 3 times.

    I don't have any addresses blacklisted yet, but I just raised the barrier about two weeks ago. My six sites with BWPS installed pull a total of over 200 unique visitors per day.
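
Added example, not part of the thread and not the plugin's code: a Python model of the lockout policy described in post 2 (three wrong attempts per user and per host, a 10-hour wait, blacklisting after three lockouts), replayed over constructed login events. The 5-minute counting window, the `LoginGuard` and `replay` names and the sample hosts are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILS = 3                     # wrong attempts allowed (from the post)
LOCKOUT = timedelta(hours=10)     # wait before retrying (from the post)
BLACKLIST_AFTER = 3               # lockouts before a permanent ban (from the post)
WINDOW = timedelta(minutes=5)     # assumption: counting window, not given in the thread

class LoginGuard:
    def __init__(self):
        self.fails = defaultdict(deque)   # ("host"|"user", value) -> recent failure times
        self.locked_until = {}            # same key -> time the lock expires
        self.lockouts = defaultdict(int)  # host -> lockouts so far
        self.blacklist = set()

    def _fail(self, key, now):
        """Record one failure; return True if it triggers a lockout for key."""
        q = self.fails[key]
        q.append(now)
        while now - q[0] > WINDOW:        # drop failures outside the window
            q.popleft()
        if len(q) < MAX_FAILS:
            return False
        q.clear()
        self.locked_until[key] = now + LOCKOUT
        return True

    def attempt(self, now, host, user, password_ok):
        if host in self.blacklist:
            return "blacklisted"
        # A lock on either the host or the username blocks the attempt,
        # so a locked username also shuts out its real owner.
        for key in (("host", host), ("user", user)):
            if self.locked_until.get(key, now) > now:
                return "locked"
        if password_ok:
            return "ok"
        self._fail(("user", user), now)
        if self._fail(("host", host), now):
            self.lockouts[host] += 1
            if self.lockouts[host] >= BLACKLIST_AFTER:
                self.blacklist.add(host)
        return "fail"

def replay(events):
    """events: (minutes_from_start, host, user, password_ok) tuples, constructed."""
    guard, t0 = LoginGuard(), datetime(2024, 1, 1)
    return [guard.attempt(t0 + timedelta(minutes=m), h, u, ok) for m, h, u, ok in events]
```

Replaying a run in which one host guesses at "admin" shows the side effect of the per-user rule: while the username is locked, a correct password from a different host is refused as well.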

  3. hlanggo
    Member
    Posted 1 year ago #

    I did not receive an email notice of your reply; that's why I'm only replying now.

    Also, lol - no illegal things on any of my sites - I don't even have any advertisements (since I do not like ads).

    I'll try limiting the number of wrong attempts. I didn't even know I could do that. That's very reassuring.

  4. Handoko
    Member
    Posted 1 year ago #

    One of the great features of this plugin is the ability to change the login slug (under menu > Security > Hide Backend).

    Unfortunately, many hackers have already found a way to skip this login barrier. This issue has been discussed several times, but it seems the author is still very busy and has no time to fix it.

    You can read more info, and also a quick temporary fix, here:
    http://wordpress.org/support/topic/plugin-better-wp-security-bypass-to-login-hide-or-hide-backend
    http://wordpress.org/support/topic/after-enabling-hide-backend-still-i-am-getting-bad-login-attempt-how

  5. hlanggo
    Member
    Posted 1 year ago #

    I wonder if the fix mentioned at:

    http://wordpress.org/support/topic/after-enabling-hide-backend-still-i-am-getting-bad-login-attempt-how

    - can be pulled off with the Redirection plugin.

    I will attempt it later on.

  6. Craig Hesser
    Member
    Posted 1 year ago #

    @hlanggo
    I was away - I now have a relatively large number (for me) of IP addresses and IP ranges blacklisted. What I do now is this: (1) if anybody gets blacklisted by BWPS, (2) then I put them on a manual list which I utilise in the manual blacklist box on all my websites with BWPS installed. (3) Also, I blacklist the entire range that shows up on who.is, not just the individual IP addresses.

    It is a little kinky dealing with the way BWPS interprets the * wildcard character. You can get a better idea if you see what shows up on the list in the .htaccess file, and also what happens when you do the blocking on your hosting control panel.

  7. hlanggo
    Member
    Posted 1 year ago #

    Still did not receive email notification of follow-up post.

    I wasn't able to use Redirection to fix the problem, but (for some reason) the number of login attempts dropped down to practically 0 recently.

  8. Handoko
    Member
    Posted 1 year ago #

    Glad to hear the bad login attempts dropped.

    I wasn't able to use Redirection to fix the problem.

    Please explain more, I'm interested to hear.

    BulgariaRealtor's suggestion is good; I use a similar way (but more complicated). Here is a good tool to check the IP:
    http://www.projecthoneypot.org/search_ip.php

  9. hlanggo
    Member
    Posted 1 year ago #

    I tried to use Redirection to redirect loggedout=true to another URL. It didn't work.

    I haven't tried the htaccess fix. I prefer to not touch htaccess.

    Fortunately, the hackers kept trying with username "admin". If I do see login attempts with the correct username, I'm going to try the htaccess fix.

  10. Handoko
    Member
    Posted 1 year ago #

    I tried to use Redirection to redirect loggedout=true to another URL. It didn't work.

    How did you do it? Using a plugin? I once tried to use a plugin, and yes, it did not work either.

    Hackers are stupid, they only know "admin". But it will be great if hackers never touch my sites. I won't give them any chance, not even to waste my bandwidth.

  11. hlanggo
    Member
    Posted 1 year ago #

    http://wordpress.org/extend/plugins/redirection/

    I use it to redirect old urls to new ones. It didn't work with loggedout=true, unfortunately.

  12. Handoko
    Member
    Posted 1 year ago #

    If I'm not wrong, I once tried it and some other redirection plugins. Because of the way Better WP Security works, other plugins are unable to redirect the login URL. So perhaps the only way is to edit the .htaccess file manually.

Topic Closed

This topic has been closed to new replies.
