Wordfence Security
[resolved] Stopping recurring hacking attempts (16 posts)

  1. So when a user is blocked out from logging in (a phisher or hacker)... I receive this message:

    A user with IP address 80.35.80.139 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username to try to sign in.
    User IP: 80.35.80.139
    User hostname: 139.Red-80-35-80.staticIP.rima-tde.net

    Is there anything I can do with that information?? A way to blacklist or further protect against them?

    I have my settings set to auto lockout after one failed login attempt... since I'm the only one who should be logging in.

    Thank you!

    http://wordpress.org/extend/plugins/wordfence/

  2. gizmomol
    Member
    Posted 1 year ago #

    If you are using a Unix-like system (Linux, BSD, etc.) you can block them using iptables by entering this at the command line:

    iptables -A INPUT -s 80.35.80.139 -j DROP

    If you do that you should read up on the iptables commands and be able to unblock people too.

    You can also use a package like "fail2ban" which has sample rules for dynamically blocking wordpress hackers. "fail2ban" can block at the iptables level or block at the application level.

  3. Thank you for the very prompt response.

    Here is another one I received:

    User IP: 80.28.254.179
    User hostname: 179.red-80-28-254.adsl.static.ccgg.telefonica.net

    Is what you are suggesting going to block this one as well? I just don't understand how IP addresses work and how best to handle this.

    I don't use a Unix system (I don't think). I use HostGator for hosting. Perhaps this is something I can access via my CPanel with them? Otherwise I work on a winxp system.

  4. And here is another.. so apparently the IP address is from all over the place??

    User IP: 188.76.146.139
    User hostname: 139.146.76.188.dynamic.jazztel.es

  5. gizmomol
    Member
    Posted 1 year ago #

    Cpanel has an IP Deny Manager, which you can use to block hosts.

    However, failed login attempts are common for WordPress as well as servers everywhere. It can be disconcerting to see them, but that is reality.

    I would not try to block very many IP addresses, maybe just the ones that repeatedly try over and over.

    You might want to install a couple of plugins to show who is trying to login like "simple login Log" and "User Locker". Make sure you close comments on posts over two weeks old, and add another administrator user and remove the default "admin" user after that.

    WordPress has poor password enforcement so you might want to install a plugin to improve that. Search for "enforce password" on the wordpress plugin site.

    I just reread your first message and see you are the only user. I suggest you use a long password, say 15 characters with mixed case, numbers and some special characters like "~!@#$%^&*()_+"

    Then the login log will show yourself and the people attempting unsuccessfully to log in.

  6. Fantastic advice. Thank you very much. I will do all of that.

    I agree, I don't want to block any ip address... unless I know specifically it is a hacker.

    Yes, seeing them attempt is scary.. but much better than knowing they were able to get through. I sell premium plugins, and it seems my site is a target.

    The one thing I don't quite understand is the admin user. Since I'm the only user... you're saying I should create a new admin user and delete my original?

    Will this have any effect on my id number used for admin in the database? Some of my custom codes rely on admin being the number one user.

    Thank you again for your help. WordPress security is definitely not my area of expertise :)

  7. gizmomol
    Member
    Posted 1 year ago #

    The "Admin" user is the most frequent target for hackers. You certainly can add other userid's with administrator roles, and some admins remove the default one after they have other working admins.

    It's better to code to check user roles rather than program specific userid numbers.

    Use something like:
    <?php if ( current_user_can('manage_options') ) { do_something(); } ?>

  8. MickeyRoush
    Member
    Posted 1 year ago #

    @Josh

    If you really don't require anyone but you logging (nor registering, I assume) into your site you can stop it within .htaccess.

    Put this in your .htaccess file. It will redirect anyone that you don't specify (via IP) to your home page or wherever you like.

    RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
    RewriteRule ^wp-(login|register)\.php http://example.com [R,L]

    Where xxx.xxx.xxx.xxx is your static IP Address. Can be modified to just work for Class A, B, or C if you have a dynamic IP Address.

    Where example.com is your TLD. That way they're just redirected to your home page.

  9. @gizmomol,

    Thanks for everything. I have followed your advice.. and I think I actually slept a little "safer" last night ;) I agree with the coding. The only reason I stuck with ID=1 is because I knew I would be the only admin on this particular installation.

    @MickeyRoush,

    YES!! I love this approach. That is correct. I am the only one who will ever need to login. No other users will ever need to login or register.

    Forgive my green-ness. What is the best method to determine my ip address? Should I just use an online site?

    And "TLD"? I'm assuming that would be my site home page?

    So, then to test this I can try to use a friend's computer (which will have a different IP) to log in to the admin panel and make sure it redirects me to the home page?

  10. MickeyRoush
    Member
    Posted 1 year ago #

    @Josh,

    TLD = Top Level Domain = your domain (example: http://www.mysite.com)

    You need to use your IP that web-servers see, so any online tool will work.

    Or you can just go to: https://www.arin.net/
    At the top will be your IP. You need to see if it changes. Only you will know if it's static (never changes) or it's dynamic (changes).

    Are you familiar with your .htaccess file? Once you find your IP you can put those rules beneath your WordPress permalinks.

    Or after:

    # End WordPress

    Just remember, you need to be able to FTP/SFTP/SSH into your site to edit the file in case your IP changes.

  11. Yes, I'm fairly familiar with the .htaccess. I'm using BulletProof Security plugin in an added attempt to thwart the hackers.

    It allows you to add custom code to the .htaccess.

    I think I have it setup correctly. I'm not going to go test from a different computer, which hopefully has a different IP.

    I'll post back shortly.

    (Yes, very familiar with FTP)

  12. Well, I have a modem with a router... and all my computers here have the same IP when I go to ARIN.

    I'll have to wait until morning and call a friend when they wake up.

    You mention...

    Can be modified to just work for Class A, B, or C if you have a dynamic IP Address.

    What does this mean? Class?

  13. Okay. I packed up the laptop and went to leech off of Buckhead's Restaurants Free WiFi.

    I navigated to my wordpress login page and PRESTO... REDIRECTED to home page!! YAY!!

    This is awesome. I cannot thank you enough for this. So as long as my IP doesn't change, I'm good. And if it does, I can simply FTP and change it in the .htaccess?

    Thank you both. I really appreciate (and utilized) your help gizmomol!! However, this I think is exactly what I needed.

    I'm marking this thread as a BIG FAT RESOLVED!

    (Can you tell I'm happy??)

  14. MickeyRoush
    Member
    Posted 1 year ago #

    Josh wrote:

    What does this mean? Class?

    Here is an IP:
    123.456.789.abc (just assume abc is numeric.)

    123 = Class A
    456 = Class B
    789 = Class C
    abc = Class D

    If you had a dynamic IP, your last octet or Class D would most likely change, so you could just use your class C for the rules.

    123.456.789 or

    RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.

    Leaving off the $ (end of string character).

    Josh wrote:

    So as long as my IP doesn't change, I'm good. And if it does, I can simply FTP and change it in the .htaccess?

    Correct!
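
Added example (not part of the thread, and not the posters' code): a small Python model of the two .htaccess lines discussed above, for checking which client addresses a given RewriteCond pattern lets reach wp-login.php before you deploy it. Python's `re` stands in for Apache's regex engine; the addresses are constructed documentation-range values, and `NO_DOLLAR` and `SHORT_PREFIX` are hypothetical variants included to show what the `$` and the trailing `\.` contribute.

```python
import re

# RewriteRule pattern from the thread. In a .htaccess file it is tested
# against the request path with the leading slash removed.
RULE_PATTERN = re.compile(r"^wp-(login|register)\.php")


def is_redirected(remote_addr: str, path: str, cond_pattern: str) -> bool:
    """True when the rule pair would redirect this request away.

    cond_pattern is written as in .htaccess: a leading '!' negates the
    regex, so the condition holds for addresses the regex does NOT match.
    """
    if not RULE_PATTERN.search(path.removeprefix("/")):
        return False  # the rule does not apply to this URL at all
    negate = cond_pattern.startswith("!")
    regex = cond_pattern[1:] if negate else cond_pattern
    matched = re.search(regex, remote_addr) is not None
    return matched != negate


def allowed_through(cond_pattern, addresses, path="/wp-login.php"):
    """Addresses that would still be served the login page."""
    return [a for a in addresses if not is_redirected(a, path, cond_pattern)]


# Constructed sample clients (RFC 5737 and RFC 3849 documentation ranges).
CLIENTS = [
    "203.0.113.7",    # the site owner's address in this example
    "203.0.113.70",   # neighbour whose address starts with the same digits
    "203.0.113.200",  # same first three octets
    "203.0.119.9",    # different third octet
    "198.51.100.23",  # unrelated network
    "2001:db8::7",    # the owner arriving over IPv6
]

EXACT = r"!^203\.0\.113\.7$"      # one static address, anchored at both ends
PREFIX = r"!^203\.0\.113\."       # first three octets, no end anchor
NO_DOLLAR = r"!^203\.0\.113\.7"   # hypothetical: EXACT without the '$'
SHORT_PREFIX = r"!^203\.0\.11"    # hypothetical: prefix cut mid-octet

if __name__ == "__main__":
    for name, pattern in [("EXACT", EXACT), ("PREFIX", PREFIX),
                          ("NO_DOLLAR", NO_DOLLAR),
                          ("SHORT_PREFIX", SHORT_PREFIX)]:
        print(f"{name:13} lets through: {allowed_through(pattern, CLIENTS)}")
```

Neither pattern form matches an IPv6 address, so an owner whose connection reaches the site over IPv6 is redirected like everyone else.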

  15. You sir, are simply awesome. I understand it now.

    Why is it... the more I learn... the more I realize I don't know??

    This is simply perfect!

    One zillion Thank You's to you!!

  16. I just wanted to stop back by and add that I haven't received one report of any attempts on hacking my login information.

    Also, I haven't had any malicious code inserted into my website.

    I cannot thank you enough!

Topic Closed

This topic has been closed to new replies.
