Site Hacked Twice (10 posts)

  1. colej2k
    Member
    Posted 7 months ago #

    One of my WordPress sites has been hacked twice now by the same Turkish hacking scum. I did change passwords the second time, 15 characters long with various combinations etc., but that didn't stop them.

    In the end I had to rename the login file to stop them from doing it a third time. It would seem they simply used a password app that used brute force to get entry, because WordPress doesn't have an attempt blocker, i.e. password wrong for 3 attempts and you are locked out for 30 minutes or something. Anyway, I just wanted to say how disgusted I am at how easy you make it for them.

  2. Ipstenu
    Half-Elf Support Rogue & Mod
    Posted 7 months ago #

    http://wordpress.org/extend/plugins/login-lockdown/

    (though personally it drives me nuts to be locked out, myself, when some moron tries to log in as me X numbers of times)

    You should also read http://codex.wordpress.org/Hardening_WordPress

    Do you have any proof or evidence to imply that this is a brute force attack, and not something else? Server logs etc?

  3. colej2k
    Member
    Posted 7 months ago #

    Yes, after the second hack I changed the wp-login.php and it never happened again, but someone had tried to change my password via the 'forgot password' link; shame I reset my email address after the hack.

    Like I said though, I'm disgusted that WordPress hasn't thought about putting some simple security behind the login screen.

  4. Ipstenu
    Half-Elf Support Rogue & Mod
    Posted 7 months ago #

    Anyone can go to any site and click the 'forgot password' link. That's not a security hole, that's just ... the bane of the internet, really.

    Were they trying to log in as the same ID every time? Have you renamed your Admin ID to something else?

    (How are you going to log in with a renamed login file, out of curiosity?)

  5. colej2k
    Member
    Posted 7 months ago #

    No, but that's what they had to revert to once I renamed the wp-login.php file; they thought they still had one of their email addresses on the admin profile.

    The HUGE security hole has already been mentioned but you've clearly ignored that and gone for what I mentioned they did next!

    I log into my site by changing the wp-login.php file back. It's a pain, but it's kept the hackers out.

  6. Ipstenu
    Half-Elf Support Rogue & Mod
    Posted 7 months ago #

    I didn't ignore it, I just don't have an opinion on it as a security hole (been running WP for over 5 years now without anyone managing to brute force my password). I'm more inclined to think you're using crappy passwords, to be honest, based on my experience.

    Check the password you use against http://howsecureismypassword.net/

    I've been using password 'phrases' for a while and my password is both over 16 chars long and has punctuation (though no numbers) and it STILL shows up as "About 1 trillion years" to brute force.

  7. John
    Member
    Posted 7 months ago #

    As Ipstenu mentions, there are plugin options available for doing login locking. If they ever did roll such a function into the core, it would have to be possible to disable it and I would NEVER want it applied to my admin account under any circumstances.

    Lockout features create the ability to keep the legitimate user out as well. Nothing should ever prevent the Admin from logging into their WordPress site/multi-site when they need.

    That said, please please PLEASE read the hardening WordPress doc that was referenced. WordPress fits a lot of different needs for a lot of different people, so sometimes things are left quite flexible, but I highly encourage picking the hardening measures that are appropriate to you and implementing them.
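
    A minimal version of the lockout colej2k asks for, added here as an illustration; it is not code from WordPress or from any of the plugins linked in this thread. It keys the failure counter on client IP plus username, so a flood of bad guesses from one address does not lock the real admin out from another address (John's objection above); the 3-attempt / 30-minute numbers come from the first post and the IP addresses are constructed.

```python
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 3            # failures tolerated before lockout (the 3-strikes rule from post 1)
LOCKOUT_SECONDS = 30 * 60   # 30-minute lockout, also from post 1


class LoginThrottle:
    """Counts failed logins per (client IP, username) and locks only that pair out,
    so an attacker hammering 'admin' from one address cannot lock the real admin out."""
    def __init__(self, clock=time.time):
        self.clock = clock                   # injectable for testing
        self.failures = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
        self.locked_until = {}               # (ip, user) -> unlock time

    def is_locked(self, ip, user):
        key = (ip, user.lower())
        until = self.locked_until.get(key)
        if until is not None and self.clock() < until:
            return True
        if until is not None:                # lockout has expired: forget it
            del self.locked_until[key]
            self.failures.pop(key, None)
        return False

    def record_failure(self, ip, user):
        """Register a bad password; returns True when this failure triggers a lockout."""
        key, now = (ip, user.lower()), self.clock()
        q = self.failures[key]
        q.append(now)
        while q and now - q[0] > LOCKOUT_SECONDS:   # forget failures older than the window
            q.popleft()
        if len(q) >= MAX_ATTEMPTS:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, ip, user):
        self.failures.pop((ip, user.lower()), None)
        self.locked_until.pop((ip, user.lower()), None)


def simulate():
    """Constructed scenario: 3 bad guesses from one address, then the real admin elsewhere."""
    t = [1_000_000.0]
    th = LoginThrottle(clock=lambda: t[0])
    attacker, admin_ip = "203.0.113.5", "198.51.100.7"   # RFC 5737 documentation addresses
    for _ in range(MAX_ATTEMPTS):
        th.record_failure(attacker, "admin")
    attacker_locked = th.is_locked(attacker, "admin")    # True: that IP/user pair is locked
    admin_locked = th.is_locked(admin_ip, "admin")       # False: admin from elsewhere is fine
    t[0] += LOCKOUT_SECONDS + 1                          # wait out the lockout
    return attacker_locked, admin_locked, th.is_locked(attacker, "admin")
```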

  8. colej2k
    Member
    Posted 7 months ago #

    No, Ipstenu, you ignored it, just like you ignored me saying I had a 15-character password like so: mAI49(>5@zip;[6 (not the one I used).

    Now please stop trying to be clever by dissing people who have genuine concerns about security and the fact WP hasn't got any protection built in to stop brute force password attacks.

  9. colej2k
    Member
    Posted 7 months ago #

    John, I'm changing the login file while not in use. I shouldn't have to do this, but until WP introduces some protection I don't really have a choice. My site was hacked twice in three days, but changing the file name has stopped it happening a third time.

    You'll note when you sign into forums of any make they have protection of limiting wrong passwords for a reason!

  10. MickeyRoush
    Member
    Posted 7 months ago #

    Are they accessing your default login screen? Maybe you should hide the login screen via htaccess or with a plugin.

    http://wordpress.org/support/topic/protect-you-wordpress-site-with-wsecure-authentication-1?replies=1

    I'm currently using wsecure myself and it is worth the $5 spent. I've previously used their Joomla version and have been happy with their service as well. I don't have any affiliation with them; this is just from experience.

    The Better WP Security plugin does something similar to WSecure, but does it via htaccess. Plus the Better WP Security plugin offers other brute force prevention methods among many other options.

    http://wordpress.org/extend/plugins/better-wp-security/
