• Resolved Zanimul

    (@zanimul)


    For the past several days, a site I help manage has seen nearly hourly attempts to log in using a different IP each time and rotating through various ID names. The site is old (designed 2014) and many plugins it uses are no longer supported. The business owner doesn’t want to invest any more money into the site as his health is failing and the business is on the decline. Normally, I wouldn’t get too upset at this and would just let Wordfence continue to block their attempts. However, it would seem they have some inside knowledge of the small business that has the site, as the first name of every employee has been tried as a login ID. Wordfence is set to block attempts to find user IDs, so I suspect they have found the names via some email address search.

    Regardless, the main editor of the site has used his first and last name as his login ID; I fear it’s not long before the attackers discover this. So I’m wondering the best avenue to fix/prevent this from becoming an issue, as I fear it’s not long before this site is hacked.

    –jeff

Viewing 7 replies - 1 through 7 (of 7 total)
  • mountainguy2

    (@mountainguy2)

    I’d like to help, but first, are you joking? A totally insecure credential set as well as an insider attack, and you’re wondering how to defend? Seriously, is this an April 1 joke? MTN

    Thread Starter Zanimul

    (@zanimul)

    Sadly no, I wish I were joking. I don’t believe it to be an insider, just someone who has data mined email addresses. The folks running this biz chose poorly against my recommendations and I suspect will be paying the price of the poor choices.

    –jeff

    mountainguy2

    (@mountainguy2)

    OK Jeff, you can understand my reaction! In any case, how about just obfuscating the login? Or is your client just too inept to use a different login URL, just as they can’t deal with changing their password? I use WPS Hide Login to good effect. You’d still get the attempts, but they never get to the login form. MTN

    Thread Starter Zanimul

    (@zanimul)

    Understandable. They use some small-time hosting service, a friend-of-a-friend deal, also against my recommendations. I think the hoster got hacked at some point and these ne’er-do-wells might have been in on that hack, or at least got their hands on the data. I say that, as the name of the hoster shows up once in a while in the login attempts.

    I’ve thought about hiding the login page, but have balked at doing it for two reasons: one, I see many comments that say it just doesn’t help; two, the site uses s2Member and I suspect it may break that plugin. Clearly, I need to spend more (unfunded) time to look into that second item.

    –jeff

    mountainguy2

    (@mountainguy2)

    Well, hiding the form can definitely help, and if appropriate for your website it is incredibly easy to test, so you can decide for yourself. It takes at most 10 minutes to set up. But perhaps it’s not appropriate. My take would be something like “if the owner can’t change his password, that’s the equivalent of parking his car in a high-crime area and leaving a door open; who can deal with that in any effective way?”

    But I’d also consider the fact that you’ve got a stack of possibly vulnerable plugins sitting there like a time bomb. Which leads me to ask: how do you keep WordPress updated if you are using orphaned plugins? Usually such plugins eventually fail due to WordPress updates. Or are you not updating WordPress?

    Nothing Wordfence can really do for you, as your problem is on the human behavior side.

    MTN

    Thread Starter Zanimul

    (@zanimul)

    WordPress and Wordfence are always up to date; the orphans just remain broken. To be honest, since this site has been on death’s door for the last two years, I really haven’t done much more than keep things updated.

    Understood on the human behavior aspect. I guess I will give the hidden login page a whirl, and talk to the owner and try to get them to at least let me refresh the site and get rid of the cruft.

    –jeff

    wfalaa

    (@wfalaa)

    Hi Jeff,

    I can see you mentioned WordPress and Wordfence are up to date, but what about the theme used, and the other plugins as well? Everything must be up to date.

    Some of the theme functions used might reveal users’ data as well, perhaps a badly-coded widget or something else.

    In your case, I recommend going through “Checklist – How to Secure Your WordPress Website” and applying as many of the items as you can on this website.

    Thanks.
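The original post worries that the attackers are harvesting usernames, and wfalaa's reply points out that themes and widgets can leak user data too. As an added illustration (not code from this thread, from Wordfence, or from any plugin mentioned here), the must-use plugin below closes the username-enumeration paths WordPress exposes by default and makes the login error message uniform, so a failed attempt no longer reveals whether the username exists. The file name is an assumption; it is a drop-in for `wp-content/mu-plugins/`, which WordPress loads automatically.

```php
<?php
/**
 * Plugin Name: Harden user enumeration (added example)
 *
 * Assumed location: wp-content/mu-plugins/harden-user-enumeration.php
 * Blocks the common ways an unauthenticated visitor can list WordPress
 * login names, and stops the login form from confirming valid usernames.
 * Brute-force rate limiting is left to Wordfence, which the thread already uses.
 */

// 1. Author archives: /?author=1 redirects to /author/<login>/, which leaks
//    the login name. Send unauthenticated visitors to the home page instead.
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() ) {
        return;
    }
    if ( is_author() || isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 ); // priority 1: run before WordPress's own canonical redirect

// 2. REST API: /wp-json/wp/v2/users lists users who have published posts.
//    Remove the users routes entirely for anonymous requests.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 3. Core sitemaps (WordPress 5.5+): wp-sitemap-users-1.xml links to every
//    author archive. Drop the "users" sitemap provider.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return ( 'users' === $name ) ? false : $provider;
}, 10, 2 );

// 4. Login form: WordPress distinguishes "unknown username" from "wrong
//    password". Replace every login error with one neutral message.
add_filter( 'login_errors', function () {
    return 'Login failed. Please check your credentials and try again.';
} );

// 5. Comment author and oEmbed responses can also carry user display names;
//    those depend on the theme, so review them per site (see wfalaa's reply).
```

Because this is a must-use plugin it cannot be deactivated from the dashboard, which suits a site whose owner does not want to manage plugins. It changes nothing about the login URL, so it should not interfere with a membership plugin the way a hide-login plugin might; test on a staging copy anyway, since s2Member uses its own login and profile pages.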

  • The topic ‘Hourly malicious attempts to login’ is closed to new replies.