• briannie

    (@briannie)


    I have used your plugin to hide the login page and it certainly has done that. Using /wp-admin or /wp-login will return a /404 which is fine and yet someone using the IP address 5.188.84.186 is still able to find my login page and attempt to get in.

    The IP Address above is shown on Google to be a Russian address whose abuse level is 100%. The secret login page I am using is the conjunction of a number of words known only to me and not found in any dictionary.

    Have you any idea how the hacker, who is clearly a professional at this, has been able to find a back door to your plugin?

    The page I need help with: [log in to see the link]

Viewing 10 replies - 1 through 10 (of 10 total)
  • mdsouza

    (@mdsouza)

    @briannie, were you able to sort your issue out? I ask because I’m considering switching to this plugin from another that is giving me problems lately.

    briannie

    (@briannie)

    @mdsouza I can only imagine it was a one-off as it has not happened since on this or any other website. I have used the plugin on a number of websites and it works very well indeed. I can recommend it.

    mdsouza

    (@mdsouza)

    Thank you for taking the time to reply, much appreciated.

    My penny’s worth, for what it’s worth.

    I’ve installed the plugin, and it does indeed hide wp-login & wp-admin, and I can login to my site with my new login path name, ..

    BUT! – That hasn’t stopped the hackers, who are still hitting the (a) login page with impunity.

    I’ve also got “Limit Login Attempts Reloaded” installed, and this is a small sample of this mornings log of the (illegal) logins so far:-

    August 26, 2020 20:53 93.120.167.107 skyreveryfep (1 lockouts) WP Login Unlocked
    August 26, 2020 19:53 37.115.220.118 kinokiopirapost (1 lockouts) WP Login Unlocked
    August 26, 2020 18:38 78.29.93.247 aninaalyonaa (1 lockouts) WP Login Unlocked
    August 26, 2020 18:34 161.97.103.61 Davideradede (1 lockouts) WP Login Unlocked

    I don’t think that it’s any fault of this most excellent plug-in, that is actually doing what it says on the can: I do believe that this is an internal issue with WordPress itself.

    Going off now to start digging deeper into this problem, ..

    Laters!

    @mrsjessicasimpson – Just to say since adding this plug-in and the one hack mentioned above I’ve had no problem on around 50 or more WordPress websites that I’m responsible for. I also run “limit attempts reloaded” as backup just in case but am getting no notifications so for me all is well.

    I look forward to any further information you may come up with.

    MrsJessicaSimpson

    (@mrsjessicasimpson)

    This is on the front page, but I’ve put it here for you briannie (@briannie) as well.

    It’s bloomin long btw, ..

    Hiding – Mega Huge Log Files to get your teeth into, Hackers live here.

    Kick it out – Mega Huge Log Files to get your teeth into, Hackers live here.

    I’m posting this (report) come post in both “Limit Login Attempts Reloaded” and also “Webcraftic Hide login page”, all in the vain hope that someone out there might know what to do.
    Both plugins are extraordinary by the way, but they are being circumvented.

    Below are my raw Apache Logs from the 31st, and gods honest true here: I’m having a little trouble reading them, but I’ve spread the logs out so’s to get a clearer course of events, and yes: it’s a bit long, but worth it, especially as it shows the sever-side login procedure.

    Background:

    My main site is b92mjs.co.uk
    And I have a domain parked next to it called pigsoft.net
    There’s nothing of value being shown here, and all pages are in the public domain.
    From wp-login.php, my changed secret login page is now called b92login.php

    – And revealing that top-secret-information, is a rather moot point; as you’ll soon discover.

    This particular Lock out by “Limit Login Attempts Reloaded”, got logged at nine, .. and the IP address was already in the Deny rules: yet they were still able to hit the server side of my site.
    As always: the hackers start off with my parked site and then add the conventional wp-login.php string.
    It must also be remembered, that the entire thing took seconds to complete.
    Begin.

    – [31/Aug/2020:09:56:02 +0100]
    “GET /wp-login.php HTTP/1.0” 404 69666
    “http: (//)pigsoft.net/wp-login.php” <<<<——-!!!!!! normal wp-login.php
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51”
    77.247.181.165
    pigsoft.net 77.247.181.165 –

    – [31/Aug/2020:09:56:05 +0100]
    “GET / HTTP/1.1” 301 – “http: (//)pigsoft.net/”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51”
    77.247.181.165
    (//)www(.)b92mjs.co.uk 77.247.181.165 –

    // They now switch their attention to my main site, ..

    – [31/Aug/2020:09:56:09 +0100]
    “GET / HTTP/1.1” 200 88022
    “https: (//)www(.)b92mjs.co.uk/”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51”
    77.247.181.165
    (//)www(.)b92mjs.co.uk 77.247.181.165 –

    – [31/Aug/2020:09:56:12 +0100]
    “GET /blog/ HTTP/1.1” 200 86551
    “https: (//)www(.)b92mjs.co.uk/blog/”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51”
    77.247.181.165
    (//)www(.)b92mjs.co.uk 77.247.181.165 –

    // This POST is interesting, but I can’t see what it does, and yes: I do have contact-form 7 installed, ..
    // But how would they know?

    – [31/Aug/2020:09:56:14 +0100]
    “POST /wp-json/contact-form-7/v1/contact-forms/4450/feedback HTTP/1.1” 200 176
    “https: (//)www(.)b92mjs.co.uk/blog/”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51″
    77.247.181.165
    (//)www(.)b92mjs.co.uk 77.247.181.165 –

    // I had no idea why they kept hitting the ‘Knickers’ pages, ..
    // Then found this code below inside one of them on the Text Tab side of tinyMCE

    <div data-contents=”true”>
    <div data-block=”true” data-editor=”4rjjj” data-offset-key=”1ih5n-0-0″> </div>
    </div>

    // No clue how it got there, perhaps an old editor, but it’s now been removed.
    // Yesterday the Hackers were targeting the Submit button on my Boxzilla pop-ups.
    // I’ve removed all of them bar one.

    // Continuing ever onwards in the Hackathone, ..

    – [31/Aug/2020:09:56:16 +0100]
    “GET /knickers/enter-the-void/ HTTP/1.1” 200 79919
    “https: (//)www(.)b92mjs.co.uk/knickers/enter-the-void/”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51”
    77.247.181.165
    (//)www(.)b92mjs.co.uk 77.247.181.165 –

    – [31/Aug/2020:09:56:19 +0100]
    “GET /knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/ HTTP/1.1” 200 84411 “https: (//)www(.)b92mjs.co.uk/knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51”
    77.247.181.165
    (//)www(.)b92mjs.co.uk 77.247.181.165 –

    // =============== (( HERE IT IS ))=============
    // From the above, then my hidden login has been found, .. but how?
    // It can only be WordPress that’s revealing it, ..

    – [31/Aug/2020:09:56:21 +0100]
    “GET /b92login/ HTTP/1.1” 200 9570 <<<<<<<<<<<<<<<< how are they doing it?
    “https: (//)www(.)b92mjs.co.uk/b92login/” <<<<<<<<<<<<<<<< how are they doing it?

    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51”
    77.247.181.165
    (//)www(.)b92mjs.co.uk 77.247.181.165 –

    – [31/Aug/2020:09:56:23 +0100]
    “POST /b92login/ HTTP/1.1” 200 9812 “https: (//)www(.)b92mjs.co.uk/b92login/”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51”
    77.247.181.165
    pigsoft.net 77.247.181.165 –

    // Kicked out by “Limit Login Attempts Reloaded”, so they start yet again with my parked pigsoft.net domain, ..

    – [31/Aug/2020:09:56:25 +0100]
    “GET /wp-login.php HTTP/1.0” 404 69652
    “http: (//)pigsoft.net/wp-login.php”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51”
    77.247.181.165
    (//)www(.)b92mjs.co.uk 77.247.181.165 –

    – [31/Aug/2020:09:56:26 +0100]
    “GET /index.php HTTP/1.1” 301 –
    “http: (//)www(.)b92mjs.co.uk/index.php”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51”
    77.247.181.165
    (//)www(.)b92mjs.co.uk 77.247.181.165 –

    – [31/Aug/2020:09:56:29 +0100]
    “GET /index.php HTTP/1.1” 301 –
    “http: (//)www(.)b92mjs.co.uk/index.php”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51”
    77.247.181.165
    (//)www(.)b92mjs.co.uk 77.247.181.165 –

    – [31/Aug/2020:09:56:30 +0100]
    “GET /index.php HTTP/1.1” 301 –
    “http: (//)www(.)b92mjs.co.uk/index.php”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.51”
    77.247.181.165
    pigsoft.net 77.247.181.162 –

    – [31/Aug/2020:09:58:55 +0100]
    “GET /wp-login.php HTTP/1.0” 404 69677
    “http: (//)pigsoft.net/wp-login.php”
    “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36”
    77.247.181.162
    pigsoft.net 77.247.181.162 –

    – [31/Aug/2020:09:58:56 +0100]
    “GET / HTTP/1.1” 301 –
    “http: (//)pigsoft.net/”
    “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36″
    77.247.181.162
    (//)www(.)b92mjs.co.uk 77.247.181.162 –

    – [31/Aug/2020:09:58:59 +0100]
    / HTTP/1.1” 200 88026 “https: (//)www(.)b92mjs.co.uk/”
    “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36” 77.247.181.162
    (//)www(.)b92mjs.co.uk 77.120.113.64 –

    – [31/Aug/2020:09:59:03 +0100]
    “GET /blog/ HTTP/1.1” 200 86546 “https: (//)www(.)b92mjs.co.uk/blog/”
    “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36” 77.120.113.64
    (//)www(.)b92mjs.co.uk 77.120.113.64 –

    – [31/Aug/2020:09:59:06 +0100]
    “POST /wp-json/contact-form-7/v1/contact-forms/4450/feedback HTTP/1.1” 200 176
    // Yet again, the Hacking Script has detected a weakness somewhere.

    “https: (//)www(.)b92mjs.co.uk/blog/”
    “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36”
    77.120.113.64
    (//)www(.)b92mjs.co.uk 77.120.113.64 –

    – [31/Aug/2020:09:59:08 +0100]
    “GET /knickers/enter-the-void/ HTTP/1.1” 200 79949
    “https: (//)www(.)b92mjs.co.uk/knickers/enter-the-void/”
    “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36”
    77.120.113.64
    (//)www(.)b92mjs.co.uk 77.120.113.64 –

    – [31/Aug/2020:09:59:10 +0100]
    “GET /knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/ HTTP/1.1” 200 84415
    “https: (//)www(.)b92mjs.co.uk/knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/”
    “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36” 77.120.113.64
    (//)www(.)b92mjs.co.uk 77.120.113.64 –

    // From the above, then my hidden login below has been found yet again!
    // As I say: it can only be WordPress itself that’s revealing the new login file name.

    – [31/Aug/2020:09:59:13 +0100]
    “GET /b92login/ HTTP/1.1” 200 9570
    “https: (//)www(.)b92mjs.co.uk/b92login/”
    “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36”
    77.120.113.64
    (//)www(.)b92mjs.co.uk 104.244.78.231 –

    – [31/Aug/2020:09:59:15 +0100]
    “POST /b92login/ HTTP/1.1” 200 9812
    “https: (//)www(.)b92mjs.co.uk/b92login/”
    “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36”
    104.244.78.231
    pigsoft.net 104.244.78.231 –

    // Kicked out for the second time, by “Limit Login Attempts Reloaded”.

    – [31/Aug/2020:09:59:16 +0100]
    “GET /wp-login.php HTTP/1.0” 404 69681
    “http: (//)pigsoft.net/wp-login.php”
    “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36” 104.244.78.231
    (//)www(.)b92mjs.co.uk 104.244.78.231 –

    – [31/Aug/2020:09:59:21 +0100]

    “GET /index.php HTTP/1.1” 301 – “http: (//)www(.)b92mjs.co.uk/index.php”
    “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36” 104.244.78.231
    (//)www(.)b92mjs.co.uk 185.220.101.195 –

    – [31/Aug/2020:09:59:23 +0100]
    “GET /index.php HTTP/1.1” 301 – “http: (//)www(.)b92mjs.co.uk/index.php”
    “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36” 185.220.101.195
    (//)www(.)b92mjs.co.uk 185.220.101.195 –

    – [31/Aug/2020:09:59:25 +0100]
    “GET /index.php HTTP/1.1” 301 – “http: (//)www(.)b92mjs.co.uk/index.php”
    “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36” 185.220.101.195
    b92mjs.co.uk 114.119.167.156 –

    – [31/Aug/2020:10:01:31 +0100]
    “GET /wordpress-problems/how-too-add-a-vertical-menu-bar-separator HTTP/1.1” 301 – “-”
    “Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+http: (//)aspiegel.com/petalbot)” 114.119.167.156
    (//)www(.)b92mjs.co.uk 114.119.167.156 –

    – [31/Aug/2020:10:01:35 +0100]
    “GET /myoutings/how-too-add-a-vertical-menu-bar-separator/ HTTP/1.1” 200 77752 “-”
    “Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+http: (//)aspiegel.com/petalbot)” 114.119.167.156
    pigsoft.net 185.220.102.8 –

    – [31/Aug/2020:10:06:45 +0100]
    “GET /wp-login.php HTTP/1.0” 404 69661
    “http: (//)pigsoft.net/wp-login.php”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36” 185.220.102.8
    pigsoft.net 185.220.102.8 –

    – [31/Aug/2020:10:06:49 +0100]
    “GET / HTTP/1.1” 301 – “http: (//)pigsoft.net/”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36”
    185.220.102.8
    (//)www(.)b92mjs.co.uk 185.220.102.8 –

    – [31/Aug/2020:10:06:52 +0100]
    “GET / HTTP/1.1” 200 88043
    “https: (//)www(.)b92mjs.co.uk/”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36”
    185.220.102.8
    (//)www(.)b92mjs.co.uk 185.220.100.253 –

    – [31/Aug/2020:10:06:55 +0100]
    “GET /blog/ HTTP/1.1” 200 86559 “https: (//)www(.)b92mjs.co.uk/blog/”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36”
    185.220.100.253
    (//)www(.)b92mjs.co.uk 185.220.100.253 –

    – [31/Aug/2020:10:06:58 +0100]
    “POST /wp-json/contact-form-7/v1/contact-forms/4450/feedback HTTP/1.1” 200 176
    “https: (//)www(.)b92mjs.co.uk/blog/”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36”
    185.220.100.253
    (//)www(.)b92mjs.co.uk 185.220.100.253 –

    – [31/Aug/2020:10:07:00 +0100]
    “GET /knickers/enter-the-void/ HTTP/1.1” 200 79930
    “https: (//)www(.)b92mjs.co.uk/knickers/enter-the-void/”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36”
    185.220.100.253
    (//)www(.)b92mjs.co.uk 185.220.100.253 –

    – [31/Aug/2020:10:07:02 +0100]
    “GET /knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/ HTTP/1.1” 200 84421 “https: (//)www(.)b92mjs.co.uk/knickers/enter-the-void/its-outa-this-world-or-it-oorta-be/”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36”
    185.220.100.253
    (//)www(.)b92mjs.co.uk 185.220.100.253 –

    <<<<<<<<<<<<<<<<<< IN YET AGAIN AFTER THAT HUGE STRING.

    – [31/Aug/2020:10:07:03 +0100]
    “GET /b92login/ HTTP/1.1” 200 9570
    “https: (//)www(.)b92mjs.co.uk/b92login/”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36”
    185.220.100.253
    (//)www(.)b92mjs.co.uk 51.75.64.187 –

    – [31/Aug/2020:10:07:05 +0100]
    “POST /b92login/ HTTP/1.1” 200 9812
    “https: (//)www(.)b92mjs.co.uk/b92login/”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36”
    51.75.64.187
    pigsoft.net 51.75.64.187 –

    // And yet again the Hackers have been bounced out by “Limit Login Attempts Reloaded”, ..
    // So they start yet again on my parked domain, ..

    – [31/Aug/2020:10:07:06 +0100]
    “GET /wp-login.php HTTP/1.0” 404 69679
    “http: (//)pigsoft.net/wp-login.php”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36”
    51.75.64.187
    (//)www(.)b92mjs.co.uk 51.75.64.187 –

    – [31/Aug/2020:10:07:08 +0100]
    “GET /index.php HTTP/1.1” 301 – “http: (//)www(.)b92mjs.co.uk/index.php”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36”
    51.75.64.187
    (//)www(.)b92mjs.co.uk 51.75.64.187 –

    – [31/Aug/2020:10:07:10 +0100]
    “GET /index.php HTTP/1.1” 301 – “http: (//)www(.)b92mjs.co.uk/index.php”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36”
    51.75.64.187
    (//)www(.)b92mjs.co.uk 51.75.64.187 –

    – [31/Aug/2020:10:07:11 +0100]
    “GET /index.php HTTP/1.1” 301 – “http: (//)www(.)b92mjs.co.uk/index.php”
    “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36” 51.75.64.187
    (//)www(.)b92mjs.co.uk 114.119.165.74 –

    And so it goes on and on and on, ..
    Even even doing all that housekeeping on the internal pages, they’re still getting at my secret login link page, but by now hitting submit button buried deep inside my site.

    Not cure as such briannie, but a start in finding out what’s going on with this hacking.

    Stay safe.

    sharams

    (@sharams)

    Hey
    Here’s the thing with plugins like this, don’t get me wrong they work up to a point and developers work hard doing this for free but:
    When you change your WP admin URL using plugins 2 things still happen:
    1- Front end users that are logged in, when hovering the cursor over the logout link they are able to see you new secret admin URL.
    2- Most other plugins that require users to log in to use their features such as reviews or advertising plugins and when users click on login the plugin still takes them to your secret admin URL and the hover thing still shows your admin URL.
    This plugin has the same issues as well that has not been resolved yet!
    So this is how they got to your site…I suggest to use free version of Wordfence and admin recaptcha to protect yourself.

    briannie

    (@briannie)

    @sharams You make a very good point. I’d not noticed that before but you miss the point that the already logged in person would know about the secret admin page anyway in order to login. Also I happen to be the only user for one of my websites and a hacker managed to find a way in to the login page although couldn’t break my computer generated password.

    I think there is something else here that’s going on but have no idea what.

    • This reply was modified 3 months ago by briannie.
    MrsJessicaSimpson

    (@mrsjessicasimpson)

    sharams (@sharams)

    Yup, I’ve got all that stuff installed, and yes: users can still see and use the (hidden) login string no worries, but it’s the constant automatic Bots that come a knocking that worries me: they simply walk right in with that Firefox resolver string, but only after attempting to knock over the servers first.

    I honestly don’t think that they can be stopped from constantly logging in, only to have their IP address being banned for 24 hours, but it seems that they have more IPs to hand that I can handle, my PHP IP banned log is huge, but that banned log doesn’t extend to the Apache server itself.

    Dunno’ what to do next?

    ——————————————-

    briannie (@briannie)

    The rapidity of the logins, and then being kicked out: indicates to me that it’s not people doing it, (which I could handle), but it’s scripted Bots instead that are responsible.

    It’s a worry, but I feel confident that my 32 character length password string will permanently keep them out, god help me if I ever loose it though: cos I can’t remember it.

    Stay safe.

    mdsouza

    (@mdsouza)

    I go one step futher and purchase Wordfence it will be the best $99.00yr you can spend for site protection. Its not going to stop the bots from making attempts but it will block them as well as allowing for country level blocks.

    I suggest to use free version of Wordfence and admin recaptcha to protect yourself.

Viewing 10 replies - 1 through 10 (of 10 total)
  • You must be logged in to reply to this topic.