  1. #1
    -Shay- is offline Public Member

    Latest hack attempts

    I've been paying very close attention to my server's firewall and logs. One of the most common things I'm seeing lately is an attempt to exploit WordPress in this manner.

    The plug-in has been patched. Noteworthy is that none of my sites use the plug-in mentioned in the article, so it was not a danger to my site anyway.

    I've also seen an uptick with failed login attempts lately.

    If you've seen any hacking attempts on your site recently, please detail them here.

  2. The Following 5 Users Say Thank You to -Shay- For This Useful Post:

    gbc999 (8 June 2016), JoshM (5 June 2016), Mr Live Casinos (6 June 2016), Roulette Zeitung (5 June 2016), Scampi (4 June 2016)

  3. #2
    Roulette Zeitung is offline Public Member

    Only 2 minutes time today.
    A nice idea, Shay.

    After I installed "BulletProof Security (BPS Security)" (https://de.wordpress.org/plugins/bulletproof-security/), "All in one Wordpress Security" (https://www.tipsandtricks-hq.com/wor...irewall-plugin) and the plugin to rename the login page (https://wordpress.org/plugins/rename-wp-login/), I never again had any problems.

    Thank Goodness.

    Leopold

  4. The Following 3 Users Say Thank You to Roulette Zeitung For This Useful Post:

    -Shay- (5 June 2016), gbc999 (8 June 2016), Mr Live Casinos (6 June 2016)

  5. #3
    universal4 is online now Forum Administrator

    I see WordPress attacks on various servers and sites on a nearly daily basis.

    I have found that the largest increase in attacks I am seeing over the last year or so is xml-rpc based brute force attempts.

    (Many might want to dispute this next part.) Even after you rename your admin login page, it will NOT stop hackers from attempting to find it. If they run a script to try the login, often they will hit the standard default login page a few thousand or more times. Many of the brute force login attempts are only looking for login success, and are completely automated, and will often hit the 404 thousands of times without realizing the page isn't even there.

    I have recently started switching over the security plugin I use, moving away from All-In-One_WP-Security and switching over to WPCerber.
    https://wordpress.org/plugins/wp-cerber/
    I felt this plugin did a much better job of locking down xml-rpc on sites where it is not necessary, and I most often set the security to immediately lock out the first attempt on the default wp-login.

    In addition to renaming the login, this plugin also allows for white-listing of ips.

    One really nice feature is that it has an emergency script you can ftp up and run that will disable the plugin completely and allow the administrator to log in the default page if something goes wrong. (obviously you don't want that script sitting there unless you need to use it)

    I have thoroughly tested this plugin on sites that are live with content as well as a few stock sites that are just sitting there waiting for content from the owners, and have been very pleased with the results. You can set the plugin to automatically block the single ip that makes attempts or the entire class c, it can email you any time an ip is blocked.

    Whether using the plugin I mentioned or one of the others recommended by many members here at the GPWA, I encourage anyone running wordpress, as a bare minimum to use one of the plugins to rename the admin login.

    I have proven time and time again, that just simply putting a wordpress install up on a server (whether it is on a domain name OR an ip address) that within a few weeks hackers WILL start trying to brute force the login. This happens on gaming and non-gaming sites.

    Always keep in mind that some functions of security plugins may conflict with others, so any time you are using more than one, be careful which functions you enable so that you can reduce conflicts. (Follow the practice of always trying to use the least number of plugins possible to get the job done.)

    Rick
    Universal4

    Side note: Although I have not proven the theory, my guess is that installing a stock install of joomla would produce the same results with hackers trying to get in, but since the install base and popularity of wordpress is so great it likely happens faster with higher frequency using wordpress.

  6. The Following 5 Users Say Thank You to universal4 For This Useful Post:

    -Shay- (5 June 2016), gbc999 (8 June 2016), Mr Live Casinos (6 June 2016), suffolkpoker (5 June 2016), vardan (5 June 2016)

  7. #4
    Azureus is offline Public Member

    Quote, originally posted by universal4:
    "(Many might want to dispute this next part.) Even after you rename your admin login page, it will NOT stop hackers from attempting to find it. If they run a script to try the login, often they will hit the standard default login page a few thousand or more times. Many of the brute force login attempts are only looking for login success, and are completely automated, and will often hit the 404 thousands of times without realizing the page isn't even there."

    Like all of it is automated... Just hacked zombie computers from all over the world, they go through IP addresses from 1.1.1.1 to 255.255.255.255 (not exactly this but I mean they go iteratively) and through domains. With IPs they try stuff like SSH login and similar, with domains they can also try Wordpress login and exploits.

    Plugins are nice but will not protect you 100% and are not useful against D(D)OS. If you are flooded by some idiot, then a plugin will be useless.

    If you want to be very aggressive in this, you can set up a rule that e.g. ten 404 errors or unsuccessful logins will result in a ban of the IP. You just have to make sure you do not have any 404s on your website about which you don't know. You can do this on any server if you manage it and some webhostings also allow you to do it.

  8. The Following User Says Thank You to Azureus For This Useful Post:

    suffolkpoker (3 July 2016)

  9. #5
    universal4 is online now Forum Administrator

    True, but that is why many of the security plugins are a big help to those who run wordpress since some of them allow immediate ban of the ip or class c upon a # of login attempts, or even a single login attempt.

    If you have moved your login, and you are the only one that has or needs admin access to a wordpress site, there is ZERO logical reason ANY ip needs to hit the admin login page. I often set security plugins for an immediate ban, and depending on the subnet, I may move it to a global block list server wide.

    Agreed that these types of plugins can do little for large DDoS attacks, but those are different situations than site hack attempts and are far more common than scaled DDoS attacks.

    This is also why compromised phone apps and wordpress plugins are becoming more and more dangerous all the time since this allows far more scaling up of both types of attacks.

    Rick
    Universal4
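
The ban rules discussed in posts #4 and #5 (ten 404s or failed logins, an immediate ban for any hit on a moved wp-login.php, optionally widened to the class C), sketched as a log check. This is an added example, not code from any poster or plugin in the thread; it assumes Combined Log Format access logs, and the names `THRESHOLD`, `LOGIN_MOVED`, `score` and `ban_list` are hypothetical.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Combined Log Format: ip - user [time] "METHOD path proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
THRESHOLD = 10       # ten 404s or failed logins, the figure suggested in post #4
LOGIN_MOVED = True   # assumption: wp-login.php was renamed, so nobody should request it

def score(line):
    """Return (ip, points) for a suspicious log line, or None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    path = path.split("?", 1)[0]
    if path.endswith("/wp-login.php"):
        if LOGIN_MOVED:
            return ip, THRESHOLD          # immediate ban on the first attempt
        # WordPress answers a failed login with 200 and a successful one with 302
        return (ip, 1) if method == "POST" and status == "200" else None
    if path.endswith("/xmlrpc.php") and method == "POST":
        return ip, 1                      # each POST may carry a password guess
    return (ip, 1) if status == "404" else None

def ban_list(lines, whitelist=(), ban_class_c=False):
    """Return the sorted IPs (or /24 networks) whose points reached THRESHOLD."""
    points = Counter()
    for line in lines:
        hit = score(line)
        if hit and hit[0] not in whitelist:
            points[hit[0]] += hit[1]
    banned = {ip for ip, n in points.items() if n >= THRESHOLD}
    if ban_class_c:                       # IPv4 addresses assumed
        banned = {str(ip_network(ip + "/24", strict=False)) for ip in banned}
    return sorted(banned)

# Constructed sample log lines (documentation address ranges, not real traffic)
def _l(ip, method, path, status):
    return f'{ip} - - [05/Jun/2016:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

SAMPLE = (
    [_l("203.0.113.7", "POST", "/xmlrpc.php", 200)] * 12     # xml-rpc brute force
    + [_l("198.51.100.9", "GET", "/wp-login.php", 404)]      # probe of the old login URL
    + [_l("192.0.2.44", "GET", "/old-page.html", 404)] * 3   # visitor on a stale link
    + [_l("192.0.2.50", "GET", "/wp-login.php", 404)]        # admin's own IP, whitelisted
)
print(ban_list(SAMPLE, whitelist={"192.0.2.50"}))
```

The visitor with three stale-link 404s stays under the threshold, which is the case post #4 warns about: unknown 404s on your own site count against legitimate users.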
