Wordpress getting hit hard - secure yourselves!

Benet

I've also found Wordfence Security useful for dealing with Wordpress nasties. Been using it since I got hacked last year, and love it.

It scans for known malware and trojans etc, and scans for changed files and files that don't match the originals, and can also limit the login attempts like the above plugins.

http://wordpress.org/extend/plugins/wordfence/

kwikbreaks

That one looks like it could be pretty resource hungry to me.

Benet

kwikbreaks wrote: »

That one looks like it could be pretty resource hungry to me.

Not as much as you might think. Their servers do most of the heavy lifting, I haven't seen a massive increase in resource usage when using it.

kwikbreaks

Repeat attack...

8 failed login attempts (2 lockout(s)) from IP: 66.85.172.250

Last user attempted: admin

IP was blocked for 24 hours

I've blocked this IP now in my .htaccess for that site.

garyk1968

Yep as said above proxies will normally overcome the IP login limit.

Of course the other thing you should do is rename your admin login!

kwikbreaks

Having read about this attack it seems it's a botnet so will have umpteen IPs without bothering with a proxy. One of the IPs I've seen had been reported as a spam source too so it's probably an infected home computer.

fenlander_uk

I've been getting a constant trickle of login attempts on my two Wordpress sites over the last week or so. All have attempted to login as admin and none seem to have persevered for very long. Fortunately one of my service providers (not one with which I have a Wordpress site as it happens) warned me in good time. As well as changing the admin login name, beefing up the password and installing 'Limit login attempts' or similar, you might also find a captcha useful on login. There are some versions of captcha that don't involve deciphering distorted letters. Just make it difficult for the botnets and they'll probably go elsewhere.

Hoseman

Does wordfence mess about with your settings much or conflict with other plugins? I havent looked at security for a while on mine but when I did I came across one called Bulletproof but I read some negative comments re conflict/issues which put me off.

I need to find a good free backup solution too. I came across one but I haven't followed it up. I'm partially backing it up but need to find an all round solution so need to prioritise.

kwikbreaks

I've used several backup plugins over the years. Currently I'm using Updraftplus backing up to DropBox. This isn't perfect as setting the precise time for the backup is a none-too-cheap paid option but the last one I had doing this stopped working for some reason or other. I got around paying by kicking off backups for each site during a spell of insomnia - they seem to run fairly close to a 24hr schedule.

Benet

Hoseman wrote: »

Does wordfence mess about with your settings much or conflict with other plugins? I havent looked at security for a while on mine but when I did I came across one called Bulletproof but I read some negative comments re conflict/issues which put me off.

I need to find a good free backup solution too. I came across one but I haven't followed it up. I'm partially backing it up but need to find an all round solution so need to prioritise.

Not that I've noticed, it seems to play nice with all the other plugins I have installed accross multiple instances of Wordpress on various sites. It actually seems to do quite a nice job of keeping plugins as they should be, as it compares your local version with the version uploaded to wp.org and notifies you of anything that has changed.

As for messing with settings, nope, again not that I've noticed. Seems to behave itself.

PS. Worth mentioning I have nothing to do with Wordfence despite me singing its praises. Just a fan