Wordpress Themes - WP Forum at BFA
There will be no more development for Atahualpa (or any other theme), and no support. Also no new registrations. I turned off the donation system. I may turn the forum to read only if it gets abused for spam. Unfortunately I have no time for the forum or the themes. Thanks a lot to the people who helped in all these years, especially Larry and of course: Paul. Take care and stay healthy -- Flynn, Atahualpa developer, Sep 2021

Wordpress Themes - WP Forum at BFA » Running WordPress » Web Hosting for WordPress »

Repeated hack attempts on my site


  #1  
Old Dec 20, 2013, 06:38 AM
paulae's Avatar
paulae
 
1,333 posts · Feb 2009
Wordpress 3.4.1, Atahualpa 3.7.7
This is just an FYI for everybody here.

Last night, I received 9 emails from the Wordfence security plugin on one of my sites. The most important of my sites, in fact. I'll paste it here, with the site name redacted:

This alert was generated by Wordfence on "XXXXXXXXXX" at Thursday 19th of December 2013 at 09:16:38 PM

A user with IP address 112.199.116.75 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username 'root' to try to sign in.
User IP: 112.199.116.75
User hostname: 75.116.199.112.clbrz.inet.eastern-tele.com


I never use "admin" or "root" as my admin name when installing Wordpress. I have several types of security plugins installed. But this kind of hack attempt is still scary. And I didn't feel warm and fuzzy after contacting Bluehost about it. I emailed them just to alert them that my site was under attack, and I thought they might want to know, since I'm sure mine is not the only Wordpress site hosted there that's being hit right now. I got back a boilerplate "here's what to do if your site has been hacked" email. Obviously, no human ever read my email.

So, this post is just a warning: never use "admin" or "root" or some other generic word as your admin username, have a strong password, and use security plugins. There are other Wordpress hardening methods discussed at wordpress.org and on many Wordpress-oriented websites. Be safe out there!
  #2  
Old Dec 20, 2013, 07:55 AM
juggledad's Avatar
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
Actually it doesn't matter what name you use, there is a way to find all the user ID's

I've actually taken to banning entire countries in my htaccess file.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
  #3  
Old Dec 20, 2013, 08:18 PM
juggledad's Avatar
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
@stb: it doesn't matter what user name you use. If you want me to prove it. point me at one of your sites and I'll tell you the userid.

This shocked me too when I saw in m log someone tring to login with an id that no one, I mean no one but I knew what it was, but...there is a way to determine what it is.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
  #4  
Old Dec 21, 2013, 04:00 AM
juggledad's Avatar
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
BTW - my current security method is to rename 'wp-login.php' to another name.

IMPORTANT if you do this, you must edit the file and do a global rename of 'wp-login.php' to the new name you chose and you must do this after each WP update

I even have a htaccess rule to send anyone using wp-login.php to another page telling them it's not nice to try and hack.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
  #5  
Old Dec 21, 2013, 05:56 AM
juggledad's Avatar
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
If they don't know the name of the login file, they can't try a brute force attack. And sorry, but if you think the bots aren't set up to discover your id you have your head in the sand.

And I discovered this because I was being hacked and I am providing a possible solution. So should I keep this solution private, is that what you are saying?

Discussing a security hole that is already being used by the bots is not a bad idea (IMHO) and telling people to rename wp-login.php makes it much more difficult for a hacker to get in because they have no idea what the login php file is, but you will.

I will admit that this doesn't help sites that allow users to login, but I don't - the only ones that can login to our site are authorized.

If you check your access logs on your server I'm willing to bet you are being targeted.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
  #6  
Old Dec 21, 2013, 06:18 AM
juggledad's Avatar
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
to give anyone who is interested some more information, here is what happens

someone trys to use wp-login.php. The code in .htaccess sends them to the first html file (it can have any name) which redirects them to a second html file after a set period (the '8' seconds). The second html file tells them to stop hacking.

1) rename wp-login.php to 'xxxxxxx.php' (where xxxxxxx is some text string you pick)
2) Edit the file (use a TEXT editor) and change all occurrences of the string 'wp-login.php' to the new name. You must do this or logins will fail!
3) add a line in your .htaccess file
HTML Code:
RedirectMatch 301 ^/wp-login\.php$  http://yourdomain.com/wp-content/badbot-403.html
4) create a file 'badbot-403.html with the following
HTML Code:
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title>
    </title>
    <meta http-equiv="refresh" content="8;url=http://yourdomain.com/wp-content/badbot-warn.html" />
  </head>
  <body>
  </body>
</html>
the reason for this is the '8' it delays 8 seconds before transfering to the next page - delaying a bot a little (every little bit helps) but not messing it up for any of my users that forget and use the wrong login file name
5) create another file 'badbot-warn.html' with
HTML Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<title>Please stop hacking</title>
</head>
<body>
<br /><br /><br /><br /><br /><br /><br />
<br /><br /><br /><br /><br /><br /><br />
<div style="text-align: center;">
<span style="color: #000000; font-size: 24px;">Invalid Login Attempt
</span></div>
<br /><br /><br /><br />
<div style="text-align: center;">
<span style="color: #ff0000; font-size: 34px;">Your computer has attempted to login to this site.<br />Please stop hacking.</span></div>
</html>
Now you have to use the name of what you changed wp-login.php to - for example:
If you changed 'wp-login.php' to 'ha-try-and-find-this.php' you would use 'yourdomain.com/ha-try-and-find-this.php' - you can not use 'your domain.com/wp-admin' because that calls wp-login.php and off to the warning you go.

All this won't stop hacking attempts but it will slow them down a bit.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support

Last edited by juggledad; Dec 24, 2013 at 07:00 AM.
  #7  
Old Dec 21, 2013, 06:53 AM
juggledad's Avatar
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
@STB: I humbly disagree with you. It is now a known issue that userid''s can be discovered. It doesn't matter what you use as an admin id IT CAN BE DISCOVERED - so telling people not to use 'admin' really doesn't matter

period , end of story!! nothing more , nothing less

capice?

p.s. if you want to reply to a PM do so in a PM not in a thread
this topic is closed.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support

Bookmarks

Tags
admin username, hack attempt, wordfence



Similar Threads
Thread Thread Starter Forum Replies Last Post
Lots of repeated code on this page Marge Center area post/pages 1 May 31, 2012 03:31 PM
Hack Attack and FileZilla rickheck New Versions, & Updating 1 May 28, 2012 06:39 PM
Help - Recovering from major hack mandrakeman1965 New Versions, & Updating 8 Aug 22, 2010 07:52 PM
Testing new thread, question about hack paulae Atahualpa 3 Wordpress theme 1 May 18, 2010 02:45 PM
admin-ajax-php hack? CHi106 Atahualpa 3 Wordpress theme 0 May 16, 2009 06:01 PM


All times are GMT -6. The time now is 12:59 PM.


Powered by vBulletin® Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.