Hundreds of WordPress Websites Hit by Hackers

Regarding a recent post on one of the local blogs about hundreds of WordPress blogs being targeted by hackers. See link below.

http://mybroadband.co.za/news/security/80137-south-african-websites-hit-by-hackers.html

Any suggestions for improvements to make sure we're not one of them? We've been fighting with some foreign visits (visits that don't seem real); one case is multiple IPs from the same country that cost me like 5G of traffic in 12 hours. I immediately installed a plugin to block the user based on his location based on his IP address, but it seems like they have a way to "jam" the plugin to force the site to go down.

Apart from everything above, are there any suggestions to improve the security of your site?

  • Alexander

    Hi @Ezra

    Sorry to hear about that happening to your site! That sort of thing has been happening quite a bit lately. Really all that matters is that you stop being the low hanging fruit. Simply changing your username from "admin" to something else goes a LONG way.

    You've already got a security plugin installed, and that would have been my second recommendation. But here's one I like particularly for anyone else reading this: http://wordpress.org/extend/plugins/wordfence/

    With your case of the excessive traffic, IP blocking is your best option.

    We did a blog post when the attacks started happening, and there's a bit of discussion in the comments with useful information you might want to look at.

    https://premium.wpmudev.org/blog/security-alert-for-wordpress-users/

  • p3ctech

    Did you ever try the plugin "Better WP Security"? It offers a checklist of security items to go through to harden your websites. One of them is definitely changing the admin username to something else, also changing the table prefix, the user ID number field, locking your htaccess files, and more. Better WP Security will go through and do some basic things for you, and you can choose to do more, including auto-blacklisting based on failed login attempts and IP blocking automagically.
    Let me know if you try it and what works out for you. Would appreciate any follow-up here to see if there are other practices we can improve on.

    P3C Technologies
    http://p3ctech.com

  • Ez

    Hi there.
    For starters, I'm not an expert in WordPress, but this is how I handle my traffic, and I successfully reduced bandwidth by up to 6 to 8 times. I simply concentrate on LOCAL traffic and Google rankings. Why do I want traffic from "China" if my products are based in "Africa"? Take note that Google crawlers are mostly from North America, and also make use of local servers in your country.

    1) I'm having issues with the caching plugin, especially on multisite. Make sure you back up your stuff, because it installs files in other directories and seems to make changes in your .htaccess file. It can cause major issues with your site if you don't know what you're doing.

    2) Get rid of the "WordFence" plugin if you're using it on multiple sites. It's a fantastic plugin, but it seems to drain the server of RAM and slow everything down when used on multiple sites.

    3) Install the AVH plugin - here are some settings.
    YES - General "use comment nonce"
    YES - Stop Forum Spam
    YES - Project Honey Pot (Set everything to "Harvester & Comment Spammer")
    DON'T USE Spamhaus - it blocks far too much traffic.
    IP Caching not recommended - you can use your raw access files for this.
    You can even make use of the additional products directly from "Project Honey Pot", which are free and harvest the IPs of users who crawl your domains to harvest emails.

    4) The IP-blocking-by-country plugin is a major issue. It might work for a while but with time starts giving issues. Personally not recommended.

    5) If you're a reseller and have multiple sites - IP Blacklisting plugin - contact the developer and buy the SERVER edition, which synchronizes IPs, blocked users and failed login attempts with multiple sites for $50. You can even control the comments for multiple sites from one installation. The guy is very helpful and you can contact him on ad33l@live.com. They also have a database of spammers that synchronizes with all your sites from one installation. Just love the plugin - one place I log in and I can update multiple sites from one place. Saves me lots of time, the guy is extremely helpful and it's very cheap.

    6) The major features you need for these kinds of spammers are a) block by IP, b) block certain users, c) block known comment spammers, d) block people who try to log in to your site with multiple attempts. (I get 5000 attempts from them in a period of 15 min - they try user names "administrator", "admin" or a combination of your domain name with "common passwords used by people".) The "IP blacklist" plugin + the server edition have a very nice and easy way to handle this, plus if you buy the server edition it synchronizes the data with your other sites in minutes, saving you time and traffic.

    7) You can use your standard "webstats" report for a domain, which normally lists your top IPs. Do a simple IP search and determine if the IPs are valid. If not, then block them - again, if you're using IP Blacklist, it's really easy. (Just look out for traffic by country and crawlers like Google or MSN - you don't want to block them. I think they will be mostly from North America.) I use free sites like:
    ipligence.com/iplocation

    8) HARVESTING IPs: a) Import your raw webstats into an Excel worksheet and use the "Text to columns" option to sort it. Excel 2010 and up works the best. b) Use the "Filter" option and group the ones that indicate "robot" in them (these ones won't normally appear on your webstats (point 7 above) because they're seen as crawlers, but they're not always crawlers. TIP: Look at your webstats and see the bandwidth breakdown. Normally the crawlers are indicated by "other". If it's out of line, then you know where to start). c) Then group them Z-A (range) and do a simple IP lookup for the IPs that appear the most in your list to see where they're from. (If you know Microsoft Access or a bit of coding, then this is very easy to handle; otherwise just group them together, simply scroll down in Excel and see which IPs are appearing the most.)

    I also like free tools like the link below: simply copy text (for example from your stats report), paste it into the site and it will extract all the IPs for you. It is also an easy way to get rid of duplicate IPs.
    toolsvoid.com/extract-ip-addresses

    Hope this helps.

  • joan_donogh

    Hi Ezra, thank you very much for taking the time to provide such a detailed response.

    I am having issues with the caching plugin also - yes, it does write information to the .htaccess file. So far I have only installed it on 2 of my own sites, and on one (a multisite) it broke.

    I have installed the AVH plugin and IP Blacklist plugin that you recommended, and got the server edition.

    I do already use the Limit Login Attempts plugin (since the last attack on WordPress login pages), but currently it does not seem to be helping. I guess for whatever reason the "attackers" are not always trying to log in.

    Once I get this all in place, I will go back to your suggestions about extracting the IP addresses. Your tips there will be very helpful also.

  • Ez

    Hi there. I recommend you get rid of the "Limit Login Attempts" plugin - I don't think it's good to run two plugins that do the same job. IP Blacklist works the best.

    My current settings that I use:
    -Set login attempts at 3
    -Time 15

    You will see that every time you log in to your site, a list of failed attempts will be displayed. Just click on the link next to it to blacklist it; that will synchronize with your server and then with the other sites. What I love about this plugin is that it shows you the IP, user name and password. You will notice that the bulk of them will be either the user names admin, administrator or a combination of your domain name - simply just blacklist them.

    Also remember to update your IP Blacklist Server from the IPFind.me site - using the options on the server panel.

    Caching plugin - had the same issue. You will have to replace your .htaccess file, remove the plugin and also a file in the wp-admin folder (if I remember clearly).

    Remember to also go to the AVH plugin stats after a while - it will show you how many visitors it blocked.

    I think your main problem is getting the correct IPs that spam your site. Obviously they're using some sort of software that "thinks" it managed to post free links on your site - thus it keeps on returning to your site. You will notice that they stop visiting your site permanently after about 2 or 3 attempts.

    Most of these guys spam your site disguised as "search engines" and won't appear in your normal stats. They will also not appear in your "login attempts". Use your raw domain stats for this.

    -Use the Excel method I described above.
    -Use the link below to view the location of your top visitors.
    http://www.ipligence.com/iplocation
    (Don't block the Microsoft and Google ones from the US)

    Let me know if you need help with it.

    Here is my latest list, which you can simply import from the "IP Blacklist" settings option.
    http://mysimplewebsite.co.za/IPBlacklistDB.csv
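    As an added example (not code from this thread or from any of the plugins named in it), a Python script that applies points 7 and 8 above, and the 3-attempts-in-15-minutes login threshold, to raw access-log lines: it totals requests and bytes per IP, flags user agents that call themselves crawlers, and flags IPs that POST to wp-login.php three times inside one window. The log lines are constructed, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:03 +0200] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:05 +0200] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2013:10:02:11 +0200] "GET /blog/ HTTP/1.1" 200 40211 "-" "FakeBot/1.0 (+http://example.invalid)"
198.51.100.9 - - [12/Apr/2013:10:02:12 +0200] "GET /blog/page/2/ HTTP/1.1" 200 39876 "-" "FakeBot/1.0 (+http://example.invalid)"
192.0.2.44 - - [12/Apr/2013:10:05:00 +0200] "GET /about/ HTTP/1.1" 200 9870 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.44 - - [12/Apr/2013:11:00:00 +0200] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')
# User agents that claim to be crawlers; the raw log is the only place they show up.
BOT_RE = re.compile(r'bot|crawler|spider', re.IGNORECASE)

def summarize(log_text, max_attempts=3, window=timedelta(minutes=15)):
    """Per-IP request and byte totals, bot-like user agents, and wp-login.php bursts."""
    requests, bytes_out = defaultdict(int), defaultdict(int)
    bots, logins = set(), defaultdict(list)
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ip, ua = m['ip'], m['ua']
        requests[ip] += 1
        bytes_out[ip] += 0 if m['bytes'] == '-' else int(m['bytes'])
        if BOT_RE.search(ua):
            bots.add(ip)
        if m['method'] == 'POST' and m['path'].startswith('/wp-login.php'):
            logins[ip].append(datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'))
    # An IP with max_attempts login POSTs inside one window is a brute-force candidate.
    bursts = set()
    for ip, times in logins.items():
        times.sort()
        for i in range(len(times) - max_attempts + 1):
            if times[i + max_attempts - 1] - times[i] <= window:
                bursts.add(ip)
                break
    # Heaviest consumers first: the "IPs appearing the most" from the Excel method.
    top = sorted(requests, key=lambda ip: (-bytes_out[ip], -requests[ip], ip))
    return {'top_by_bytes': top, 'requests': dict(requests),
            'bytes': dict(bytes_out), 'bot_ips': bots, 'login_bursts': bursts}
```

    Feed it a real raw access log instead of SAMPLE_LOG and check the flagged addresses against the IP lookup sites above before blacklisting anything, since search-engine crawlers also match BOT_RE.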

  • Ez

    Hi there.

    Just found another solution to this problem. Some might say it's not the best option, but it really works for me now.

    Simply rename your WordPress login URL, for example: /wp-admin to something else.

    1. Add something to your .htaccess file.

    so, after

    RewriteBase /

    add a new rule

    RewriteBase /
    RewriteRule ^xlogin$ wp-login.php

    2. Make a backup copy of your wp-login.php file in case something goes wrong.

    3. Rename your original wp-login.php file to xlogin.php

    4. Open the new xlogin.php file - use Notepad to find and replace all the entries of "wp-login" with "xlogin".

    To log in in the future, don't use the extension "/wp-admin", but "/xlogin.php". It should work with all themes and plugins. If not, then you can also add the following code to your current theme's functions.php file (right at the bottom, I guess).

    // Rewrite every URL that site_url() builds for wp-login.php to the renamed /xlogin path.
    add_filter('site_url', 'wplogin_filter', 10, 3);
    function wplogin_filter( $url, $path, $orig_scheme )
    {
        $old = array( "/(wp-login\.php)/" );
        $new = array( "xlogin" );
        // Replace only the first occurrence in the generated URL.
        return preg_replace( $old, $new, $url, 1 );
    }

    Hackers won't find the wp-login.php file and will simply leave you alone. This has spared me loads of bandwidth to date.
