
Hi there

In the last 2 months we have had a lot of brute force attacks using different usernames.
What is more problematic is that 3 weeks ago I changed the Admin username, and 1 week later they started hammering the new username as well. Also, the brute force is a clever one, as they are using multiple IPs to try passwords. They try probably 30 to 60 an hour of different users.

What I have done:

I used .htaccess to block access to the wp-admin folder and allowed it only from one IP.
I also integrated CAPTCHA on the Admin login so robots cannot try to log in. The thing is, WordPress must have many ways an admin can log in, as wp_admin is not accessible yet I still get logs of failed logins from the Sucuri plugin.

We are using the website for advertising only, no blogging or super hi-tech stuff. What else is there to block or disable to stop these attacks from happening?

Any help appreciated.

  • Sajid

    Hi @Isaia

    Hope you are doing good today :slight_smile:

    You cannot stop bot attacks. What you can do is protect your site from brute force attacks.

    Secure your site with a plugin like iThemes Security, use secure passwords not only for admin users but for all other users, and also make sure you are using a secure and strong password for your database connection.

    Finally, keep your WordPress and plugins/themes up to date.

    Take care and have a nice day :slight_smile:

    Cheers, Sajid

  • Isaia

    So in other words you are saying that there is no way to stop robots from trying to log in as admin in WordPress?

    It is a first for me, but from a technical point of view I consider it the biggest mistake of WordPress development, to not be able to secure and block logins to a WordPress website or limit access to specific IP addresses.

    I would almost say that WordPress was built as a time bomb of mass control if the end user cannot or does not have the possibility to lock it down.

    Trojan horse it is called, I think.

    I guess I'll have to change my platform of development from this Crap :slight_smile:

  • Sajid

    Hi @Isaia

    Hope you are doing good today :slight_smile:

    I mean hackers will keep trying to access your site to hack it. So you cannot stop them from doing nasty activities :slight_smile:

    What you can do is protect yourself. Protecting with .htaccess is a good move, and only users with a specific IP can access wp-login.php or the wp-admin area. They can access and try to log in if you have any login plugin or widget anywhere on your site that has public access.

    Also, in the iThemes Security plugin there is an option to hide the WordPress admin and set a specific time, usually when you log in to WP and make some changes.

    WordPress is secure and its core contributors keep it secure by pushing updates regularly, but being the most popular and widely used content management system, it's on the hit list of hackers/bots.

    One last thing: running your website on SLS will also help you protect your site and ensure maximum security.

    Hope I made myself clear, and I apologise for the confusion. If I can be of any further assistance please don't hesitate to ask.

    Cheers, Sajid
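An added example, not part of any post in this thread: one way to find which endpoint still accepts login attempts after wp-admin is IP-restricted is to group POST requests in the web server access log by path and look for paths hit by many distinct outside IPs that are not rejected. The log lines, IP addresses and the `min_ips` threshold are constructed for illustration; `/xmlrpc.php` appears in the sample because WordPress's XML-RPC endpoint also accepts credentials.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2024:10:02:40 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Mar/2024:10:05:13 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Mar/2024:10:06:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.21 - - [12/Mar/2024:10:07:55 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.22 - - [12/Mar/2024:10:09:31 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.23 - - [12/Mar/2024:10:11:47 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:12:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.30 - - [12/Mar/2024:10:13:09 +0000] "POST /contact/?sent=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.31 - - [12/Mar/2024:10:14:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def login_surface(log_text, allowed_ips=frozenset()):
    """Per path: POST count, distinct source IPs, and POSTs the server did not reject."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "not_blocked": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        if method != "POST" or ip in allowed_ips:
            continue  # ignore non-POST traffic and the administrator's own address
        entry = stats[target.split("?", 1)[0]]
        entry["hits"] += 1
        entry["ips"].add(ip)
        if int(status) < 400:  # a 403 means the .htaccess rule did its job
            entry["not_blocked"] += 1
    return stats


def exposed_paths(log_text, allowed_ips=frozenset(), min_ips=3):
    """Paths that several distinct outside IPs POST to and that still get through."""
    stats = login_surface(log_text, allowed_ips)
    return sorted(path for path, s in stats.items()
                  if len(s["ips"]) >= min_ips and s["not_blocked"] > 0)


if __name__ == "__main__":
    print(exposed_paths(SAMPLE_LOG, allowed_ips={"198.51.100.7"}))
```

Counting distinct IPs per path rather than requests per IP matters here because the attempts described in the thread are spread thinly across many addresses.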
