


Thread: Reminder of Easy Steps to Avoid WordPress Hackers

  1. #1
    Join Date
    Dec 2007
    Location
    Alexandria, MN USA
    Posts
    6,348

    Reminder of Easy Steps to Avoid WordPress Hackers

    We have had a lot of new people join lately who are following the wise advice (from Lisa and others) to use WordPress for a CMS (content management system) and shortcut around learning a lot of code at the beginning. This post is not about anything new, but for those who do not know about this or others who may not have acted on it yet to take the elementary steps to block hackers from getting into your site.

    I just got a notice from a program I have installed which is what motivated me to make this post. This is what it said:

    16 failed login attempts (4 lockout(s)) from IP: 31.221.71.132

    Last user attempted: admin

    IP was blocked for 24 hours

    You will notice two things here. First, the login attempts that were blocked tried to get in by using the old WordPress administrator default, "admin" and then guess at passwords.

    The first step a person should take is to get rid of the default "admin" administrator if it is being used. It is very easy. Just set up a new user name and give it administrator privileges. Once you are sure it is working OK, delete the "admin" user. Most hackers will likely be using it and will automatically be rejected. In my case, even if they had guessed my password (and robots can try a lot of combinations) their attempt would not have worked.

    The second step which I recommend is to install the free plugin I use, "Limit Login Attempts." You can adjust the settings, but if you look at the report I received you will see that any ISP that tries four times to log in with the wrong combination of username and password will be blocked for 24 hours. Amazingly, I think, the report here shows that this ISP has been blocked four times for 24 hours. They do not give up easily!

    These are extremely important steps to take with a new WordPress site and only take a couple minutes to do. I thank everyone here who has written about them before, especially Lisa who has made a strong point of changing the user name in some of her posts.

    I have a site where I am collecting my most important ideas for successful work online, mostly as reminders and mini-tutorials for how to do things so I can get to the information when I need it (especially for things like this that I do not do often but do not want to forget). I am thinking that I am going to write this up and add it to my collection. I never want to neglect it, especially as I think of what I might be going through right now if the hacking identified in this report had succeeded in accessing my site.
    Good Success!

    Website: Success With Money
    "People will forget what you said, people will forget what you did, but people will never forget how you made them feel." —Maya Angelou
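    The lockout policy described in the report above (four wrong logins from one IP, then a 24-hour block), as an added Python model; it is not part of this post or of the Limit Login Attempts plugin. The log lines are constructed, and the rule that attempts made during an active lockout are rejected without counting is an assumption of the model.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Policy taken from the quoted report: 4 wrong logins from one IP => 24 h lockout.
# Assumption (simplified model, not the plugin's code): attempts made while an IP
# is locked are rejected outright and do not count toward the next lockout.
FAILURES_PER_LOCKOUT = 4
LOCKOUT = timedelta(hours=24)

def simulate(events):
    """events: (timestamp, ip, username) tuples, each one a failed login.
    Returns per-IP counters in the style of the notification quoted above."""
    state = defaultdict(lambda: {"failed": 0, "lockouts": 0, "rejected_while_locked": 0,
                                 "usernames": set(), "_streak": 0, "_locked_until": None})
    for ts, ip, user in sorted(events):
        s = state[ip]
        s["usernames"].add(user)
        if s["_locked_until"] is not None and ts < s["_locked_until"]:
            s["rejected_while_locked"] += 1   # login form disabled for this IP
            continue
        s["failed"] += 1
        s["_streak"] += 1
        if s["_streak"] >= FAILURES_PER_LOCKOUT:
            s["lockouts"] += 1
            s["_locked_until"] = ts + LOCKOUT
            s["_streak"] = 0
    return {ip: {k: v for k, v in s.items() if k[0] != "_"} for ip, s in state.items()}

def constructed_log():
    """Constructed sample log (not real data): four bursts of four wrong passwords
    for 'admin' from one IP, each burst after the previous lockout has expired, plus
    one extra try per burst while still locked, and one stray failure from another IP."""
    lines = []
    for day in range(4):
        t0 = datetime(2014, 1, 7, 1, 0) + timedelta(days=day, hours=day)
        for i in [0, 1, 2, 3, 10]:   # minute 10 falls inside the 24 h lockout
            lines.append(f"{t0 + timedelta(minutes=i):%Y-%m-%d %H:%M} 31.221.71.132 admin")
    lines.append("2014-01-08 12:00 198.51.100.7 editor")
    return lines

def parse(lines):
    """Parse 'YYYY-MM-DD HH:MM ip username' lines into event tuples."""
    for line in lines:
        date, time, ip, user = line.split()
        yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"), ip, user

def report(lines=None):
    """Summarise a log; with no argument, runs over the constructed sample."""
    return simulate(parse(lines if lines is not None else constructed_log()))
```

Running `report()` over the constructed sample reproduces the shape of the quoted notice: 16 counted failures and 4 lockouts for the one IP, all of them against the retired "admin" name, which is why deleting that account makes every such attempt fail before the password is even relevant.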

  2. #2
    Join Date
    Sep 2012
    Location
    Ilkeston, Derbyshire, England
    Posts
    1,548


    There is also a free plugin called Better WP Security which hides the WordPress theme you're using. So when you right click and choose "View Source" on your website you will not be able to see which theme is used. Whenever I look at a WordPress site, the first thing I do is check to see if the webmaster has hidden their theme name. Nine times out of ten they haven't done this.
    Last edited by Darren; 01-10-2014 at 07:17 PM.

  3. #3
    Join Date
    Apr 2007
    Posts
    14,835


    Great, great tips James and Darren!! I have heard nothing but good things about Better WP Security in the last year or so.

    Yes, as James mentioned.... don't forget to add a "Nickname" to your profile (under the profile settings in WordPress). That way it will show your nickname in the comments instead of the actual username you use to login to WordPress.

  4. #4
    Join Date
    Apr 2009
    Location
    New Brunswick, Canada
    Posts
    339


    Good tips, indeed! I was using Login Lockdown, but after hearing about Better WP Security, I quickly downloaded and installed it.
    James M. Fisher, Microsoft Windows MVP

  5. #5
    Join Date
    Jan 2009
    Posts
    85


    In the past I used to block wp-login.php via htaccess (as well as wp-register.php) and login directly to the direct URL to the admin panel.

    I also removed the link to the admin login link from the theme as well as renamed my default admin login URL from /wp-admin/ to something else.

    Blocking wp-login.php in htaccess should still let you login, it did for me at least.
