Automated WordPress login hackers

wordpress

#1

A recent blog article about up to 90,000 IP addresses being used to try to hack WordPress sites is here:

superbot net

I’ve been seeing an average of 90 login attempts per day for each of my sites. I’m sure you all have been seeing similar if you’re looking.

Two options to solve this: 1) only allow access to wp-login from a specific IP address or addresses, or 2) take appropriate precautions of NEVER using an admin account, or any variant of the word admin, and pick a strong password.

Look through the 2000+ passwords guessed in the last 20 days by WordPress trolls here:

wordpress troll watcher

and if your passwords look like any of these, change them to ones that are more difficult to guess!

To eliminate all but approved IP addresses, put this in .htaccess:

# Scope the rule to the login page; without this block the whole
# directory would be closed to ordinary visitors as well.
<Files wp-login.php>
	Order Deny,Allow
	Deny from all
	Allow from xxx.xxx.xxx.xxx
	ErrorDocument 403 ""
</Files>

where you replace xxx.xxx.xxx.xxx with your IP address and add an Allow line for each additional IP address you want to allow.


#2

FWIW, we’ve added firewall rules to slow down people even getting to your sites. (Which is also the answer to the ‘Where has Mika been lately?’ question).

You can also add this to your .htaccess (above the WP calls) to prevent some of the damage:

# Stop spam attack logins and comments
# Replace example.com with your own site's hostname in the Referer check.
# Note: the Referer and User-Agent headers are client-supplied, so this rule
# only turns away bots that do not bother to set them.
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{REQUEST_METHOD} POST
	RewriteCond %{REQUEST_URI} (wp-comments-post|wp-login)\.php
	RewriteCond %{HTTP_REFERER} !.*example\.com.* [OR]
	RewriteCond %{HTTP_USER_AGENT} ^$
	RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
</IfModule>
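Both recipes in this thread can be checked against the web server's own access log. The script below is an added example, not code from either post or from WordPress: it parses a handful of constructed Apache combined-format log lines, counts POSTs to wp-login.php per client address and day (the kind of tally behind the "90 attempts per day" figure in #1), and then applies the two rules discussed here in Python form, the IP allowlist from #1 and the POST / Referer / User-Agent conditions from #2. The hostnames and addresses (example.com as the site, 192.0.2.10 as the approved administrator address, the other addresses as attackers) are constructed placeholders from the documentation ranges.

```python
import re
from collections import Counter

# Constructed Apache "combined" log lines (not real traffic): login POSTs from
# two brute-forcing hosts plus one legitimate login from the admin's address.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2013:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "-"
203.0.113.7 - - [15/Apr/2013:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.22 - - [15/Apr/2013:03:15:44 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "http://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.22 - - [16/Apr/2013:11:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "http://evil.example.net/" "python-requests/2.0"
192.0.2.10 - - [16/Apr/2013:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.10 - - [16/Apr/2013:09:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "http://example.com/wp-login.php" "Mozilla/5.0"
"""

# Hypothetical allowlist: the one address the site owner logs in from.
ADMIN_ALLOWLIST = {"192.0.2.10"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Split combined-format lines into dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["day"] = r["ts"].split(":")[0]  # "15/Apr/2013:03:12:01 +0000" -> "15/Apr/2013"
        records.append(r)
    return records


def login_posts_per_ip_per_day(records):
    """Tally POSTs to wp-login.php per (day, client IP): the attempt counts #1 talks about."""
    counts = Counter()
    for r in records:
        if r["method"] == "POST" and r["uri"].split("?")[0] == "/wp-login.php":
            counts[(r["day"], r["ip"])] += 1
    return counts


def allowed_by_ip_allowlist(record, allowlist):
    """#1's rule: wp-login.php is reachable only from approved addresses.
    Everything else on the site stays open."""
    if record["uri"].split("?")[0] != "/wp-login.php":
        return True
    return record["ip"] in allowlist


def blocked_by_rewrite_rule(record, site_host="example.com"):
    """#2's rule as Apache evaluates the RewriteCond chain: POST, to a login or
    comment script, and (Referer not from our site OR empty User-Agent).
    Apache logs a missing header as "-", so treat that as empty."""
    if record["method"] != "POST":
        return False
    if not re.search(r"(wp-comments-post|wp-login)\.php", record["uri"]):
        return False
    referer_from_site = site_host in record["referer"]
    empty_ua = record["ua"] in ("", "-")
    return (not referer_from_site) or empty_ua


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("wp-login POSTs per day and address:")
    for (day, ip), n in sorted(login_posts_per_ip_per_day(recs).items()):
        print(f"  {day}  {ip:<15} {n}")
    print("\nper-request verdicts:")
    for r in recs:
        print(f"  {r['ip']:<15} {r['method']} {r['uri']:<18} "
              f"allowlist permits={allowed_by_ip_allowlist(r, ADMIN_ALLOWLIST)!s:<5} "
              f"rewrite rule blocks={blocked_by_rewrite_rule(r)}")
```

The third sample line is the instructive one: a login POST whose Referer claims to come from example.com passes #2's rule untouched, because both headers it inspects are supplied by the client, while #1's allowlist still refuses it. Where the administrator has a fixed address, the allowlist is therefore the stronger control; the rewrite rule mainly thins out bots that never set those headers, which is what the traffic in #1 largely consists of.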

#3

Thanks for this. Can you please advise - I have very secure passwords but have been using the admin defaults for years, didn’t realize it was an option. Now, however, when I go to change the account, it tells me I cannot change account names. If I create a new named/admin account under a new name with full privileges, can I delete the old?
Thanks,
Susana


#4

datsun - Yes.

Make your new admin account, set it to administrator, log out as admin and log in as the new you. Then delete the admin account.

BE CAREFUL! You will be asked what to do with the existing posts - MAKE SURE you assign them to your new user.

Here’s a visual: http://www.digitalkonline.com/blog/change-your-wordpress-admin-username/ :slight_smile:

You can also use one of these plugins:



#5

Excellent. Will do, thanks!
s.