WP Security

#1
I have installed a plugin called Loginizer to limit the number of login attempts on my site.

Loginizer is a WordPress plugin which helps you fight against brute-force attacks by blocking login for the IP after it reaches maximum retries allowed. You can blacklist or whitelist IPs for login using Loginizer.

In short, every day there are people trying to log in, from all over the world.

I have a long password, plus I keep all my plugins updated. Should I be concerned about security or simply ignore them? Is there anything else I should do?

Thanks for any feedback.
 

Ryuzaki

#3
I did the same as Tao, but with the manual method outlined in that link that @turbin3 had posted here a year or two ago. Been fantastic. I actually got myself on the blacklist last night because my server blipped for a few moments after I loaded the page and refreshed a few times and it wouldn't accept my password. Had to get tech support to remove my IP from the list. It works good!

I had a site, back when Page Rank was still a huge thing for people, using it as a metric on who to target. It was PR 6, and like you said, it was non-stop attempts to login to the point where it started becoming a DDOS attack.

It's not a big ordeal to set this up at all, especially if you use cPanel. That link has a UI method of getting it done. The manual method isn't bad either. I would definitely do this on any project you care about.
 

Rageix

#4
There are a number of things you can do but the simplest is you should lock down the login and wp-admin sections to your IP or maybe the IP of something like a VPN with a static IP.

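The easiest way to do this would be to put it in a .htaccess file:

Code:
# Return 403 for wp-login.php and wp-admin unless the request comes from the allowed IP.
RewriteEngine on
# Match any URI containing wp-login.php ...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
# ... or any URI ending in wp-admin (no trailing slash)
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ... and only when the client address is not the allowed one
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
Replace 123\.123\.123\.123 with your own IP.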
 

turbin3

#5
Here's the post Ryuzaki mentioned, as far as IP restricting WP login/admin or other URLs.

A while back I came up with this great idea for obfuscating WordPress footprints. At least I thought it was cool, but then I am weird. It's purely theoretical. I may even be missing some important things, and it might never work, so take my words with a grain.

The idea is, a program that would rewrite site structure such that NOTHING is located where it would be expected. Security by obscurity is not sufficient. Though, the idea would be bypassing most low barrier to entry script kiddies. One major issue would be ensuring paths inside files, and functions calling paths, are rewritten so your WP instance will function.

Take all of these wp-content, wp-includes, wp-admin, etc. directories and core files for example. Imagine a massive grep + sed (or whatever) find/replace from standard url -> new url. No redirects, because you don't want any indicator that it's a WP site. Just entirely different site structure.

Take it a step further and have the find/replace generate crazy hashes for the URLs, like:

example.com/sYHesq54/sr4ty5/style.css (replacing wp-content or other core subdirectory)

See what I'm getting at? That's the problem with WP, is so many obvious attack vectors (vulnerable plugin/theme directories with known names, obvious core file paths, etc.). The barrier to entry is so low, you can just fire up a script with the latest, greatest list of tens of thousands of known filepaths until you strike gold.

At the least, maybe it could give more people a bit of breathing room from the non-stop attacks. Blend in with the crowd. Unfortunately, I never took the time to try and build it.
 
#6
I got so annoyed with these continuous attempts to access the WP login that I added a password to protect the wp-admin folder and wp-login.php file:

http://www.wpbeginner.com/wp-tutori...tect-your-wordpress-admin-wp-admin-directory/

You have to be careful though as this can stop some plugins/themes from working, depending on how they are coded.
Thank you BuSo for all the alternative methods to solve this problem. I had searched before for answers in the forum and didn't find the previous thread. I ended up following the method above, which seemed simpler for my (low) technical skills.

I am still leaving the Loginizer plugin for a few days to monitor login attempts. Apparently, it is all solved now. I even managed to lock myself out of my own site for 60 minutes :confused:

Have a profitable week.
 
#7
I mainly just use the Wordfence plugin, though I'm in no way an expert in security. Is that enough for most sites? You can also change your /wp-admin to something else to throw them off.
 
#9
I must have done something wrong because someone was still trying to access my site.

> There are a number of things you can do but the simplest is you should lock down the login and wp-admin sections to your IP or maybe the IP of something like a VPN with a static IP.
>
> The easiest way to do this would be to put it in a .htaccess file:
>
> Code:
> RewriteEngine on
> RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
> RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
> RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
> RewriteRule ^(.*)$ - [R=403,L]
> Replace 123\.123\.123\.123 with your own IP.

I reverted all changes I did this morning and I did this one instead. It is only one file to edit and keep track of, so it is even simpler.

I just wish I get this site to a profit ASAP, and then have peace of mind to have my mind free and learn this kind of technical thing properly. Ignorance is no bliss, just a pain.

Thanks once again to all.
 

Ryuzaki

#10
> I must have done something wrong because someone was still trying to access my site.

If you were getting the "enter username and password" pop-up when trying to log in then it was working. You may still capture IP addresses of bots and people trying and report them to you, but they won't get past that part. Your server probably has a firewall that'll place a temporary block on the IPs trying too after 5 failed tries or whatever.

But this is only blocking logins. It's not going to stop MySQL injections from crappy plugin vulnerabilities or XSS on un-sanitized forms, etc.

> I reverted all changes I did this morning and I did this one instead. It is only one file to edit and keep track of, so it is even simpler.

Here's a heads up for you. Keep the FTP information accessible, because you may be on vacation or at a friend's or restaurant and notice an issue that needs immediate attention. You'll need to FTP in to remove the restriction if you want to log into the backend. Also remember that if you hire people, you'll need to add their IPs to the whitelist, and also that most people don't have static IPs so you'll be updating it regularly to make sure your workers always have access.
 
#12
So... one of my WordPress sites has been hacked and now has a bunch of clone type pages with contextual type description links in. Oddly, these contain links to my site only on most pages and one page has 6 other site links.

I can't find the pages in the backend but I can find them while using the link tool in page editing.

What's typical is this site is the only one that I didn't do any security basics on and haven't really edited much for a good 8 months or more and (I didn't back it up - YES school boy error)
I broke every basic rule on this site and now I'm going to pay for it in wasted time I should be using to boost its rankings and income.

Fortunately this has not impacted the ranks rather than boost them if anything and revenue is up too and has been for months.

Any tips or ideas on how to find these pages?

(I'm ready for the onset of noober abuse too haha!) :confused:
 
#13
Sometimes the pages are pure HTML in a folder called _ or similar, so it looks like it's from within WP, although it's actually just pure HTML.
 
#14
I've hunted through the server, through the site, even searched the page titles/URLs in the database and can't find anything.

So I installed BULK Delete plugin, entered each URL manually and then refreshed and the pages disappeared, I got 404 as expected. Thought that had done it, so I 301 redirected the pages/posts to relevant pages as bizarrely they've built backlinks to those pages and they're ranking for those terms. Not great links, but passable and low competition. pos: 1,2,3,4 for a bunch of terms.

All seemed good.

I just went back to continue my initial task of interlinking and the pages are once again showing up in the link pages list?? They had gone initially.
 

CCarter

#15
@shiftymcnab - You have a WordPress trojan/rootkit on your server. It replicates itself within multiple folders naming itself inconspicuously different nonchalant filenames. If you get rid of 999 out of 1000, you didn't get that last 1, and that last one will simply replicate itself again.

I've seen this type of trojan multiple times from WordPress installs. You need a specialist to go in and delete all the bad files and preferably install a fresh WordPress and move your data for you.

It can be done manually, but you have to use Linux commands to find the files that were the most recent edits - usually all down to the same nano-second. Even then it's not enough (Discussion about this here and here).

Deleting the posts without deleting the trojan/rootkit will not do anything - as you saw for yourself. @SmokeTree is the person I would hit up for this. He's a Linux wizard.
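
One way to run the check described in the post above, finding PHP files whose modification times coincide down to the fraction of a second (an added example, not from the thread; the function names are made up for illustration, and GNU find is assumed for `-printf`):

```bash
#!/bin/sh
# Added example. Needs GNU find (-printf) plus sort, uniq and awk.

# mtime_clusters DIR [MIN]
# Print "<count> <mtime>" for each modification time, compared to the full
# fractional second, that at least MIN (default 3) PHP files under DIR share.
mtime_clusters() {
  find "$1" -type f -name '*.php' -printf '%T@\n' |
    sort | uniq -c |
    awk -v min="${2:-3}" '$1 + 0 >= min + 0 { print $1, $2 }' |
    sort -rn
}

# files_at_mtime DIR MTIME
# List the PHP files whose mtime is exactly MTIME (a value printed above).
# The comparison is done on strings so no sub-second digits are lost.
files_at_mtime() {
  find "$1" -type f -name '*.php' -printf '%T@ %p\n' |
    awk -v want="$2" '($1 "") == (want "") { print substr($0, length($1) + 2) }' |
    sort
}

# Run as: sh mtime.sh /path/to/webroot [MIN]
if [ "$#" -ge 1 ]; then
  mtime_clusters "$1" "${2:-3}" | while read -r count stamp; do
    echo "== $count files modified at $stamp =="
    files_at_mtime "$1" "$stamp"
  done
fi
```

A cluster is only a lead for manual review: modification times can be reset by whoever writes a file, which fits the post's point that this check alone is not enough.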
 
#16
> WordPress trojan/rootkit on your server. It replicates itself within multiple folders naming itself inconspicuously different nonchalant filenames

That was my worry. Thank you, it's clear now. I will contact @SmokeTree.

Let this be a lesson to all you builders out there. Do your security FIRST and keep your site up to date.

I'm really annoyed at myself as I always take security seriously and harp on about it all the time...
 
#17
With wp you can backup db, backup wp-content and wp-config, then delete everything. You should never have to mess with core files, so you can always delete and reinstall them.

Clean up wp-content offline, scanning it for typical code such as redirects or eval. You can do that with a bash script, there's some on GitHub probably already. Usually the code is very easy to find.

Make sure there are no php files where they shouldn't be. Delete any php file, or non img files, in WP-uploads, they shouldn't be there.

Ideally, delete all plugins and install from source again if you have them, delete the theme and keep your child theme, and compare the code with what you know. You can delete plugins and install, they stay contained to their folder.

Usually with child theme there's just a few files you've modified, so it will be easy to see.

Search for the plugins names to see if there are known vulnerabilities. Same with themes. Don't install these again. Sometimes plugins aren't well maintained, or they depend on libraries that are vulnerable.

Check DB for anything suspicious, usually I haven't seen anything in the db on hacked sites.

Clean up your hosting/VPS, change PW, db pw etc.

If you have many wp sites under the same user (they share the web root, i.e. shared hosting), it can be pretty bad, you may have to go through all sites.

Then install a new WP core, copy over WP-content and wp-config.php.

** Some tips once it's cleaned up: **
With WP make sure files have the right permissions, run each site under a new user with just enough privileges to run WP. Don't install nulled themes or plugins, don't install plugins from all kinds of sources. As few as possible. Popular ones such as Yoast are probably fine as they are well maintained, but not some 3 year old funny plugin to FTP or modify DB you found on Google. Don't allow root login via PW, turn off WP XML-RPC. Remove plugin footprints from source code.
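
The offline scan of wp-content described in the post above could look like this (an added example, not from the thread; the function names and patterns are illustrative assumptions, and every match needs manual review because legitimate plugins also call these functions):

```bash
#!/bin/sh
# Added example: triage a wp-content copy that was taken offline for cleanup.

# php_in_uploads WP_CONTENT
# Files under uploads/ that are PHP by extension, or that carry a PHP open tag
# whatever their extension (for instance a ".png" that is really a script).
php_in_uploads() {
  {
    find "$1/uploads" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
      -o -iname '*.phtml' -o -iname '*.phar' \)
    grep -rlF '<?php' "$1/uploads"
  } 2>/dev/null | sort -u
}

# suspicious_php WP_CONTENT
# PHP files that contain eval(), base64_decode(), gzinflate(), or a
# header("Location: ...") redirect. These are leads, not verdicts.
suspicious_php() {
  grep -rliE --include='*.php' \
    '(^|[^[:alnum:]_])(eval|base64_decode|gzinflate)[[:space:]]*\(|header[[:space:]]*\([[:space:]]*["'\'']Location:' \
    "$1" 2>/dev/null | sort
}

# Run as: sh scan.sh /path/to/offline/wp-content
if [ "$#" -ge 1 ]; then
  echo "== PHP inside uploads =="; php_in_uploads "$1"
  echo "== Suspicious patterns =="; suspicious_php "$1"
fi
```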
 
#18
> ** Some tips once it's cleaned up: **
> With WP make sure files have the right permissions, run each site under a new user with just enough privileges to run WP. Don't install nulled themes or plugins, don't install plugins from all kinds of sources. As few as possible. Popular ones such as Yoast are probably fine as they are well maintained, but not some 3 year old funny plugin to FTP or modify DB you found on Google. Don't allow root login via PW, turn off WP XML-RPC. Remove plugin footprints from source code.

I usually do all the basics and some. htaccess, admin locations, file permissions, headers, hide WP version, xml rpc, database table prefix, user access, disable pretty much everything. firewall, cdn, ssl.. yada yada. lol

This one I was for some reason in a rush and just default install, slap some plugins in and loaded it up.

Well, I'm pleased to say I fixed it. It was some random (doubt I installed it as I'd only ever really use Yoast) premium SEO plugin. Disabled, deleted. Cleared clone pages via bulk delete. All clean and no references left to the pages and no more duplication.

Premium SEO plugin - Version 5.5 | By Web SEO Services - no other info i can get from it.
 

SmokeTree

#19
@shiftymcnab Glad to hear you've fixed it :smile: I was just writing a response to both the thread here and your message. Appreciate the props from @CCarter. My focus is mainly on Software Development and custom Linux configs and I don't normally take on WordPress work these days other than maybe configuring a server from scratch. Definitely keep me in mind if you have one or more servers you need to have configured/updated or if you need custom software beyond just a simple script (SaaS, Scrapers, Monitoring Systems, etc).