WordPress Security Help!
Hi, recently I saw a person trying to brute-force the login to my WordPress site, but without any luck. I have already set up Wordfence and am blocking his IP range (although he uses a VPN to attack from different locations). I have 2FA and Cloudflare DDoS protection. I also turned off XML-RPC authentication because he tried to log in with that. Now he is using Semrush, Googlebot and Bingbot to crawl my site. Can someone please tell me whether this is enough, or what else I can do to make it more secure? Also, is there a way to block those bots? I am confused about what he is trying to do by crawling when I have password-protected my whole site (I did this not out of fear of him but because my site is under development and I do not want any traffic right now). The links he visits are strange, like mysite/vu5p2/etc.html and also mysite/wp-cron?doing_wp_cron=12345.
Any suggestion will be appreciated.
Regards.
Comments
Fail2ban. Limit access to admin by IP. If the attack is targeted, nothing will help except going offline.
Sucuri
Thanks for your reply! But isn't Fail2ban only for SSH? How can I configure it for WordPress?
Is it your server or are you using shared hosting?
If the site is not public and you don't want any traffic, simply block everything but your own IP, or run the web server on a non-standard port.
NinjaFirewall: disable REST API, XML-RPC and PHP upload in the media folder; limit login attempts; captcha on wp-login.
My own DO Ubuntu 18.04 Droplet.
I am currently using Wordfence and up till now I am satisfied with it, as the logs show. I might try Sucuri, as it has a good fan base.
I use LiteSpeed Ent, and for the long term I also wanted to password-protect my wp-admin page, but I tried too many solutions from Google and they only work for Apache. If you could help me with that... I also have a dynamic IP, so I cannot use the method you provided.
This: https://www.digitalocean.com/community/tutorials/how-to-protect-wordpress-with-fail2ban-on-ubuntu-14-04 . It's old, but still relevant.
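The Fail2ban approach above works by counting failed login attempts per source IP inside a time window and banning the address once a threshold is crossed. The following added example (not part of the thread or of the DigitalOcean tutorial) reimplements that logic in Python over constructed Apache/LiteSpeed access-log lines, so you can see exactly which requests a WordPress brute-force filter should count: a POST to `wp-login.php` that is answered with the login form again (HTTP 200) rather than a redirect (302) is a failed attempt, and any POST to `xmlrpc.php` is treated as suspicious. The sample log, the IP addresses and the thresholds are all made up; the equivalent fail2ban `failregex` in the comments is an assumption written to match the same lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log (combined log format). 203.0.113.5 hammers
# wp-login.php and xmlrpc.php; 198.51.100.9 is a normal visitor whose one
# login POST succeeds (302 redirect to wp-admin). Addresses are documentation
# ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2020:10:00:04 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2020:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2020:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2020:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2020:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2020:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed fail2ban equivalent of is_login_failure() below (filter.d/wordpress.conf):
#   [Definition]
#   failregex = ^<HOST> .* "POST /wp-login\.php[^"]*" 200
#               ^<HOST> .* "POST /xmlrpc\.php
# and jail.local:
#   [wordpress]
#   enabled = true
#   port = http,https
#   filter = wordpress
#   logpath = /var/log/apache2/access.log   # adjust for LiteSpeed's access log
#   maxretry = 5
#   findtime = 600
#   bantime = 3600


def is_login_failure(match):
    """True for requests that a WordPress brute-force filter should count."""
    method = match["method"]
    path = match["path"].split("?", 1)[0]  # ignore query string, e.g. ?redirect_to=
    status = match["status"]
    if method != "POST":
        return False
    if path.endswith("/xmlrpc.php"):
        return True  # OP disabled XML-RPC auth, so any POST here is hostile
    if path.endswith("/wp-login.php"):
        # Stock WordPress re-renders the form (200) on failure and redirects (302) on success.
        return status != "302"
    return False


def find_ban_candidates(log_text, maxretry=5, findtime=600):
    """Sliding-window counter like fail2ban: ban an IP once it has `maxretry`
    failures within `findtime` seconds. Returns {ip: datetime of the ban}."""
    windows = defaultdict(deque)
    banned = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_login_failure(m):
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = windows[ip]
        q.append(ts)
        # Drop failures that fell out of the window.
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_ban_candidates(SAMPLE_LOG, maxretry=4).items():
        print(f"ban {ip} at {when.isoformat()}")
```

One caveat that matters for the original poster's setup: with Cloudflare in front, the address in the access log is Cloudflare's edge unless the real client IP has been restored (mod_remoteip on Apache, or the equivalent client-IP-from-header option on LiteSpeed), so a ban derived from the raw log would hit the proxy, not the attacker. The `findtime` window is what keeps a slow, spread-out attempt (the 10:30 request in the sample) from triggering a ban on its own.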
@wohel Do you use any kind of firewall at the server level, such as CSF? It's better to block at the server level than with Wordfence.
You can limit access to wp-admin using .htaccess rules. Add this (change the IP 123.123.123.121) to the root-level .htaccess. A dynamic IP is fine, but you will need to change the rule when the IP address changes. Alternatively, set up a VPN and only use that IP to access wp-admin.
Anyone who tries to access wp-login.php or wp-admin will be served a 403 error page.
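The .htaccess rule referred to above is not reproduced in the thread, so here is an added example (mine, not the commenter's) of the allowlist in Apache 2.4 `Require` syntax, which LiteSpeed Enterprise also reads from .htaccess. It also answers the original question about blocking crawlers by refusing a couple of SEO bots by User-Agent. The address 203.0.113.10 and the bot names are placeholders. The rule assumes the web server sees the real client address: if Cloudflare or another proxy sits in front, `REMOTE_ADDR` is the proxy's IP, and the allowlisted address will still get a 403 until the real client IP is restored (mod_remoteip on Apache, or LiteSpeed's option to take the client IP from the header).

```apache
# Root .htaccess: only the listed address may reach the login form.
# 203.0.113.10 is a placeholder; add an IPv6 address too if your client has one.
<Files "wp-login.php">
    Require ip 203.0.113.10
    # Require ip 2001:db8::/32
</Files>

# Refuse the listed crawlers by User-Agent. A User-Agent is trivially spoofed,
# so this only stops the well-behaved ones; rate limiting handles the rest.
BrowserMatchNoCase "SemrushBot|AhrefsBot" blocked_bot
<RequireAll>
    Require all granted
    Require not env blocked_bot
</RequireAll>

# wp-admin is a directory, so put these lines in a second file, wp-admin/.htaccess.
# admin-ajax.php stays reachable because front-end plugins call it for anonymous visitors.
#
# <Files "admin-ajax.php">
#     Require all granted
# </Files>
# Require ip 203.0.113.10
```

To check the rule, request `/wp-login.php` once from the allowed address and once from any other network (a phone on mobile data works): the first should return the login form and the second a 403. If both return 403, the server is not seeing your real address, which is the proxy situation described above.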
I only have DO Web Firewall setup.
As far as I can remember, I tried it and it did not work. Anyway, thanks! I will surely check that again, if I am lucky.
Hide the WP login page (change the URL).
Add Cloudflare and enable DDoS protection (bots).
Tried to hide it, but I don't know why it broke my site, so I reverted.
It does work, give it a go. I use it myself on LiteSpeed, OpenLiteSpeed and Apache.
Have you tried clearing the website cache?
Yup! I used a plugin to change the address.
Hey, thanks! It works now.
@LeonDynamic Hi, sorry for the late reply. I just found out that this configuration also shows a 403 error to the IP I added. I also restarted LiteSpeed. What could be the reason behind it?
It's usually a best practice for WordPress to lock wp-login.php and /wp-admin behind an IP whitelist. On Apache/(Open)LiteSpeed you can do this with an .htaccess file, and for Nginx you can do it in the config file.
@wohel Are you sure the IPv4 address is correct, and are you using IPv6? If so, add that address as well. The .htaccess rule should work out of the box.
I'd let it be, just monitoring, but pretending I know nothing about it. If you have 2FA or strong passwords and a properly secured/updated site, you are safe. Let him play this brute-force game he cannot win. I'd only activate progressive rate limiting for l/p so it does not cause problems for regular users.
If you start taking active defensive countermeasures (like null-routing his botnet's IPs on your interface), he might notice it and DDoS your site (much easier to do than brute-forcing l/p). Then you'd have a really big problem...
You are describing the most usual attacks targeting WordPress. Are you sure this is a single person?
For me, everyday CSF is blocking requests and IPs because of this.
Are you sure this is not legitimate traffic?
Anyway, Wordfence would do a great job. Just be careful with the CPU usage.
Yup! I checked my public IPv4 from Google, and I do not have IPv6.
If it is legitimate, why would someone try to guess passwords or crawl my site? I am not sure if it is a single person, but I am sure it could be 2 people max, as he uses his Nexus phone or Ubuntu PC, but the IP changes as if he uses a VPN.
When I said legitimate traffic, I was talking about Semrush, Bingbot and Googlebot. You can control these crawlers using robots.txt; you will find an option to throttle them in Wordfence too.
I'm trying to say that brute-forcing xmlrpc and wp-login, probing for common URL patterns (like admin.php, test.php, etc.) and MySQL injections are common attacks against WordPress sites globally. If there are no reasons, don't feel this attack is personal.
You will be facing this issue every single day.
Good luck with that!
At least the big names do a good job.
Bingbot was using too much CPU for me, and changing robots.txt helped a lot. The other ones (mostly unknown) got throttled using Wordfence.
To strengthen security, the 7G firewall is good too.