Someone is trying to hack my website

mattyg · 13 Apr 2019 at 09:18

Hi

Ok so yesterday I started getting emails saying "Alex" A request to reset your password has been made at " My Domain"

I have no Idea who alex is.

I've just tried to reset an admin password to check the email layout and its exact.

So it looks like Alex is trying to get access to my website.

Its a website I dont currently use for my business as its out of date and I don't need to advertise that business. I want to change it to just 1 page at some point, But I digress.

Whats the easiest way to stop Alex from taking down my website.

mattyg · 13 Apr 2019 at 09:29

Hmmm.

I've logged into my site and found a user ALEX. But they've been on the system for 7yrs 2 weeks. So I'm going to assume its possibly someone from the firm that built/updated the site originally.

I'll just delete the user

They appear to be from sweden

https://www.iptrackeronline.com/index.php?ip_address=91.132.138.62&k=

touch · 14 Apr 2019 at 21:16

That's normal for a wordpress site. It's quite easy to find usernames and then try to guess the password or see if you can get the password reset to work.

It'll all be automated and targeting thousands of sites in a list via proxies or other compromised sites (so that's not his real IP address) It's not only targeted at your site and they've most likely tried it, failed to get in and moved on to the next site.

mattyg · 14 Apr 2019 at 21:18

I had 5-6 attempts over 2-3 days. Thats what got me worried.

But I've had none since changing the username. So hopefully all good but I'll be monitoring it

touch · 16 Apr 2019 at 15:27

This is an extract of a 7-day summary for just 1 of our hosted sites:

It's not unusual to get hundreds of login attempts against your site. This is a very small site, too - I expect large sites get millions of attempts per day. It's nothing to worry about as long as you dont use default usernames like 'admin' and have secure passwords (and 2factor authentication where possible).

Feek · 6 Aug 2019 at 16:34

Login Lockdown seems decent, I've had it on my Wordpress sites for a while. I've never had any alerts for random login attempts but it can't hurt to increase the security. I have 2FA enabled as well.

Darr2cool78 · 8 Aug 2019 at 23:54

Make sure that any WordPress admins have a nickname set so that no one can query the actual admin username via the API or have it exposed through the blog posts.

If you have access to the server host and it is using Apache I recommend adding this to your .htaccess file...

<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>

<Files wp-login.php>
Order deny,allow
deny from all
allow from 123.123.123.123
</Files>

The first part will stop them spamming authentication attempts through your WordPress api (only disable this if you don't use the API for any functionality in external apps)

Second part will lock down your login page. You can either change that IP so it is your IP specifically (this can become painful if you don't have a static IP which most non business internet services will not provide) or just leave it as this arbitrary IP that will never allow anything and simply comment that line when you need access.

If you don't want to, or can't go down this road, as mentioned by Feek use a Login Limiter which when combined with Google reCAPTCHA, good password and a good security plugin...should keep you safe.

If you need any help with it give me a shout, be happy to lend a hand