WordPress Security Plugins

Generic
Joined: 02/24/2011

Just looked at how many the security guy installed for me....

Anti-Malware Security and Brute-Force Firewall

BruteProtect

BulletProof Security

and 

Wordfence Security

Really? Do I actually need 4 of them to protect my WordPress website? I'm trying to figure out what's spiking my CPU usage.

__________________

Permission to quote in whole or in part, other than usage on this forum, is entirely forbidden.

 

Morticia
Joined: 05/22/2008

One more - Wordfence tells me that one of my files is altered from the last time it did a scan. I checked the files side by side (nice feature). It's the file that sets up the email. It is completely different. New owner name, new code, but I can't tell if it's just an update to the plugin or what.

Can someone explain how my own email keeps ending up as blocked spam in my email program? (Probably not related to the issue of the file I mentioned above.)

__________________

Most people die of a sort of creeping common sense, and discover when it is too late that the only things one never regrets are one's mistakes. - Oscar Wilde

 

PhineasSwann
Joined: 09/25/2012

I'd go back to your backup file and replace it with the old file. Then change your passwords. 

I had someone hack my site 2 years ago; they were sending spam through it, which almost got my domain blacklisted. Better safe than sorry. 

__________________

Darren
Innkeeper & Owner

 

Morticia
Joined: 05/22/2008

Let me ask this one - if I set Wordfence to lock out attempts using invalid user names, does that encourage hackers to try different names rather than just different passwords? 

I mean, if they just keep trying the same 2 user names, that keeps them amused without them ever getting to the right username. But if I tell them they got the wrong name by immediately locking them out, doesn't that encourage trying other names?

BTW, the two usernames are 'test' and the actual domain name. Don't use those!

Morticia
Joined: 05/22/2008

Morticia wrote:

Let me ask this one - if I set Wordfence to lock out attempts using invalid user names, does that encourage hackers to try different names rather than just different passwords? 

I mean, if they just keep trying the same 2 user names, that keeps them amused without them ever getting to the right username. But if I tell them they got the wrong name by immediately locking them out, doesn't that encourage trying other names?

BTW, the two usernames are 'test' and the actual domain name. Don't use those!

Since last night I have received 20 emails from Wordfence letting me know there were 20 attempts to log on using non-existent account names. I guess I will turn the email notification feature off!

Joined: 05/22/2008

And there are hundreds more that the hosting company blocks. I got sick of getting them so I just turned it off. I don't want all these emails.

Morticia
Joined: 05/22/2008

So if you check your Wordfence stats and you see the same IP address keeps trying to log in, do you block that IP or just let Wordfence do its job?

dumitru
Joined: 10/07/2013

Most of these IPs are dynamic or coming through a proxy. Manually taking action against them is time-consuming and wouldn't help much. Set some strict rules and let Wordfence do its job. 

__________________

http://www.hermesthemes.com - WordPress Themes for Independent Hotels, Inns and B&Bs

 

dumitru
Joined: 10/07/2013

True.

Wordfence can be configured to handle most of the stuff. From my experience the most important thing is to block the log-in attempts. The default configuration doesn't put restrictions in place for that (like a user lock-out for 24 hours).

Arks
Joined: 05/22/2010

dumitru wrote:

The default configuration doesn't put restrictions in place for that (like a user lock-out for 24 hours).

I found mine was set to lock people out after 20 login failures. I changed it to 7. Don't want to lock myself out if I make my famous mistake of leaving caps lock on!

Mine was set to lock people out after 20 forgot password attempts. I changed it to 7.

Mine was set to lock people out for 5 minutes when they do get locked out. I changed it to 1 day.

__________________

All saints can do miracles, but few of them can keep hotel. ~ Mark Twain

 

dumitru
Joined: 10/07/2013

I set everything to 1 attempt and simply whitelisted my own IPs: the one from the office and the one from home.

As I don't have an account with the username "admin", I have configured it to automatically lock out anyone trying a non-existing username.

Combined with a .htaccess password protection for the /wp-admin/ folder, I basically forgot about most problems with spam and brute-force.
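Added example (not part of any post in this thread, and not Wordfence's own code): a simplified Python model of the lockout settings described in Arks's and dumitru's posts above, replayed over constructed login attempts to show how the two configurations treat a bot and an owner who mistypes a password. The account name, IP addresses, the one-day lockout assumed for the one-attempt setup, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
@dataclass
class LockoutPolicy:
    """Simplified model of a login-lockout rule (not Wordfence's own code)."""
    max_failures: int                      # failures from one IP before lockout
    lockout_seconds: int                   # how long the lockout lasts
    known_users: frozenset = frozenset()   # usernames that really exist
    allowlist: frozenset = frozenset()     # IPs that are never locked out
    lock_unknown_user: bool = False        # lock at once on a non-existent username
    failures: dict = field(default_factory=dict)      # ip -> failure count
    locked_until: dict = field(default_factory=dict)  # ip -> unlock timestamp

    def attempt(self, ts, ip, user, password_ok):
        """Return 'ok', 'fail', 'locked' (this attempt caused a lockout) or 'blocked'."""
        valid = user in self.known_users and password_ok
        if ip in self.allowlist:
            return "ok" if valid else "fail"
        if self.locked_until.get(ip, 0) > ts:
            return "blocked"               # still inside an earlier lockout
        if valid:
            self.failures.pop(ip, None)
            return "ok"
        count = self.failures[ip] = self.failures.get(ip, 0) + 1
        unknown = self.lock_unknown_user and user not in self.known_users
        if unknown or count >= self.max_failures:
            self.locked_until[ip] = ts + self.lockout_seconds
            self.failures.pop(ip, None)
            return "locked"
        return "fail"

def replay(policy, events):
    # Feed (timestamp, ip, username, password_ok) tuples through a policy.
    return [policy.attempt(*e) for e in events]

DAY = 24 * 60 * 60
USERS = frozenset({"innkeeper"})           # constructed account name
OWNER_IP, BOT_IP = "198.51.100.5", "203.0.113.9"   # documentation-range IPs
EVENTS = [                                 # constructed sample attempts
    (0, BOT_IP, "test", False),
    (10, BOT_IP, "example-inn", False),
    (20, OWNER_IP, "innkeeper", False),    # owner with caps lock on
    (30, OWNER_IP, "innkeeper", True),
    (400, BOT_IP, "innkeeper", False),
]

def seven_then_one_day():
    return replay(LockoutPolicy(7, DAY, USERS), EVENTS)
def one_attempt_with_allowlist(allow=frozenset({OWNER_IP})):
    return replay(LockoutPolicy(1, DAY, USERS, allow, lock_unknown_user=True), EVENTS)
```

Calling `one_attempt_with_allowlist(frozenset())` replays the one-attempt setup without the owner's IP on the allowlist, in which case the owner's single mistyped password locks them out as well.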

Morticia
Joined: 05/22/2008

I like blocking the use of an unknown user name.

Joined: 05/22/2008

No, you don't need all of them. Wordfence is all I ever use. They will probably work against each other. 
