Wordpress/Website Owners - Are attacks common?

Gray Blimp

I've built a wordpress site. It's only been up for 2 weeks and probably has no visitors. This is fine because I just wanted to try it and learn, make some mistakes, etc.

So the site has been up for 2 weeks, and I've had hundreds of brute force attacks and modifications to the 4 core integrity files (I did not make these changes, wouldn't even know how).

I didn't want to use WIX because you are tied to them, I chose wordpress because this gives you an element of control... But I have no idea what is going on. I'm a noob and not technical or savvy to the coding lingo/language. I don't know what .htmgci0y.appconfig.php or wp-itapi.php is.

Sucuri is the plugin letting me know about the attacks and file changes, they just want me to upgrade though, won't give me much info.

Is this stuff common? It seems I already have a real problem with the core 4 files modified by someone or something other than myself. I only have three plugins so far. BackWPup, Limit Login Attempts, and the free Sucuri Security. I have more plugins I'm going to add, but I'm on hold while I figure this problem out.

Any pros or experienced out there have any advice on how I should proceed, what I need to do differently next time, etc?

Thank you!
 

ravenspear

WordPress is one of the most popular platforms out there, and many instances have security holes and/or are hosted on servers with old versions of PHP and such things, so yes, these kinds of sites are often easy targets for hackers to penetrate.
 

Runum

I use iThemes Security, Akismet Anti-Spam, and Admin Block Country plugins for my WP sites. I also change the user name and use a random generator to create passwords. I get notification of logon lockouts all the time, secure so far.
 

mtak.doc

Wordfence is the name of the plugin that could help you. 1mil+ active installs


I use iThemes Security, Akismet Anti-Spam, and Admin Block Country plugins for my WP sites. I also change the user name and use a random generator to create passwords. I get notification of logon lockouts all the time, secure so far.

But I am probably going to keep this written down somewhere too
 

V8Bill

X2 for Wordfence. Haven't had a breach for years now. It'll tell you what you need to do to make your site more secure. As also mentioned above you can check your site for current hacks at Sucuri Security. Also, your host needs to be on top of things as well. I'm a bit surprised you're getting hacked so easily. Pop Wordfence on and see what it tells you. I've also moved my login page to another URL which slows them down. Some plugins also have exploits so check those too. If you're not using a plugin you previously enabled - get rid of it. Don't just disable it - get rid of it. You shouldn't need to suffer that much so it does sound like you might have a few holes which you can plug.
 

Gray Blimp

Thank you all for your replies and advice.

X2 for Wordfence. Haven't had a breach for years now. It'll tell you what you need to do to make your site more secure. As also mentioned above you can check your site for current hacks at Sucuri Security. Also, your host needs to be on top of things as well. I'm a bit surprised you're getting hacked so easily. Pop Wordfence on and see what it tells you. I've also moved my login page to another URL which slows them down. Some plugins also have exploits so check those too. If you're not using a plugin you previously enabled - get rid of it. Don't just disable it - get rid of it. You shouldn't need to suffer that much so it does sound like you might have a few holes which you can plug.

Bill, I did try Sucuri Security check, and they say nothing is wrong with the site. But they're the ones that keep telling me about changes at 2AM made to my site/core files. So I'm not sure what the changes are or what to believe. I'm going to try wordfence right now and see what they say. As for moving the login URL, I don't know how to do that, but I can look it up. You say some plugins have exploits, and to check those too. How does one check these? Go through the code? I definitely don't know how to do that...
The only deactivated plugin is the akismet standard one, which apparently I should be using.
Finally, as for plugging holes, does this simply consist of removing plugins? Is it better to have a minimalist website with no plugins, or have plugins and risk having these exploits?

As an aside, anyone use the "Jetpack" suite, does that work for them and seem like a good, secure, all-in-one solution?

Thanks all.
 

Runum

Due to tech always changing, the best plugins for WP use change from time to time. I am always open to better plugins and solutions.
 

V8Bill

Thank you all for your replies and advice.

Bill, I did try Sucuri Security check, and they say nothing is wrong with the site. But they're the ones that keep telling me about changes at 2AM made to my site/core files. So I'm not sure what the changes are or what to believe.

I'm going to try wordfence right now and see what they say. As for moving the login URL, I don't know how to do that, but I can look it up. You say some plugins have exploits, and to check those too. How does one check these? Go through the code? I definitely don't know how to do that...

The only deactivated plugin is the akismet standard one, which apparently I should be using.
Finally, as for plugging holes, does this simply consist of removing plugins? Is it better to have a minimalist website with no plugins, or have plugins and risk having these exploits?

As an aside, anyone use the "Jetpack" suite, does that work for them and seem like a good, secure, all-in-one solution?

Thanks all.

Moving the login page can be done inside wordfence. Wordfence will also tell you what you need to change to make your site more secure. Re-activate Akismet - it stops comment spam. Set it to delete the worst offenders. Remove all plugins entirely that you don't use. I'm not sure if a de-activated plugin can still be hacked but I'm guessing it can so clean the plugins, update them all.

If you run into trouble hit me up via PM and I'll see if I can help. Also make sure you have the latest version of wordpress itself. These days there should be little need to worry about being hacked. But the best defence is offence - take full backups of your files and database. There are backup plugins that can do this for you and one that I use backs everything up to my S3 account either regularly or as needed.
 

TreyAllDay

So the site has been up for 2 weeks, and I've had hundreds of brute force attacks and modifications to the 4 core integrity files (I did not make these changes, wouldn't even know how).

This is not 100% professional advice. But I can tell you the following:

Brute force attacks are quite common. I have hundreds a day. Basically, a bot assumes your login panel is at domain.com/wp-admin which it is for 99% of wordpress sites. Once it gets there, it usually assumes your username is "admin" or "administrator" which for 99% of sites it is. And then it tries random passwords until it tries to guess whatever your password is. It is just bots, and they hit whatever sites they can, not someone specifically targeting you, and the likelihood that they will guess your password is slim to none in my opinion. A note: it will also assume that the admin is the one posting blogs/articles. So if you have any public posts that are associated with an author like "POSTED BY GRAYBLIMP" it will know to try username:GRAYBLIMP pw:[RANDOM] over and over which is why it seems like someone is targeting specifically you, but they just grab your username from a post.

Some tips: Never use "admin" as your username. Change your password frequently. Always update wordpress and its plugins (these updates are usually to fix security holes), and yes, get sucuri or bulletproof security plugin.
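The bot behaviour described in the post above shows up in the web server's access log as bursts of login submissions from one address. The following is an added example, not part of the original thread: a sliding-window count of login POSTs per IP. It assumes the log is in the common/combined access-log format and that login forms are submitted as POSTs to /wp-login.php, WordPress's standard login script; the log lines, addresses and timestamps are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Start of an access-log line in the common/combined format: IP, time, method, path.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')


def flag_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak count} for IPs with >= threshold login POSTs in any window."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp, method, path = m.groups()
        # Only submitted login forms count; GETs just display the page.
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def _line(ip, when, method, path):
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" 200 512 "-" "-"'


def sample_log():
    """Constructed traffic: a fast bot, a slow bot, and an owner who mistypes once."""
    t0 = datetime(2017, 3, 12, 2, 0, 0)
    rows = [("203.0.113.7", timedelta(seconds=2 * i), "POST") for i in range(8)]
    rows += [("192.0.2.55", timedelta(minutes=5 * i), "POST") for i in range(6)]
    rows += [("198.51.100.20", timedelta(seconds=s), verb)
             for s, verb in ((0, "GET"), (9, "POST"), (20, "POST"))]
    return "\n".join(_line(ip, t0 + dt, verb, "/wp-login.php") for ip, dt, verb in rows)


if __name__ == "__main__":
    print(flag_bruteforce(sample_log()))                                # fast bot only
    print(flag_bruteforce(sample_log(), window=timedelta(minutes=30)))  # slow bot too
```

The slow bot stays under a 60-second window, which is why lockout plugins usually pair a short window with a longer one.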
 

Gray Blimp

Moving the login page can be done inside wordfence. Wordfence will also tell you what you need to change to make your site more secure. Re-activate Akismet - it stops comment spam. Set it to delete the worst offenders. Remove all plugins entirely that you don't use. I'm not sure if a de-activated plugin can still be hacked but I'm guessing it can so clean the plugins, update them all.

If you run into trouble hit me up via PM and I'll see if I can help. Also make sure you have the latest version of wordpress itself. These days there should be little need to worry about being hacked. But the best defence is offence - take full backups of your files and database. There are backup plugins that can do this for you and one that I use backs everything up to my S3 account either regularly or as needed.

V8Bill, thanks for offering to help me. I installed Wordfence and it seems like a great plugin. I'll play around with it more and see if I can move the login page.

This is not 100% professional advice. But I can tell you the following:

Brute force attacks are quite common. I have hundreds a day. Basically, a bot assumes your login panel is at domain.com/wp-admin which it is for 99% of wordpress sites. Once it gets there, it usually assumes your username is "admin" or "administrator" which for 99% of sites it is. And then it tries random passwords until it tries to guess whatever your password is. It is just bots, and they hit whatever sites they can, not someone specifically targeting you, and the likelihood that they will guess your password is slim to none in my opinion. A note: it will also assume that the admin is the one posting blogs/articles. So if you have any public posts that are associated with an author like "POSTED BY GRAYBLIMP" it will know to try username:GRAYBLIMP pw:[RANDOM] over and over which is why it seems like someone is targeting specifically you, but they just grab your username from a post.

Some tips: Never use "admin" as your username. Change your password frequently. Always update wordpress and its plugins (these updates are usually to fix security holes), and yes, get sucuri or bulletproof security plugin.

While my username is not admin, I didn't take this into account. Thanks for pointing that out.

Good to know that these types of attacks are commonplace and I'm not specifically being targeted. Being on the consumer side of things has coddled me, I thought the internet was a pretty safe place now, but it's still wild out there (which is refreshing, the excitement of not knowing). Gives me a great appreciation and respect for the 90s web/internet entrepreneurs who didn't have the tools and resources that I have, but were still able to succeed.

Thanks all for the help.
 
