> A client's site was compromised recently. I changed the password to
> something impossible to guess--but I'm wondering if:
> 1) There's a way to change the username in wp-admin

Not a PHP or wordpress person here, but make sure the site uses https and any attempts at plain http will redirect to https. Otherwise you're most likely sending the password so it's readable to anybody on the network between you and the server. If it's not https-only all the time, fix that before fiddling with new passwords or you're just giving away the new one.

The most important attribute a password can have to make it harder to crack is to make it *long*. Every character you add to a password *multiplies* the number of combinations of characters an attacker has to try.

> 2) It's possible to block domains or country codes of attackers trying to
> sign in (most of them seem to be from France)

Not in any meaningful way. You could do a geoip lookup and do something based on that, but:

- Geoip is not 100% reliable
- If someone wants to hack you, it's trivial to tunnel traffic through another country or something like Tor, and then the point of origin could be anywhere.

So at best, all this does is add one easy-to-do step to the process of hacking you.

-Tim
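
Added example, not part of the original message: one way to verify the "https-only all the time" advice for a WordPress login page is to walk the redirect chain from the plain-http URL and report anything that stays on, or returns to, http. The host `blog.example`, the function names and the sample responses are constructed for illustration, and the Strict-Transport-Security check is an extra that goes beyond what the message asks for.

```python
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECTS = (301, 302, 303, 307, 308)

def fetch(url):
    """One HEAD request, redirects not followed. Returns (status, lowercased headers)."""
    u = urlsplit(url)
    https = u.scheme == "https"
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(u.netloc, timeout=10)
    try:
        conn.request("HEAD", u.path or "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def audit_login_transport(host, path="/wp-login.php", fetch=fetch, max_hops=5):
    """Walk the redirect chain from the plain-http login URL; return findings ([] = HTTPS-only)."""
    findings, url = [], f"http://{host}{path}"
    for _ in range(max_hops):
        status, headers = fetch(url)
        scheme = urlsplit(url).scheme
        if status in REDIRECTS and "location" in headers:
            nxt = urljoin(url, headers["location"])  # resolves relative Location values
            if urlsplit(nxt).scheme != "https":
                findings.append(f"{url} redirects to non-https {nxt}")
            url = nxt
            continue
        if scheme != "https":
            findings.append(f"{url} answered {status} over plain http")
        elif "strict-transport-security" not in headers:
            # Added check beyond the message: HSTS keeps browsers on https afterwards.
            findings.append(f"{url} sends no Strict-Transport-Security header")
        return findings
    return findings + [f"gave up after {max_hops} redirects"]

# Constructed responses (not captured from any real site) for an offline run.
HTTPS_ONLY = {
    "http://blog.example/wp-login.php": (301, {"location": "https://blog.example/wp-login.php"}),
    "https://blog.example/wp-login.php": (200, {"strict-transport-security": "max-age=31536000"}),
}
PLAIN_HTTP = {"http://blog.example/wp-login.php": (200, {})}

if __name__ == "__main__":
    print(audit_login_transport("blog.example", fetch=HTTPS_ONLY.__getitem__))
    print(audit_login_transport("blog.example", fetch=PLAIN_HTTP.__getitem__))
```

Calling `audit_login_transport("your.host")` without the `fetch` argument performs real HEAD requests against a site you administer.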