[Hidden-tech] WordPress security question

Tim Boudreau niftiness at gmail.com
Thu Jan 14 13:19:56 EST 2016


>
> A client's site was compromised recently. I changed the password to
> something impossible to guess--but I'm wondering if:
> 1) There's a way to change the username in wp-admin
>

Not a PHP or WordPress person here, but make sure the site uses https and
any attempts at plain http will redirect to https.  Otherwise you're most
likely sending the password so it's readable to anybody on the network
between you and the server.  If it's not https-only all the time, fix that
before fiddling with new passwords or you're just giving away the new one.

The most important attribute a password can have to make it harder to crack
is to make it *long*.  Every character you add to a password *multiplies* the
number of combinations of characters an attacker has to try.


> 2) It's possible to block domains or country codes of attackers trying to
> sign in (most of them seem to be from France)
>

Not in any meaningful way.  You could do a GeoIP lookup and do something
based on that, but:
 - GeoIP is not 100% reliable
 - If someone wants to hack you, it's trivial to tunnel traffic through
another country or something like Tor, and then the point of origin could
be anywhere.  So at best, all this does is add one easy-to-do step to the
process of hacking you.

-Tim
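As an added illustration of the first point (this is not code from the thread or from WordPress): a small offline checker that classifies what a browser would do with the response to a plain-http request for wp-login.php, so you can confirm the site really is https-only before touching passwords. The sample responses and the hostname example.com are constructed.

```python
"""Offline check: would a WordPress login over plain HTTP expose the password?

Classify what a browser does with the response to http://<site>/wp-login.php.
The sample responses at the bottom are constructed, not captured anywhere.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormActions(HTMLParser):
    """Collect the absolute action URL of every <form> on the page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            action = dict(attrs).get("action") or ""
            self.actions.append(urljoin(self.base_url, action))

def classify_login(url, status, headers, body):
    """Return one of: ok, http-redirect, plaintext-post, http-page."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 307, 308):
        # Only a redirect that lands on an https URL counts as https-only.
        target = urljoin(url, hdrs.get("location", ""))
        return "ok" if urlsplit(target).scheme == "https" else "http-redirect"
    parser = _FormActions(url)
    parser.feed(body)
    # A form whose action is not https will POST the password in the clear.
    if any(urlsplit(a).scheme != "https" for a in parser.actions):
        return "plaintext-post"
    # The form posts over https, but the page itself arrived over http, so the
    # site is not https-only and an on-path attacker could rewrite the form.
    return "http-page"

# Constructed sample responses for http://example.com/wp-login.php
LOGIN_URL = "http://example.com/wp-login.php"
SAMPLES = {
    "redirects": (301, {"Location": "https://example.com/wp-login.php"}, ""),
    "plain_form": (200, {}, '<form action="/wp-login.php" method="post">'),
    "https_form": (200, {}, '<form action="https://example.com/wp-login.php">'),
}

def run_samples():
    """Classify every constructed sample, keyed by sample name."""
    return {name: classify_login(LOGIN_URL, *resp) for name, resp in SAMPLES.items()}
```

Only "ok" means the redirect Tim describes is in place; the other three verdicts all mean a password typed into that page could travel over plain http.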