A few points of reference:

1) Attackers generally don't have a domain, because they are coming from an IP used to log in via Comcast or some related network, so you'd be blocking 1000's of possible visitors.

2) Attackers might come from suspect countries like .ru, .ro, or .cn, but that is a very poor way to identify them and rarely accurate.

3) Changing a password is good - there are plenty of good generators online; expect 8-15 characters with a mix of upper, lower, numbers and special characters. BUT unless your prior password was really bad (like 12345) it was probably not the point of attack.

4) Using https is wonderful as a general rule but, again, not likely how someone got in -- since it is not likely the attacker was on your local network.

5) Repeated, high-rate IP activity is a good place to look for issues and an easy place to block; at the server level is best, and many have denyhosts running routinely. There are a number of good plugins in the WP plugin directory.

6) The best diagnostic you should do asap after the compromise is:
   a) look for recently changed files, often in a tmp or cache directory; from an ssh command you can use: find . -ctime -2 -ls (shows files changed within the last 2 days)
   b) compare against a fresh WP install
   c) check the logs for repeated access from the same IP and look at what program files were accessed. Specifically look for IPs hitting lots of 404s, because those are probes looking for weaknesses.

In reality, the most likely point of attack is because:
- the version of wordpress is old
- there is an open exploit in one of the wordpress functions -- the wysiwyg editors like fck are the worst, as they often have image upload functions that are very easy to crack.
- the worst security hole in many CMS-based systems today (WP, Joomla, Drupal) is the 'update version' directly from the web admin dashboard, because that means your whole directory file tree of programming is open to writing from the web server, which is how most attackers get in to cause trouble.

SO the best you can do is make sure as much of the directory tree as possible is read-only to the web server, and even root-writable only. 2nd best is to use ftp for updating with a different user from the web server.

For many WP system admins, it is necessary to upload images from the web dashboard, so make sure *only* that directory tree is web-server writable - (for WP) maybe even make WPHOME/wp-content/uploads root-writable only and create the new year 2016 directory by hand - so only that sub-tree is writable - and make sure none of those files can be executed by php as programs, which means something like this in an .htaccess file for those directories:

    # strip the PHP handler/MIME type so an uploaded *.php file is served as data, not run
    RemoveHandler .php
    RemoveType .php
    # belt and braces for mod_php: switch the engine off in this directory tree
    php_flag engine off

Frankly, Shel, without more info we are guessing -- just remember in today's internet EVERY web site is constantly being attacked.

Rich/webmaster

On 1/14/2016 1:57 PM, Erik Amlee wrote:
>
> You cannot change username or register a second account with the same email address.
> Best is to delete the old account and re-create it with the same permissions.
> And there are WordPress plugins that claim to block IP addresses by country, but you
> would also deny legit traffic. If you are seeing brute force attacks on wp-login, a
> better solution would be a plugin that locks/bans by IP after X login attempts.
>
> Erik Amlee
>
> Director of Programming
> _______________________________
> Yes Exactly, Inc.
> | yesexactly.com <http://yesexactly.com> | 413.325.8251
>
> ---------- Forwarded message ----------
> From: *Shel Horowitz* <shel at principledprofit.com <mailto:shel at principledprofit.com>>
> Date: Thu, Jan 14, 2016 at 11:19 AM
> Subject: [Hidden-tech] WordPress security question
> To: Hidden-Tech Tech <hidden-discuss at lists.hidden-tech.net <mailto:hidden-discuss at lists.hidden-tech.net>>
>
>
> A client's site was compromised recently. I changed the password to something impossible
> to guess--but I'm wondering if:
> 1) There's a way to change the username in wp-admin
> 2) It's possible to block domains or country codes of attackers trying to sign in (most
> of them seem to be from France)
> Thanks,
>

-- 
Rich Roth
Webmaster/Steering Committee Member
Hidden-tech http://www.hidden-tech.net
The Talent you need is right here, Join and share your skills
((Sponsored by Thrives Media)) http://www.thrivesmedia.com
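A worked version of the log check in Rich's point 6c and of Erik's "lock out by IP after X login attempts" suggestion, added here as an editorial example; it is not code posted by anyone in the thread. It assumes an Apache/nginx combined-format access log. The log lines, IP addresses and paths are constructed, and the thresholds (five 404s making up at least half an IP's traffic; five wp-login.php POSTs inside any five-minute window) are assumptions to tune against your own traffic.

```python
# Added editorial example, not code posted by anyone in this thread.
# Triage a combined-format access log for two patterns: an IP hitting lots of
# 404s (probing for an old editor/upload script) and an IP hammering
# wp-login.php (brute force); then list which .php files a suspect IP actually
# reached with a 200, which is where to look on disk first. Sample data is
# constructed (documentation IP ranges, invented paths).
import re
from collections import defaultdict
from datetime import datetime, timedelta

# combined format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """One log line -> dict (ip, ts, method, path, status), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def summarize(lines):
    """Per-IP counters: hits, 404s, timestamps of wp-login.php POSTs, .php files served 200."""
    stats = defaultdict(lambda: {"hits": 0, "404": 0, "login_posts": [], "php_ok": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort the whole run
        s = stats[rec["ip"]]
        s["hits"] += 1
        if rec["status"] == 404:
            s["404"] += 1
        if rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            s["login_posts"].append(rec["ts"])
        if rec["status"] == 200 and rec["path"].endswith(".php"):
            s["php_ok"].add(rec["path"])
    return stats

def find_probes(stats, min_404=5, min_ratio=0.5):
    """IPs whose traffic is mostly 404s: a scanner guessing plugin/editor paths."""
    return sorted(ip for ip, s in stats.items()
                  if s["404"] >= min_404 and s["404"] / s["hits"] >= min_ratio)

def find_bruteforce(stats, attempts=5, window=timedelta(minutes=5)):
    """IPs with at least `attempts` login POSTs inside any sliding `window`.
    The 404 check alone misses these: a failed WP login returns 200, not 404."""
    flagged = []
    for ip, s in stats.items():
        ts = sorted(s["login_posts"])
        for i in range(len(ts) - attempts + 1):
            if ts[i + attempts - 1] - ts[i] <= window:
                flagged.append(ip)
                break
    return sorted(flagged)

def php_files_hit(stats, ip):
    """Program files the IP reached with a 200: inspect these on disk first."""
    return sorted(stats[ip]["php_ok"]) if ip in stats else []

# Constructed sample log: one normal visitor, one scanner, one fast brute-forcer,
# one slow (not flagged) retry pattern, and one garbage line.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jan/2016:12:58:10 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Jan/2016:12:58:12 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Jan/2016:12:58:41 -0500] "GET /wp-content/uploads/2015/12/photo.jpg HTTP/1.1" 200 88210 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2016:13:01:02 -0500] "GET /fckeditor/editor/filemanager/upload.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [14/Jan/2016:13:01:02 -0500] "GET /admin/fckeditor/upload.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [14/Jan/2016:13:01:03 -0500] "GET /wp-content/plugins/imageupload/upload.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [14/Jan/2016:13:01:03 -0500] "GET /phpmyadmin/index.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [14/Jan/2016:13:01:04 -0500] "GET /wp-content/uploads/cache/sh.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [14/Jan/2016:13:01:05 -0500] "GET /wp-content/plugins/fckeditor/editor/upload.php HTTP/1.1" 200 1044 "-" "-"
198.51.100.23 - - [14/Jan/2016:13:10:00 -0500] "POST /wp-login.php HTTP/1.1" 200 2690 "-" "python-requests/2.9"
198.51.100.23 - - [14/Jan/2016:13:10:03 -0500] "POST /wp-login.php HTTP/1.1" 200 2690 "-" "python-requests/2.9"
198.51.100.23 - - [14/Jan/2016:13:10:05 -0500] "POST /wp-login.php HTTP/1.1" 200 2690 "-" "python-requests/2.9"
198.51.100.23 - - [14/Jan/2016:13:10:08 -0500] "POST /wp-login.php HTTP/1.1" 200 2690 "-" "python-requests/2.9"
198.51.100.23 - - [14/Jan/2016:13:10:11 -0500] "POST /wp-login.php HTTP/1.1" 200 2690 "-" "python-requests/2.9"
198.51.100.23 - - [14/Jan/2016:13:10:14 -0500] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 2690 "-" "python-requests/2.9"
192.0.2.44 - - [14/Jan/2016:13:00:00 -0500] "POST /wp-login.php HTTP/1.1" 200 2690 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Jan/2016:13:20:00 -0500] "POST /wp-login.php HTTP/1.1" 200 2690 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Jan/2016:13:40:00 -0500] "POST /wp-login.php HTTP/1.1" 200 2690 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Jan/2016:14:00:00 -0500] "POST /wp-login.php HTTP/1.1" 200 2690 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Jan/2016:14:20:00 -0500] "POST /wp-login.php HTTP/1.1" 200 2690 "-" "Mozilla/5.0"
this line is not an access-log record and is skipped
"""

if __name__ == "__main__":
    st = summarize(SAMPLE_LOG.splitlines())
    for ip in find_probes(st):
        print("probe", ip, "reached:", php_files_hit(st, ip))
    print("brute force, candidates for an IP lockout:", find_bruteforce(st))
```

Run against a real log with `summarize(open("/var/log/apache2/access.log"))`. The two detectors are deliberately separate: a scanner shows up as a wall of 404s, while a brute-forcer gets 200s on every failed login, so a 404-only rule would miss it; the slow 192.0.2.44 pattern is left unflagged to show that the window, not just the count, is what distinguishes an attack from a forgetful user.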