[Hidden-tech] WordPress security question

Jeff Brand jeff at deltafactory.com
Thu Jan 14 14:27:48 EST 2016


1. While it's not possible to change the username through wp-admin, it 
can be done at the database level. Depending on the exact environment it 
can get touchy since it will alter author page URLs and more. There's 
got to be a full write-up somewhere online. If the login is "admin" then 
it's highly recommended.

2. Blocking by country is possible, though the list of IP ranges is 
large and will impact processing time. As others have mentioned, you'll 
also turn away valid traffic. Wordfence is a large and thorough security 
plugin that will block after a certain number of failed login attempts. 
"Limit Login Attempts" 
<https://wordpress.org/plugins/limit-login-attempts/> is a very 
lightweight plugin that does a similar job.

Since this past fall, hackers have been using XML-RPC calls to bulk-test 
passwords. I don't know if Wordfence provides protection against that 
attack. The simplest fix is to disable XML-RPC but this impacts the 
mobile publishing app, certain features of Jetpack, and any other plugin 
that uses XML-RPC. If that's not a concern, there are plugins to disable 
it through what's practically a 1-line fix.

Ideally, I'd like to see the maintainers provide ways to disable the 
bulk-request method in limited instances while protecting legitimate uses.


On 1/14/2016 11:19 AM, Shel Horowitz wrote:
>
> A client's site was compromised recently. I changed the password to 
> something impossible to guess--but I'm wondering if:
> 1) There's a way to change the username in wp-admin
> 2) It's possible to block domains or country codes of attackers trying 
> to sign in (most of them seem to be from France)
>
> Thanks,
>
> ________________________________________________
> Watch (and please share) my TEDx Talk,
> "Impossible is a Dare: Business for a Better World"
> http://www.ted.com/tedx/events/11809
>
> Contact me to bake in profitability while addressing hunger,
> poverty, war, and catastrophic climate change
>
> Twitter: @shelhorowitz
>
> * First business ever to be Green America Gold Certified
> * Inducted into the National Environmental Hall of Fame
>
> http://goingbeyondsustainability.com for the corporate world
> http://impactwithprofit.com for entrepreneurs
> http://greenandprofitable.com for green businesses
> mailto:shel at greenandprofitable.com * 413-586-2388
> Award-winning, best-selling (8th) book:
> Guerrilla Marketing Goes Green (co-authored with Jay Conrad Levinson)
> Coming in April: Guerrilla Marketing to Heal the World
> _________________________________________________
>
>
> _______________________________________________
> Hidden-discuss mailing list - home page: http://www.hidden-tech.net
> Hidden-discuss at lists.hidden-tech.net
>
> You are receiving this because you are on the Hidden-Tech Discussion list.
> If you would like to change your list preferences, Go to the Members
> page on the Hidden Tech Web site.
> http://www.hidden-tech.net/members
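As an added example (not code from Jeff's reply, Wordfence, or the Limit Login Attempts plugin): a must-use plugin that keeps XML-RPC available for the mobile app and Jetpack but removes the `system.multicall` method that lets one request carry many password guesses, and adds a small per-IP failed-login lockout of the kind the reply describes. It assumes no reverse proxy in front of the site (so `REMOTE_ADDR` is the real client) and uses hypothetical `xh_` names; the threshold and lockout length are chosen for illustration.

```php
<?php
/**
 * Plugin Name: XML-RPC hardening (example)
 * Save as wp-content/mu-plugins/xmlrpc-hardening.php; mu-plugins load automatically.
 */

// 1. Drop the bulk method only. Every other XML-RPC method (posting from the
//    mobile app, Jetpack calls) stays registered, so this is narrower than
//    add_filter( 'xmlrpc_enabled', '__return_false' ), which turns it all off.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['system.multicall'] );
    return $methods;
} );

// 2. Per-IP failed-login counter. wp_authenticate() fires 'wp_login_failed'
//    for both the wp-login.php form and XML-RPC logins, so one counter covers both.
const XH_MAX_FAILS = 5;                      // illustrative threshold
const XH_LOCKOUT   = 15 * MINUTE_IN_SECONDS; // illustrative lockout window

function xh_client_key() {
    // Assumption: no reverse proxy, so REMOTE_ADDR is the connecting client.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'xh_fail_' . md5( $ip );
}

add_action( 'wp_login_failed', function () {
    $key   = xh_client_key();
    $fails = (int) get_transient( $key ) + 1;
    // Transient expiry doubles as the lockout window; it resets on each failure.
    set_transient( $key, $fails, XH_LOCKOUT );
    error_log( sprintf( 'xmlrpc-hardening: failed login #%d from %s', $fails,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown' ) );
} );

// 3. Refuse further attempts from a locked-out IP. Priority 30 runs after the
//    core username/password check, so the WP_Error replaces whatever it returned.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( xh_client_key() ) >= XH_MAX_FAILS ) {
        return new WP_Error( 'xh_locked_out', 'Too many failed logins; try again later.' );
    }
    return $user;
}, 30, 1 );
```

Failed attempts show up in the PHP error log with their source address, which gives the country-level picture the original question asked about without blocking whole IP ranges.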
