Wordpress login security?
 

I have been getting alot of attempts at wp-login.php for blackonwhitelesbian.com. I have just been denying the ips in htaccess.

Is their a captcha plugin or something similar that you suggest?

Apologize for the noob question, but what are they trying to do? Just add backlinks or takeover the site?

I remember seeing someone posting about a plug-in that would disable IPs after a certain amount of attempts.

Personally I just use really strong user names and passwords. It's not just my WP installs that have constant attempts it's all my scripts login pages. It's even my home network which lately seems to be under attack from Korea.

Yea, I got somebody from Berlin and I got a bot that hits from 5 different IPs every so often.

Probably gonna make my passwords a little longer.

I hope the North Koreans aren't targeting Cleo's Links.

I've just started using Better WP Security and I like it a lot, bans users temporarily for a myriad of different techniques people use to compromise your site.

I've also got Bullet Proof installed on a couple of sites, also good.

The nice thing about Better WP is you can choose your level of security, some tweaks require a more significant server load than others, but I've been quite happy with it since I've installed it.

Thanks Housekeeper. I am gonna look into it.

I was just getting tired of seeing those attempted logins. I just renamed my wp-login for a while. Next time I want to login I will rename it back to wp-login. They are still hitting wp-login, even though it isn't there.

Maybee "just add backlinks" AND "takeover the site" ? :) anyway what I'd do for sure is having a freaking long password (my favourite are long sentences with mixed in characters)... anything above 30 characters makes me feel all right and safe :D

there was a release of funny md5 hash decoder which simply check out if that hash is already on the net. So you know... rememberingAboutPassKeepsMy$$$Safe666, :D

Yeah, I've been having that same issue. Might have to give that plugin Housekeeper recommended a shot.

(Ooops! I see that you're doing what I suggested below. Sorry.)

Here is what I suggest. Add the following text to your .htaccess file:


Order deny,allow
Deny from all

Allow from x.x.x.x


You will need to replace x.x.x.x with your current IP address.

Not sure what your current IP is? Go to Google.com and type "what is my ip?" No one will be able to login to your WP account except from your IP.

I tried something like that before. But I didn't get it to work. Must have been a typo or something. But I may try it again. Thanks.

I'm seeing largely 'too many attempts to open a file that does not exist' which is getting blocked by WP security, and some 'bad login attempts'. But the brute force isn't as sophisticated or intense as what is run on paysites, so far.