• Resolved SGans

    (@aym4t)


    The domain above is the main domain on my account. On June 17th, I got emails telling me that I’d had many attacks on my site. In reviewing the event, I saw over 450 attacks on my site within minutes. Your email said it had protected me from those attacks (and I subsequently blocked that IP from my server’s cpanel). However, yesterday, on logging into a wordpress site of mine, I saw a Wordfence warning that there was one issue on my wp-config file for one of my sites.

    What it didn’t tell me, and I’ve subsequently found out from my hosting company – an attack on June 20th got through and my entire site and subsites are now showing a great many hacks. In fact, even images were hacked. This was neither reported NOR blocked by Wordfence. I didn’t get a single email about this – only visibility when I happened to log into one of my sites.

    Clearly, this wasn’t blocked, and I understood that was a function of the free version. I’ve considered the paid version, but if this can happen where it shouldn’t, how am I to know my paid version would protect me any better?

Viewing 8 replies - 1 through 8 (of 8 total)
  • No pat answer for this. How you are protected has more to do with your own adjustments of Wordfence settings as well as your knowledge of how to deal with various “attack” issues, than whether you use the paid version or not. My advice would be to stick with free ver, learn it well, study the additional features of the premium, then only after that make an informed decision based on your needs. In my case, I used to pay for premium and ended up downgrading to the free, the money (for three sites) gave me nothing that really helped, or couldn’t be duplicated or even improved with other plugins.

    Thread Starter SGans

    (@aym4t)

    Thank you, @mountainguy2 for the answer. AND I VERY much appreciate the suggestion to stay with the free one. I tried to keep up with all this, but being a person who’s technical doesn’t mean I have the time to become expert in all things, security being one of them. My hosting company suggested I pay a security expert! LOL!!! As if I had THAT money!

    Not sure that within my studies on the settings that I could have stopped this brute force thing. Came in through a very back door – and my password’s not an easy crack on that domain. Sadly, because it got into a subdomain, it was able to meander around to infect all the domains in the main directory that contained them. Not being an expert, I thought I’d set my firewall to block these, and other kinds of attacks… guess not.

    I may keep this – and I’m also considering trying Sucuri, which also gets good ratings, seems to do a lot of the same, and doesn’t bother you on every screen, to upgrade.

    Also learned – the hard way – having something like Backup Buddy is going to help me. My last backup was 5/11/18 – sheesh!

    THANKS!

    Indeed, backups should come first not last. I’m a pro blogger, I do fully 4 different types of backups to protect my body of work. Nobody is an expert, if they tell you they are, run. But some people know quite a bit and are worth paying. By definition “brute forcing” means you are getting multiple attacks from the same source, in Wordfence you’d usually use rate limiting to easily shut those down. Just to simplify things, I also use WP Hide Login plugin. Country blocking is very effective if you can do it. IQ Block Country being a good plugin for that. There is also a whole other attack surface that Wordfence does nothing with, that you have to deal with in your server configuration. Only experts do that (smile). MTN

    Hi @aym4t

    I wonder if you had a screenshot showing this wp-config warning that is related to Wordfence? or even the exact error message?

    It could be that your site was hacked on the server level, perhaps SSH/SFTP/cPanel credentials were leaked. Within the limited information we can get through the forums here, it will be hard to tell how it was hacked; hiring a security analyst to investigate this issue and clean your site thoroughly might be your best choice.

    Thanks.

    Hi @aym4t,
    Since we haven’t heard from you for a while I’m going to go ahead and resolve this thread. If you have any other questions or concerns, don’t hesitate to open a new one.

    Thanks!

    Thread Starter SGans

    (@aym4t)

    I was actually going to write in, but got too busy yesterday. Wordfence recorded an attack again, with what was listed as 135 attempts on my wordpress database. I’m pasting the part of the email that shows what got hit. I promise you – that admin is WELL hidden as far as the name I gave it, but this came back – showing the regular wp-admin address (redacted here).
    This email was sent from your website “AYM 4 Training – Online and Onsite Computer Training” by the Wordfence plugin at Monday 23rd of July 2018 at 01:56:16 AM
    The Wordfence administrative URL for this site is: [REDACTED]
    The Wordfence Web Application Firewall has blocked 135 attacks over the last 10 minutes. Below is a sample of these recent attacks:

    July 23, 2018 8:50am 5.188.86.156 (Ireland) Blocked for SQL Injection in query string: p=1477′ UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    July 23, 2018 8:50am 5.188.86.156 (Ireland) Blocked for SQL Injection in query string: p=1477′ UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    July 23, 2018 8:50am 5.188.86.156 (Ireland) Blocked for SQL Injection in query string: p=1477′ UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    July 23, 2018 8:50am 5.188.86.156 (Ireland) Blocked for SQL Injection in query string: p=1477′ UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    July 23, 2018 8:50am 5.188.86.156 (Ireland) Blocked for SQL Injection in query string: p=1477′ UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL#
    July 23, 2018 8:50am 5.188.86.156 (Ireland) Blocked for SQL Injection in query string: p=1477′ UNION ALL SELECT NULL,NULL,NULL,NULL,NULL#
    July 23, 2018 8:50am 5.188.86.156 (Ireland) Blocked for SQL Injection in query string: p=1477′ UNION ALL SELECT NULL,NULL,NULL,NULL#
    July 23, 2018 8:50am 5.188.86.156 (Ireland) Blocked for SQL Injection in query string: p=1477′ UNION ALL SELECT NULL,NULL,NULL#
    July 23, 2018 8:50am 5.188.86.156 (Ireland) Blocked for SQL Injection in query string: p=1477′ UNION ALL SELECT NULL,NULL#
    July 23, 2018 8:50am 5.188.86.156 (Ireland) Blocked for SQL Injection in query string: p=1477′ UNION ALL SELECT NULL#
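Added example, not part of the original posts and not Wordfence code: the sample lines in the email differ only in the number of NULL columns, which is what a single automated column-count probe looks like. This Python sketch parses lines in the email's format (a subset copied from the post above; `union_sweeps` and `min_steps` are names chosen here) and collapses them into one sweep per source IP and parameter.

```python
import re
from collections import defaultdict

# Four of the ten alert lines quoted in the post above, copied as shown there.
SAMPLE = """\
July 23, 2018 8:50am 5.188.86.156 (Ireland) Blocked for SQL Injection in query string: p=1477′ UNION ALL SELECT NULL,NULL,NULL,NULL#
July 23, 2018 8:50am 5.188.86.156 (Ireland) Blocked for SQL Injection in query string: p=1477′ UNION ALL SELECT NULL,NULL,NULL#
July 23, 2018 8:50am 5.188.86.156 (Ireland) Blocked for SQL Injection in query string: p=1477′ UNION ALL SELECT NULL,NULL#
July 23, 2018 8:50am 5.188.86.156 (Ireland) Blocked for SQL Injection in query string: p=1477′ UNION ALL SELECT NULL#
"""

# Layout of one alert line: timestamp, IPv4, (country), rule name, param=value.
LINE_RE = re.compile(
    r"^(?P<when>\w+ \d{1,2}, \d{4} \d{1,2}:\d{2}[ap]m) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \((?P<country>[^)]*)\) "
    r"Blocked for (?P<rule>.+?) in query string: (?P<param>[^=]+)=(?P<value>.*)$"
)
# The NULL list of a UNION [ALL] SELECT probe; its length is the column guess.
UNION_RE = re.compile(r"UNION\s+(?:ALL\s+)?SELECT\s+((?:NULL\s*,\s*)*NULL)\b", re.I)


def parse(text):
    """Yield one dict per line that matches the alert email's format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def union_sweeps(text, min_steps=3):
    """Map (ip, parameter) -> sorted column counts tried by that source.

    Several different counts from one source against one parameter are a
    single automated scan, not that many unrelated attacks.
    """
    widths = defaultdict(set)
    for ev in parse(text):
        m = UNION_RE.search(ev["value"])
        if m:
            widths[(ev["ip"], ev["param"])].add(m.group(1).upper().count("NULL"))
    return {k: sorted(v) for k, v in widths.items() if len(v) >= min_steps}


if __name__ == "__main__":
    for (ip, param), cols in union_sweeps(SAMPLE).items():
        print(f"{ip} swept parameter {param!r} with column counts {cols}")
```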

    Hi again!
    It’s not unusual to see large numbers of attacks on sites. The reason Wordfence was developed in the first place was to protect against them. What you sent here are examples of SQL Injection probes, testing to see if this type of attack would be successful on your site. All of them were blocked, so this doesn’t tell us anything about how your site actually got hacked.

    If your site was compromised, the attackers had access to everything on your site including everything in the database. It’s also possible that there is still malware left behind on your site.

    If you have multiple sites hosted in the same hosting account, they are, as you already noticed, all compromised when one of them is compromised. To reduce the impact of a compromise it’s better to keep sites hosted separately. That way they can’t infect each other.

    As for why your site was hacked in the first place, figuring that out would require a full forensic analysis of all sites in the hosting account. It is possible that you have a vulnerability so severe that nothing can protect against it. An example would be a wp-config file backup that was left exposed to the world, incorrect file permissions that allow anyone to write to files on your server, FTP or hosting control panel passwords that have been compromised etc. If you only recently started using Wordfence, it’s also possible that your site has been compromised for a long time and that you just didn’t notice before.

    Wordfence would definitely have alerted you to malware on the site, assuming you have Wordfence installed on all of the sites you have hosted there and regular scans are running. Depending on how the site was hacked, it may not have alerted you the very second it happened but it would have when the first scheduled scan ran.

    The free version offers very good protection but the premium version offers even better of course. Unfortunately we are per forum rules not permitted to discuss Wordfence premium here so if you have any questions about it – please email [email protected].

    I agree with the previous suggestion that if you want the sites to stay clean you probably need to hire an expert to help you with that.
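Added example, not part of the original reply and not Wordfence code: a Python audit for two of the conditions named above, a copy of wp-config.php left in the web root and files or directories that anyone on the server can write to. The function names, the allow-list and the demo tree are constructed for illustration; point `audit_webroot` at the directory that holds all the sites in the hosting account.

```python
import os
import stat
import tempfile

# File names that are expected to contain "wp-config" in a normal install.
KNOWN_OK = {"wp-config.php", "wp-config-sample.php"}


def audit_webroot(root):
    """Return (config_copies, world_writable), both sorted, relative to root."""
    copies, writable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # mode bits of a symlink itself are not meaningful
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                writable.append(rel)  # the "other" write bit is set
            lower = name.lower()
            # e.g. wp-config.php.bak or wp-config.old: typically served as
            # plain text instead of being executed as PHP.
            if stat.S_ISREG(st.st_mode) and "wp-config" in lower and lower not in KNOWN_OK:
                copies.append(rel)
    return sorted(copies), sorted(writable)


def demo():
    """Audit a small constructed tree: a main site plus one subsite."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "sub", "wp-content", "uploads")
        os.makedirs(uploads)
        for rel, mode in [
            ("wp-config.php", 0o640),          # fine
            ("wp-config.php.bak", 0o644),      # leftover backup copy
            ("sub/wp-config.php", 0o666),      # writable by everyone
            ("sub/wp-content/uploads/logo.png", 0o644),
        ]:
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        os.chmod(uploads, 0o777)               # writable directory
        return audit_webroot(root)


if __name__ == "__main__":
    found_copies, found_writable = demo()
    print("config copies: ", found_copies)
    print("world-writable:", found_writable)
```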

    Thread Starter SGans

    (@aym4t)

    Well, Wordfence DID prevent these attacks, and my sites were rebuilt and inspected for any remaining malware by my hosting company.

    Thank you for your responses on this. I’m finding these attacks happen, even with WP Hider installed.

    Thanks again, for responding.

  • The topic ‘Curious – does this protect, or just warn?’ is closed to new replies.