• One of my WordPress sites has been hacked twice now by the same Turkish hacking scum. I did change passwords the second time, 15 characters long with various combinations etc., but that didn’t stop them.

    In the end I had to rename the login file to stop them from doing it a third time. It would seem they simply used a password app that used brute force to get entry, because WordPress doesn’t have an attempt blocker, i.e. password wrong for 3 attempts and you are locked out for 30 minutes or something. Anyway I just wanted to say how disgusted I am at how easy you make it for them.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    https://www.ads-software.com/extend/plugins/login-lockdown/

    (though personally it drives me nuts to be locked out, myself, when some moron tries to log in as me X numbers of times)

    You should also read https://codex.www.ads-software.com/Hardening_WordPress

    Do you have any proof or evidence to imply that this is a brute force attack, and not something else? Server logs etc?

    Thread Starter colej2k

    (@colej2k)

    Yes, after the second hack I changed the wp-login.php and it never happened again, but someone had tried to change my password via the forgot password. Shame I reset my email address after the hack.

    Like I said though, I’m disgusted that WordPress hasn’t thought about putting some simple security behind the login screen.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    Anyone can go to any site and click the ‘forgot password’ link. That’s not a security hole, that’s just … the bane of the internet, really.

    Were they trying to login as the same ID every time? Have you renamed your Admin ID to something else?

    (How are you going to login with a renamed login file, out of curiosity?)

    Thread Starter colej2k

    (@colej2k)

    No, but that’s what they had to revert to once I renamed the wp-login.php file; they thought they still had one of their email addresses on the admin profile.

    The HUGE security hole has already been mentioned but you’ve clearly ignored that and gone for what I mentioned they did next!

    I log into my site by changing the wp-login.php file back. It’s a pain, but it’s kept the hackers out.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    I didn’t ignore it, I just don’t have an opinion on it as a security hole (been running WP for over 5 years now without anyone managing to brute force my password). I’m more inclined to think you’re using crappy passwords, to be honest, based on my experience.

    Check the password you use against https://howsecureismypassword.net/

    I’ve been using password ‘phrases’ for a while and my password is both over 16 chars long and has punctuation (though no numbers) and it STILL shows up as “About 1 trillion years” to brute force.

    As Ipstenu mentions, there are plugin options available for doing login locking. If they ever did roll such a function into the core, it would have to be possible to disable it and I would NEVER want it applied to my admin account under any circumstances.

    Lockout features create the ability to keep the legitimate user out as well. Nothing should ever prevent the Admin from logging into their WordPress site/multi-site when they need.

    That said, please please PLEASE read the hardening WordPress doc that was referenced. WordPress fits a lot of different needs for a lot of different people, so sometimes things are quite left flexible, but I highly encourage picking the hardening measures that are appropriate to you and implementing them.
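The opening post asks for the kind of throttle that plugins such as the one linked above provide (wrong password 3 times, locked out for 30 minutes), and this reply raises the risk of locking out the legitimate admin. The following is an added example, not code from this thread or from any of the plugins mentioned: a minimal must-use plugin (a file dropped into wp-content/mu-plugins) that counts failed logins with WordPress transients, keyed on client IP plus username so an attacker hammering "admin" from one address does not lock the real admin out from another. The plugin name, function names and limits are assumptions chosen for the example.

```php
<?php
/*
Plugin Name: Example Login Throttle (added example, not a published plugin)
*/

// Assumed limits, mirroring the thread's "3 attempts, 30 minutes" suggestion.
define( 'ELT_MAX_ATTEMPTS', 3 );
define( 'ELT_LOCKOUT_SECONDS', 30 * MINUTE_IN_SECONDS );

function elt_client_ip() {
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy this is the proxy's
    // address; only trust X-Forwarded-For if your proxy is known to set it.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient key scoped to (IP, username), so lockouts are per attacker address.
function elt_key( $username ) {
    return 'elt_' . md5( elt_client_ip() . '|' . strtolower( $username ) );
}

// Core fires wp_login_failed after a bad username/password; bump the counter.
// The transient expiry doubles as the lockout window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = elt_key( $username );
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, ELT_LOCKOUT_SECONDS );
} );

// Run after core's password check (priority 20) and override its result while
// locked. The same error is returned whether or not the password was right, so
// a locked-out attacker learns nothing from the response.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    $fails = (int) get_transient( elt_key( $username ) );
    if ( $fails >= ELT_MAX_ATTEMPTS ) {
        return new WP_Error( 'elt_locked', __( 'Too many failed logins; try again later.' ) );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that IP/username pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( elt_key( $user_login ) );
} );
```

Because the counter is per IP, a legitimate admin on a different network address is not affected by someone else's failed attempts, which addresses the lockout concern raised above without disabling the throttle.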

    Thread Starter colej2k

    (@colej2k)

    No Ipstenu, you ignored it, just like you ignored me saying I had a 15 character password like so: mAI49(>5@zip;[6 (not the one I used).

    Now please stop trying to be clever by dissing people who have genuine concerns about security and the fact WP hasn’t got any protection built in to stop brute force password attacks.

    Thread Starter colej2k

    (@colej2k)

    John, I’m changing the login file while not in use. I shouldn’t have to do this, but until WP introduces some protection I don’t really have a choice. My site was hacked twice in three days, but changing the file name has stopped it happening a third time.

    You’ll note that when you sign into forums of any make, they have protection limiting wrong passwords for a reason!

    Are they accessing your default login screen? Maybe you should hide the login screen via htaccess or with a plugin.

    https://www.ads-software.com/support/topic/protect-you-wordpress-site-with-wsecure-authentication-1?replies=1

    I’m currently using wsecure myself and it is worth the $5 spent. I’ve previously used their Joomla version and have been happy with their service as well. I don’t have any affiliation with them; this is just from experience.

    The Better WP Security plugin does something similar to WSecure, but does it via htaccess. Plus the Better WP Security plugin offers other brute force prevention methods among many other options.

    https://www.ads-software.com/extend/plugins/better-wp-security/

  • The topic ‘Site Hacked Twice’ is closed to new replies.