• Resolved digitalcam

    (@digitalcam)


    Over the past 2 weeks my site has been accessed several times and each time the perpetrators disable my plugins, including the WordFence security plugin.

    Each time I’ve had to restore the entire site with a backup.

    Today I looked in my Apache logs and noticed that, at the time my site went down, someone from an Asian IP address logged in using wp-login.php.

    I had JUST changed the username and password but apparently they already had my updated changes.

    Can someone give me a clue as to how they are doing this?

    I’m afraid to leave my site address here. (you can understand why)
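Added example, not part of the original post: one way to pull the wp-login.php activity described above out of an Apache access log in combined format. The function name, the sample lines and the IPs are constructed for illustration; it assumes a POST to wp-login.php answered with 302 is a successful login and 200 is a failed one, which is WordPress's default behaviour and can be changed by security plugins.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation-range IPs), not taken from the thread.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Feb/2015:13:40:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2015:13:40:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2015:13:40:09 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2015:13:40:12 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 200 18233 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2015:13:55:40 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Feb/2015:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]

def summarize_logins(lines, trusted_ips=()):
    """Return {ip: {"failed": n, "success": [timestamps]}} for untrusted IPs."""
    report = defaultdict(lambda: {"failed": 0, "success": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["ip"] in trusted_ips:
            continue
        path, _, query = m["target"].partition("?")
        if not path.endswith("/wp-login.php"):
            continue
        # Other wp-login.php actions (logout, lostpassword, ...) also redirect.
        if parse_qs(query).get("action", ["login"])[0] != "login":
            continue
        if m["status"] == "302":      # assumed: redirect to wp-admin = logged in
            report[m["ip"]]["success"].append(m["time"])
        elif m["status"] == "200":    # assumed: login form shown again = failed
            report[m["ip"]]["failed"] += 1
    return dict(report)

if __name__ == "__main__":
    # 203.0.113.10 stands in for the site owner's own address.
    for ip, info in summarize_logins(SAMPLE_LOG, {"203.0.113.10"}).items():
        print(ip, "failed:", info["failed"], "successful at:", info["success"])
```

A successful login from an address you do not recognise, especially right after a password change, points at stolen credentials or a backdoor rather than password guessing.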

Viewing 15 replies - 1 through 15 (of 19 total)
  • Moderator James Huff

    (@macmanx)

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    I’m sorry to hear your site is being attacked. Have you looked in the database to make sure there are no users there you don’t recognize? The users may be hidden from the dashboard.

    You may want to scan any PCs you use to access your server. Desktop viruses often harvest FTP and other credentials. Do you use open wifi in public places (hotels) to make server changes?

    It has to be frustrating when it’s so difficult to protect your site.

    Did you fix the problem?
    My site Firecorp 1475 was so badly compromised, I have received E-mails from Google stating that my site has Malware if somebody visits it.

    I have installed the following Plugins: –
    1) Bulletproof Security installed in order to secure the htaccess file.
    2) Sucuri to do malware scans
    3) Wordfence to notify me about illegal log ins from which IP addresses.

    When things went bad Wordfence gave me the compromised file names and I deleted those files.

    I was informed that my website is now clear and safe to visit and suddenly the IPs trying to get into my site have decreased from about 50 a day to about 1 a week. (IPs that I used to block with Wordfence)

    Regards

    Thread Starter digitalcam

    (@digitalcam)

    Hey,

    I’m a little confused and I need some guidance.

    Which of these .htaccess files is better protection? OR are they equal?

    Choice #1
    <files wp-login.php>
    order deny,allow
    deny from all
    # whitelist Your First IP address
    allow from 00.000.000.000
    </files>

    Choice #2
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^00.000.000.000$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>

    Thanks!
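Added example, not part of the original post: a small Python model of which requests each of the two rule sets above would deny, using the regular expressions from Choice #2 as posted. The function names, the sample paths and the placeholder IP 203.0.113.10 are constructed; the model treats the last URL segment as the file name for `<files>` and chains the conditions the way mod_rewrite does, (first OR second) AND third.

```python
import re
from posixpath import basename

ALLOWED_IP = "203.0.113.10"  # constructed placeholder for the whitelisted IP

# Choice #2 conditions as posted, with the placeholder IP substituted.
COND_LOGIN = re.compile(r"^(.*)?wp-login\.php(.*)$")
COND_ADMIN = re.compile(r"^(.*)?wp-admin$")
COND_IP = re.compile(r"^203.0.113.10$")

# Constructed request paths (REQUEST_URI carries no query string).
SAMPLE_PATHS = [
    "/wp-login.php",
    "/blog/wp-login.php",
    "/wp-admin",
    "/wp-admin/",
    "/wp-admin/index.php",
]

def choice1_denies(uri_path, remote_addr):
    """<files wp-login.php>: applies to that file name in any directory."""
    return basename(uri_path) == "wp-login.php" and remote_addr != ALLOWED_IP

def choice2_denies(uri_path, remote_addr):
    """RewriteCond chain: (login OR admin) AND client is not the allowed IP."""
    uri_hit = COND_LOGIN.search(uri_path) or COND_ADMIN.search(uri_path)
    return bool(uri_hit) and not COND_IP.search(remote_addr)

def coverage(paths, remote_addr):
    """Map each path to (denied by Choice #1, denied by Choice #2)."""
    return {p: (choice1_denies(p, remote_addr), choice2_denies(p, remote_addr))
            for p in paths}

if __name__ == "__main__":
    for path, (c1, c2) in coverage(SAMPLE_PATHS, "198.51.100.7").items():
        print(f"{path:24} choice1={'403' if c1 else 'pass'} "
              f"choice2={'403' if c2 else 'pass'}")
```

In this model both choices deny wp-login.php to other addresses; the only difference is that Choice #2 also denies the bare `/wp-admin` URL, because its second pattern ends in `wp-admin$` and so does not match `/wp-admin/` or anything below it.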

    KobusG

    (@kobusg)

    Have you installed Bulletproof?
    Bulletproof creates an htaccess file, which can not be changed by hackers.

    Thread Starter digitalcam

    (@digitalcam)

    Actually I use this to protect my .htaccess file

    <files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </files>

    KobusG

    (@kobusg)

    Ok, but is it sufficient?

    Below is what Bulletproof are doing.

    Are you still being compromised?

    [removed]

    Thread Starter digitalcam

    (@digitalcam)

    Woa… Bullet Proof is no joke!

    Not sure about being compromised – it was happening on a 4 day cycle but I’ve moved to a new host and today is day 4… So I’ll see if anything occurs today.

    BTW – I had Wordfence installed when I was compromised and it did nothing… whoever it was shut down all plugins and altered all WP core files.

    What a pain!

    Moderator James Huff

    (@macmanx)

    You may also want to implement some (if not all) of the recommended security measures.

    KobusG

    (@kobusg)

    I would like to find out about the following: –

    Wordfence is alerting me of about 10 IPs a day trying to get access to my WP-Admin.

    I block these addresses every day. Do I keep on blocking, because I now have 110 blocked IPs?

    What do I do with these, because the more you block, the more want to get access?

    It is also time consuming in blocking these addresses every day.

    Moderator James Huff

    (@macmanx)

    I recommend asking at https://www.ads-software.com/support/plugin/wordfence so the plugin’s developers and support community can help you with this.

    Moderator bcworkz

    (@bcworkz)

    You’re understandably very cautious, but believe it or not, the best thing to do about all the admin accesses is not worry about them. Let Wordfence do what it does. It’ll be fine.

    It’s hard to not worry when your inbox is full of notices from Wordfence. Either have your mail client move them to a different folder so they are not so obvious, or adjust the notification threshold so you are only notified of the worst offenders (assuming there is such a setting, IDK)

    KobusG

    (@kobusg)

    I have another problem now.
    I cannot log in to WP-Admin. This is caused by Bullet Proof Security.

    The E-Mail I am receiving: –

    A User Account Has Been Locked
    To take further action go to the Login Security page. If no action is taken then the User will be able to try and login again after the Lockout Time has expired. If you do not want to receive further email alerts change or turn off Login Security Email Alerts.
    If your User Account is locked and you are unable to login to your website: Use FTP or your web host control panel file manager and rename the /bulletproof-security plugin folder name to /_bulletproof-security. Log into your website. Rename the /_bulletproof-security plugin folder name back to /bulletproof-security. Go to the BPS Login Security page and unlock your User Account.
    Username: admin
    Status: Locked
    Role: administrator
    Email: [email protected]
    Lockout Time: 14/02/2015 13:41
    Lockout Time Expires: 14/02/2015 14:41
    User IP Address: 78.6.29.46
    User Hostname: 78-6-29-46-static.albacom.net

    Request URI: /wp-login.php
    Site: https://firecorpgrp.co.za

    The IP in BOLD is not my IP. It is somebody intending to get into the website.

    Unfortunately I get locked out and I have to follow the instructions in Italics Font to recover and it does unlock the account, but every time I try to log in again it is the same story again. I am Locked Out again.

    Is there no way around this? It takes a lot of time to follow these steps.

    Moderator bcworkz

    (@bcworkz)

    Something’s not right here, WF should not be locking out ALL admin log in attempts, only those from that IP. At least IMO, I’m not that familiar with WF though. You’d have to inquire in their support forum, though it could be a little while to get a reply.

    You really shouldn’t have an “admin” username on your site for any reason. Do the workaround thing and either 1) add a new administrator user. Log in to the new administrator account and delete the admin user. You’re given the opportunity to move all admin posts to another user.

    OR 2) get into your DB via phpMyAdmin or whatever your host provides for this functionality. Find the admin user (usually ID 1 in the first row) in the users table and change the user_login and user_nicename entries.

    You can now log in under the new username even if the admin user is locked out from all IPs. Laugh at all the stupid bots that continue to try to login as admin though there is no such user.

    KobusG

    (@kobusg)

    If I go into WP-Admin, WP does not allow me to change the username.

    I will try as you suggested and see what is happening.

    Actually I did try to go to Bullet Proof Security Support, but I was diverted to this Forum.

  • The topic ‘Unauthorized access to my site’ is closed to new replies.