• Yesterday someone succeeded in creating 3 new accounts on a very small site I administer for a Community Garden. I have set up self-registration to be severely limited yet still they were able to bypass those restrictions. I have two questions about this:

    First of all, can anyone give me insight into what the goal is? Are the bots attempting to hijack the registration form for e-mail spamming?

    How can I make this process bulletproof? It’s a very small site and self-registration links have been removed. I can handle any registration needs manually. There is one link to self-registration that persists, on the log-in form. Though I’ve changed the default name of the self-registration form, mouse-over on the “REGISTER” button on the login form reveals the new name. Any ideas on how I can remove that button or anything else I can do to make the site less prone to such incursions?

    I’ve already set the whole site to ‘nofollow’. There’s no need for us to be found and indexed, though I expect it’s already too late for that. I’ve also taken the site offline for a few days to let the bots cool off.

    • This topic was modified 3 years, 1 month ago by Brian Grover.


Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator t-p

    (@t-p)

    We have some general recommendations at https://www.ads-software.com/support/article/hardening-wordpress/

    • This reply was modified 3 years, 1 month ago by t-p.

    First of all, can anyone give me insight into what the goal is? Are the bots attempting to hijack the registration form for e-mail spamming?

    This is very common practice. The goal is to allow things like unrestricted comments that will include spammy links, or to then seek to exploit the site using the default subscriber level of access that comes with being registered.

    I would add a captcha to the registration form to make it more difficult for bots to auto-register: https://www.ads-software.com/plugins/search/captcha/

    It also does no harm to add a firewall plugin, some of which will also help you to protect the registration form from misuse, and all of which will protect the actual login form: https://www.ads-software.com/plugins/search/firewall/

    Other than that, the link that t-p recommended has great advice about generally hardening your WordPress site. You can then monitor the registered subscribers through the WordPress dashboard and see how successful your measures are, although keep in mind that nothing can protect you against manual registrations. If they seem fishy, maybe email them directly to see if their interest in the site is genuine.

    Good luck!
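    An added example, not code from the thread or from WordPress itself: a must-use plugin that covers the original question (the REGISTER link that still appears on the login form) and the reply's advice to keep bots off the registration form while watching what they try. It assumes a standard WordPress install where the site owner handles all registrations by hand; the file name and log message are my own choices.

    ```php
    <?php
    /**
     * Plugin Name: Close Self-Registration (constructed example)
     * Save as wp-content/mu-plugins/close-self-registration.php so it
     * loads on every request and cannot be deactivated from the dashboard.
     */

    // 1. Force "Anyone can register" off no matter what is stored in the
    //    database. wp-login.php only prints the "Register" link when this
    //    option is truthy, so the link on the login form disappears too.
    //    The pre_option_* filter short-circuits the database read; the
    //    option_* filter covers any cached value that slips through.
    add_filter( 'pre_option_users_can_register', '__return_zero' );
    add_filter( 'option_users_can_register', '__return_zero' );

    // 2. Refuse the registration action outright. A bot that has already
    //    learned the form's URL can POST to it directly, so do not rely
    //    on the hidden link alone. Log the source address so repeated
    //    attempts are visible when reviewing the server's PHP error log.
    add_action( 'login_form_register', function () {
        $addr = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
        error_log( 'close-self-registration: blocked registration attempt from ' . $addr );
        wp_safe_redirect( wp_login_url() );
        exit;
    } );

    // 3. Belt and braces: veto any registration that still reaches the
    //    validation stage, e.g. through a plugin's own form that calls
    //    register_new_user(). Returning a WP_Error with an entry aborts it.
    add_filter( 'registration_errors', function ( $errors ) {
        $errors->add(
            'registration_closed',
            'Registration is closed. Please contact the site administrator.'
        );
        return $errors;
    } );
    ```

    Accounts the administrator creates from Users > Add New are unaffected, since that path does not pass through wp-login.php or registration_errors.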

    Thread Starter Brian Grover

    (@daboo2u2)

    Thanks guys I’ll keep plugging away at your recommendations.

  • The topic ‘Attempted Hack: How to fortify site?’ is closed to new replies.