
Brute force is on the rise.

draggar

Up until a month or so ago my WP sites only had a few hack attempts a day mainly thanks to login-lockdown. Now, it's clear that someone or multiple people are using rotating IP addresses making login-lockdown obsolete - these sites are now getting hundreds of hack attempts a day (thank god my passwords are secure!).

Even setting it to 3 failed attempts in 24 hours resulting in a 1 week lockout I'm still getting dozens to hundreds per day on most of my sites. :(
 

amplify

Just have your passwords set like (or the longest possible)
DG*&CGDS*XB&*GCX^GCSUYBCD*IHNOCI-x()U(*SXbYBUAguyBSVCXV*&HX98x8HS(*Hb
Then, even with 1000s of brute force attempts running on supercomputers with 1000s of IPs, there's no way they can gain access. Even if they did, I'm sure you export your WP every now and then as well as make a full site backup automatically (daily, weekly, monthly).

My problem is somehow they keep figuring out the security holes in WP and inject approved comments that I have to go through and manually delete.

Also, you may want to play around with PHP shell_exec to see if your other websites could be affected by gaining access to one and editing a WP plugin to do horrible things.
 

draggar

I keep an eye on my sites (and so does my host) - I also update WP and plugins often, I try to log into each one at least once every two weeks.

As for the password, I have something easier to remember and still extremely hard to get - even impossible considering the PWs that the brute force attacks use.
 

amplify

It's good to remember a password, but if it's memorable by you it most likely has some kind of significance. Such as a name, year, place, etc. What I do to manage my websites is have an Excel file on a thumb drive that I use on my "white" box (business only computer) that stores all passwords and they are all different. It is even encrypted and password protected. I then remove it when inactive on the computer.

I have it set up so A is the site, B is the type of password (Email, FTP/cPanel, Wordpress, any other notes), C is the username and D is the password on one sheet.

On another sheet I have A as the account (GoDaddy), B as the way to access it, (http://www.godaddy.com), C the username, D the password and E the license (for example vBulletin, Wordpress theme sites and programs).
 

draggar

You can still make a password that is significant to you and still have it secure. Say you enjoy soccer,

S0cc3r
50cc.3r
5Oc_c3R

and so on - secure but still not hard to remember.

Also, considering what people use as passwords in my office I know my logins are more secure than the average password. :D
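As an added example that is not part of draggar's post, here is how a wordlist-based guesser handles substitutions of this kind: it expands a base word through a substitution table and a few separators, and every variant in the list above comes out as one candidate in a small, enumerable set. The substitution table, the separator set and the per-IP attempt limit used for the arithmetic are assumptions chosen for this illustration; the rule sets shipped with real cracking tools are far larger.

```python
import itertools
import math

# Substitution table: each lower-case letter maps to the characters a guesser
# would try in its place (assumed for this example; real rule sets are larger).
LEET = {
    "a": "aA4@", "e": "eE3", "i": "iI1!", "o": "oO0",
    "s": "sS5$", "t": "tT7+", "l": "lL1", "g": "gG9",
}


def letter_variants(ch):
    """Candidates for one character: the table entry, or just lower/upper case."""
    if ch in LEET:
        return LEET[ch]
    if ch.isalpha():
        return ch.lower() + ch.upper()
    return ch


def mangle(word, separators=".-_"):
    """All leet/case variants of `word`, plus each of those with one separator
    inserted at one interior position (covers forms like 50cc.3r and 5Oc_c3R)."""
    base = {"".join(p) for p in itertools.product(*(letter_variants(c) for c in word.lower()))}
    out = set(base)
    for cand in base:
        for pos in range(1, len(cand)):
            for sep in separators:
                out.add(cand[:pos] + sep + cand[pos:])
    return out


def ips_needed(candidates, attempts_per_ip):
    """Source addresses a rotating attacker needs to try every candidate while
    each address stays under a per-IP lockout threshold."""
    return math.ceil(candidates / attempts_per_ip)


if __name__ == "__main__":
    variants = mangle("soccer")
    print(len(variants), "candidates derived from 'soccer'")
    for pw in ("S0cc3r", "50cc.3r", "5Oc_c3R"):
        print(pw, "in candidate list:", pw in variants)
    # Assumed policy: lockout after 3 failures per IP, so 2 safe guesses per address.
    print("rotating IPs needed at 2 guesses each:", ips_needed(len(variants), 2))
```

With the table above, "soccer" expands to 4,608 candidates, and all three variants from the post are among them; at two guesses per address before a 3-strike lockout, the whole list fits in a pool of about 2,300 rotating IPs, which is the scale of pool the first post in this thread describes seeing.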
 

amplify

P4ssword is always a good password. One uppercase, one number and one lowercase, pretty secure. :)
 

chipmeade

Just have your passwords set like (or the longest possible) DG*&CGDS*XB&*GCX^GCSUYBCD*IHNOCI-x()U(*SXbYBUAguyBSVCXV*&HX98x8HS(*Hb
How did you get my password? That was my first license plate number. I use it to access my "Hello Kitty" fan site. Damn it. Now I have to change it and print out a new laminated card for my wallet.
 

draggar

I've decided to step up LoginLockdown.

I used to have it set to 3 failed attempts in 24 hours (from the same IP address) would result in a 10 day lockout. Now, 3 failed attempts (from the same IP address) in 10 days will result in a 100 day lockout.
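Both of draggar's posts (the opening one and this one) describe the same gap: a per-IP counter of the LoginLockdown kind never trips when each address in a rotating pool stays under the threshold, no matter how long the lockout is, even though a single account is absorbing hundreds of guesses. The following is an added example, not code from the thread or from any plugin, that runs a per-IP rule and a per-account rule over a constructed log sample; the log format, the addresses (RFC 5737 documentation ranges), the timestamps and the thresholds are all assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed log format for this example (not the format of any real plugin):
#   <ISO timestamp> wp-login FAIL ip=<addr> user=<name>
LINE_RE = re.compile(r"^(?P<ts>\S+) wp-login FAIL ip=(?P<ip>\S+) user=(?P<user>\S+)$")


def make_sample_log():
    """Constructed sample: 15 rotating addresses each guess 'admin' twice
    (under a 3-strike threshold), plus one real user who mistyped once."""
    lines = []
    minute = 0
    for host in range(1, 16):  # 203.0.113.1 .. 203.0.113.15
        for _ in range(2):
            lines.append(f"2013-04-12T03:{minute:02d}:00Z wp-login FAIL ip=203.0.113.{host} user=admin")
            minute += 1
    lines.append("2013-04-12T03:40:00Z wp-login FAIL ip=198.51.100.9 user=editor")
    return lines


def parse(lines):
    """Turn matching log lines into dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def per_ip_lockouts(events, threshold=3):
    """LoginLockdown-style rule: lock an address once it alone reaches `threshold`."""
    fails = Counter(e["ip"] for e in events)
    return {ip for ip, n in fails.items() if n >= threshold}


def per_account_view(events):
    """Per targeted username: (total failures, number of distinct source IPs)."""
    fails = Counter(e["user"] for e in events)
    sources = defaultdict(set)
    for e in events:
        sources[e["user"]].add(e["ip"])
    return {u: (fails[u], len(sources[u])) for u in fails}


def distributed_targets(events, min_fails=10, min_ips=5):
    """Usernames hit many times from many addresses: the pattern a per-IP
    counter is structurally unable to see."""
    return {u for u, (n, ips) in per_account_view(events).items()
            if n >= min_fails and ips >= min_ips}


if __name__ == "__main__":
    events = parse(make_sample_log())
    print("per-IP lockouts at 3 strikes:", per_ip_lockouts(events) or "none")
    for user, (n, ips) in sorted(per_account_view(events).items()):
        print(f"user={user}: {n} failures from {ips} distinct IPs")
    print("distributed brute force against:", distributed_targets(events))
```

On the sample, the per-IP rule locks nothing while the per-account view shows admin with 30 failures from 15 sources. Tightening the per-IP threshold or lengthening the lockout, as the post describes, does not change that outcome; a count keyed on the targeted account (driving an alert, a delay, or a second factor) is what the rotating pool cannot hide from.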
 

djriel

Up until a month or so ago my WP sites only had a few hack attempts a day mainly thanks to login-lockdown. Now, it's clear that someone or multiple people are using rotating IP addresses making login-lockdown obsolete - these sites are now getting hundreds of hack attempts a day (thank god my passwords are secure!).

Even setting it to 3 failed attempts in 24 hours resulting in a 1 week lockout I'm still getting dozens to hundreds per day on most of my sites. :(

Ouch...
I didn't know it was that bad.

I guess I'm glad I don't use WP :)
 
