Securing WordPress Against Botnets Hacking Attempts Worldwide On WordPress Sites

I too received a couple of emails from 2 different hosting providers I use, one of which is lunarpages, informing me of a recent onslaught of hacking attempts focused on wordpress websites all over the world now, and how to secure wordpress better. Although this is no new thing as these hacking attempts happen year round, there just seemed to be a surge these days and they’re centered on wp sites.

securing wordpress

If you used wordpress, chances are, you have email in your inbox telling you of this ongoing attack.

Anyway, they all advised everyone to be vigilant and not to take security for granted. If you’ve been hacked before, you’ll know what I mean.

Yes, I once ignored this kind of advise before, resting on an innocent thought that no one would have any reason to hack my site. That only the big sites are being actively attacked. No way Jose. We aren’t dealing with little insecure would be hackers here. What’s making all these attacks are bots… software that automates all hacking actions and attempts. Thus they can work 24/7, no rest at all. And more importantly, they don’t differentiate between big wbsites or small insignificant one-page sites. They devour everything in their path like a hungry lion that’s been genetically engineered to behave both like a lion and a hyena.

Lunarpages did notspecify how they handled the attacks but Fatcow revealed that they choked traffic to the login pages. The attack was temporarily stumped. The downside to this however is that legitimate wordpress owners’ IP may have been blocked as well from accessing their dashboards at least during the first 3 days starting Thursday.

What we can do

While hosting providers levelled up their security fences, we as webmasters are left with the responsibility of setting up the first line of defense.

  • We are advised to change our passwords every 90 days. And not just any password. We should employ strong passwords that are not listed among the passwords being feed to hacking bots in their nefarious attempts.
  • password protect your login page. This effectively adds an extra layer of protection for your websites agains these hacking bots.

    This methods can be done manually or through a wizard (if its available in your cPanel).

    Manually, you can follow the steps outlined on this page.

  • Install wordpress security plugins.

Additionally, if you haven’t installed them yet, then install two very essesntially security plugins for your wordpress site as discussed in this post.

What I Did After My Blog Got Hacked

the hacker
Back in January 2010, my blog got hacked. You can read about it in a post called h-a-ck-e-d and hacking begginers. Had that hacking experience not happened, I would still be evading or postponing much needed anti-hacking security measures, the way I evaded anything that, though important, entails a lot of work. Hmmm, this reminds me of some other matters that I have put off for a long time, like CPA, listbuilding, and other undertakings which may prove to be profittable. This post itself is long overdue, as some blogger friends had long invited me to guest blog about my hacking experience and what I did about it. Procrastination. Yeah, i even procrastinated about the need to overcome my procrastination.

Post Hacking Damage Control

First off, “I told you so”. I had browsed through a lot of blog security articles before but never really took them seriously. I thought I was an exception to the rule and my blog wouldn’t be hacked. After all, who would be interested to hack a blog that doesn’t have that much following? So, after finding out about the hacking, I had to wallow in the proverbial “I should have…” moment.

After a speechless minute, I proceeded to contact my webhost. Following protocol, they have suspended access to the login page to prevent further damage. I contacted my host and I was given back access to my site.

The first thing I did was to search for that hideous page that replaced my original main page. It was an index.html file that usurped my index.php page. On refreshing, the original main page flashed back to life and I realized how beautiful it was. Then, I had to browse through each file and folder in my account to restore proper permissions. Following the rule of 755 for folders and 644 for files, this exercise took me a painful couple of days to restore just the file/folder permissions structure of the main domain site. I have yet to check the files and folders of the subdomains and add-on domains under it.

I thought that was it. For a few days, the blog continued on its merry way, only to be totally suspended again after the webhost received feedback that my blog has been tagged as a phising site. This time, the blog and all my other add-on sites, both earning and non-earning, took unwanted vacations for a little over a week. My webhost did their own scans and found a script which had been planted in an interior folder (in the default theme folder! How clever!). The script was the culprit for the phising activites. It has something to do with trying to fool email recipients into revealing their paypal data, using my domain as the source of the scamming stupidities. The webhost renamed the file to stop it from executing itself but left it up to me to delete it. Thus, I promptly deleted it and its zipped version. Imagine someone using a sledgehammer to smash a trapped mosquito. That’s how I felt back then.

Whew! Finally it’s over! In its 8 days of non-operation, I only lost the opportunity to earn a little less than a thousand dollars, ok, kidding, actually just a few measly dollars (as my websites are relatively new and not earning much yet). I can only imagine how much the more established webmasters would have lost in the same period.

Wait! A week later, I received an email from my host that I have exceeded the email sending limit. What? At first, I thought it was my test self-hosted autoresponder that’s probably gone bonkers, but after deactivating it, the sending limit warnings kept on coming. After another combing through, Lunarpages pointed out an experimental email sender file I had installed a long time ago. The hacker, it turns out, had exploited and continued using it to send emails pretending to be sent from a Canadian bank. So, without hesitation, to the trash bin it went.

Defense Installations

My primary suspect that breached my security was a keylogger that got through due to my earlier hacker-friendly online lifestyle. Thus, I made sure this time that my internet security application imposed stricter measures against probable illegal incursions. In fact, I have really become paranoid enough to the extent of always having my task manager in view so that I could monitor every cpu usage spike and see who’s causing it. I also intended to buy a full version of BitDefendfer Internet Security but put it on hold again after finding out that the bug that caused some firefox plugins to not work has still not been resolved by Bitdefender.

I also installed the free version of Zone Alarm. It does get to be annoying sometimes with its popups but it makes you feel secure and protected at the same time.

I was advised about using Login Lockup to protect my login page. As with all plugins, I tested it first on a localhost server test site. It didn’t work as expected, and instead messed up my test site making it inaccessible anymore. Needless to say, I did not proceed with the Login Lockup plugin installation on my blog. Too bad, it would have been one good ‘first line of defense’ for my blog.

While in the past, I used to wait for months before I update wordpress to its newest version I now procrastinate only for a week or two (because I research first for reports about the new version’s bugs and discrepancies) before updating.

Whereas I used to be click-happy when it comes to links in my emails, I am more cautious this time. I have stopped my practice of satisfying my curiousity for each email that comes my way (even from the spam folder). Instead I hit the delete button more often now.

Additional Defense

Just recently, upon the ‘heads up’ of Sire of wassupblog I found a working alternative to Login Lockup. The ‘Limit Login Attempts’ plugin worked when I tested it. Another plugin passed my testing too – the ‘WordPress Firewall’ plugin. Proof that both plugins are working are the multiple emails I receive everyday about attack attempts being made on my blog e.g. ‘directory traversal attacks’*, etc. Now, I shiver at the thought of all the still unprotected wordpress blogs out there without these 2 plugins.

how to fend off hacking attacks


To sum it up, I believe the following are the basic things one should do in the event of a hacking situation.

1 – Contact your webhost immediately and pray that they are as helpful as Lunarpages, or better.
2 – Ask your webhost for help in scanning your whole website to locate malicious scripts hidden within your directories.
3 – Once you regain access to your site, change passwords. Use stronger passwords this time.
4 – Check the dashboard and make sure that the (User) owner’s email is still your email address reflected in there.
5 – If you are still using ‘admin’ as your username in wordpress, change it to something else.
6 – Check your directory structure. Follow the permissions rule about folders and files.
7 – Check your domain’s email account (the one you configured to be your email; e.g. If it has lots of bounced emails, or sent emails that you didn’t send yourself, proceed to change your email password or completely delete that particular account and create a new one. Then check your directories for some possible mail sending script.
8 – Update your wordress version.
9 – Install ‘Limit Login Attempts‘ plugin.
10 – Install ‘WordPress Firewall‘ plugin.

I’m sure there must be some other things I should do to make my sites more hack-proof. So far, these are the things I’ve done. How about you? What measures have you taken to protect your sites? Or, are you going to wait, like me, until it happens to you? Remember, the attacks are not necessarily made by humans. Most are robot apps that were programmed to find and exploit weak points and doorways in anyone’s sites. Thus, it doesn’t choose; it just razes through all sites that are on its path.

*Directory Traversal: is exploiting weak or insufficient security validation or sanitization of user-supplied input file names, so that characters representing “traverse to parent directory” are passed through to the file APIs. (source: wiki)

Latest WordPress Security Measures

Here’s a video I found just recently which prodded me to insert this update to this post.


Watch the above video to know the importance of creating appropriate user accounts for your wordpress site. Using your admin account for every activity you do in the dashboard is risky.

The expert speaker, Dre, will tell you what to do on your server side and on your wordpress admin side to secure your site even more, and a lot more strongly suggested things you can do e.g. using stronger passwords and utilization of password managers, disabling some features in your wordpress dashboard, really important security plugins you must have in your arsenal, etc.

Post-hacking Fun Un-related Video