Hacking Attacks to WordPress Sites will Never Stop

Manuel Campos

Nobody can stop hackers from doing what they do. Hackers attack and hack thousands of WordPress websites every day.

Your site will never be free from their attacks.

Installing this and that and writing firewall rules can mitigate the attempts but your sites will still get some of the attacks

You gotta live with it.

These are my thoughts about some actions that some site owners implement to protect their sites and how useful they are to prevent hacking attempts

Blocking IP’s?

Hackers are constantly trying to hack WordPress sites

You can block all the IP’s that you want but if you know one thing or two about the Internet, you already know how easy is to get a new IP.

You can get a new IP for free and you can also pay for some premium solutions out there

I never block IP’s manually. It is dumb.

You are going to spend a lot of time finding and blocking IP’s and that’s gonna take a toll on your mental health.

If you have a plugin blocking IP’s for you, use it as long as it does the job without your intervention.

Blocking Countries?

Do I block countries?

I don’t block any countries because hackers can attack sites from anywhere in the world.

You can get a server for five bucks or less and attack from the United States if you really want to bypass a country-based firewall.

These were part of today’s attack that came from The United States.

Attacks from the US

What are you gonna do now?, Block USA?

Sometimes I challenge bots and humans from specific countries and the challenges last between 2 to 4 seconds but nobody likes them because we don’t like to wait for things when we are on the internet.

Blocking ASN’s?

I don’t like blocking ASN’s because some legitimate companies such as ad networks use them.

If you block Amazon or Digital Ocean servers, you have to build a whitelist and that takes time and work.

For example:

Let’s assume that you are blocking OVH, a hosting provider sometimes used to attack and find vulnerabilities.

If you use Ahrefs Webmaster tools, you have to whitelist the Ahrefs user agent because Ahrefs uses OVH to perform site audits.

If you block hosting providers, even the worst ones, you have to analyze the log and check if you are blocking a service you really need.

Blocking Referrers?

Blocking referrers also can be a waste of time. You can block all the referrers you want but hackers will do referrer spoofing

Referrer Spoofing “sends incorrect referrer information in an HTTP request in order to prevent a website from obtaining accurate data on the identity of the web page previously visited by the user

And what are you gonna do when the bots that brute force attack your site say they are legitimate Google or Facebook users?

Will you block Google?

Blocking User Agents?

Yes, There is user agent spoofing.

I think you get the point, you can be anybody on the Internet if you have the technical skills to do.

You can attack a site and identify yourself as Google, Bing and other user agents that you would never block because they are a good source of traffic.

I still block user agents, the usual suspects only.

Blocking HTTP versions?

I rarely block anything from accessing my sites. I prefer to challenge them.

Writing a challenge for some HTTP versions is a rule I have been playing with lately.

I have reduced a lot of bot traffic coming to my sites by blocking some old HTTP versions but I have to whitelist some legitimate user agents.

Blocking old HTTP versions might prevent some legitimate external services from working or interacting with your site so you gotta be careful with it.

By the way some attackers use modern HTTP versions in their attacks so recent HTTP version doesn’t always equal human.

Blocking Brute Force Attacks?

I think you can stop all brute force attacks once and for all using security plugins such All in One WP Security and Firewall or services like CloudFlare

Can a plugin fail to deliver? Can the CloudFlare Firewall be bypassed?

Yes, but hackers might not need your site as much as you think, they usually move to easy targets when they find some resistance.

Having said that, use a super strong password, something that you won’t be able to remember even if you life depended on it.

Something like this:


Remember brute force attacks are not magic tricks.

Brute Force attacks work because site administrators use easy-to-figure-out passwords or recycle their passwords in all the online services they use.

Once their Tinder accounts gets hacked, you know they are in trouble.

If you can block your login pages from the world like I do, Add challenges to your login form or limit failed login attempts to 5, your site will be fine.

If a hacker figures out your password after five attempts is because you are dumb.

Creating a Custom Firewall?

I like the idea of blocking whatever you want as long as I can see a pattern in it.

I block access to all my sites php files because my site visitors don’t need them.

I also block other patterns found on my 404 errors list. Patterns is the name of the game.

The problem with custom firewalls is that they take time to build and can’t be applied to all wordpress sites.

Custom Firewall help a lot but you still get some attacks here and there. They won’t stop the most common attacks but not all of them.

Installing Security Plugins?

I don’t use security plugins, I don’t like them that much and I don’t want to pay $80 a year for them either.

I prefer CloudFlare over any of the security solutions out there.

I would rather use those $70 to $90 bucks a year to upgrade my server.

Keep this in mind, using a security plugin won’t prevent your site from getting hacked if you are dumb.

Don’t install nulled plugins, use a decent hosting provider, use the most recent version of whatever you are using.

Manuel Campos, English Professor

Manuel Campos

I am José Manuel. I am writing about things I know and things that I am learning about WordPress. I hope you find the content of this blog useful.






© 2024 WP SURFER • Made with Love in Costa Rica