Hacking Attacks to WordPress Sites will Never Stop

Nobody can stop hackers from doing what they do. Hackers attack and hack. Your site will never be free from their attacks.

Installing this and that and writing firewall rules can mitigate the attempts but your sites will still get them.

These are my thoughts about some actions that some site owners implement to protect their sites and how useful they are.


Blocking IPs?

You can block all the IPs that you want, but if you know a thing or two about the Internet, you already know how easy it is to get a new IP.

You can get a new IP for free and you can also pay for some premium solutions out there.

I never block IPs manually. It is dumb.

You are going to spend a lot of time finding and blocking IPs and that’s gonna take a toll on your mental health.

If you have a plugin blocking IPs for you, use it as long as it does the job without your intervention.

Blocking Countries?

Do I block countries?

I don’t block any countries because hackers can attack sites from anywhere in the world.

You can get a server for five bucks or less and attack from the United States if you really want to bypass a country-based firewall.

These were part of today’s attack that came from the United States.

[Screenshot: attacks from the US]

Sometimes I challenge bots and humans from specific countries, but it is a JavaScript-based challenge.

Cloudflare JavaScript challenges last around 5 seconds but nobody likes them because we don’t like to wait for things when we are on the internet.

Blocking ASNs?

I don’t like blocking ASNs because some legitimate companies use them.

If you block Amazon or DigitalOcean servers, you have to build a whitelist and that takes time and work.

For example:

Let’s assume that you are blocking OVH, a hosting provider sometimes used to attack and find vulnerabilities.

If you use Ahrefs Webmaster Tools, you have to whitelist the Ahrefs user agent because Ahrefs uses OVH to perform site audits.

If you block hosting providers, even the worst ones, you have to analyze the log and check if you are blocking a service you really need.

Blocking Referrers?

Blocking referrers can also be a waste of time. You can block all the referrers you want, but hackers will do referrer spoofing.

Referrer Spoofing “sends incorrect referrer information in an HTTP request in order to prevent a website from obtaining accurate data on the identity of the web page previously visited by the user.”

And what are you gonna do when the bots that brute force attack your site say they are legitimate Google or Facebook users?

Blocking User Agents?

Yes, there is user agent spoofing.

I think you get the point: you can be anybody on the Internet.

You can attack a site and identify yourself as Google, Bing and other user agents that you will never block.

I still block user agents but I often see bots pretending to be legitimate visitors.
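One way to tell a real Googlebot from a bot that only copies its user agent is forward-confirmed reverse DNS, the check Google documents for its crawlers. This is an added example, not code from this blog; the function names and the constructed DNS data (documentation IP ranges) are assumptions for illustration.

```python
import socket

# Reverse-DNS suffixes Google documents for its crawlers.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com", ".googleusercontent.com")

def reverse_lookup(ip):
    """PTR hostname for ip, or None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(hostname):
    """Set of addresses the hostname resolves to (empty on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()

def is_real_googlebot(ip, user_agent, reverse=reverse_lookup, forward=forward_lookup):
    """True only when a Googlebot user agent is backed by matching DNS."""
    if "googlebot" not in user_agent.lower():
        return False  # does not claim to be Googlebot
    host = (reverse(ip) or "").lower().rstrip(".")
    if not host.endswith(GOOGLE_SUFFIXES):
        return False  # no PTR record, or one outside Google's domains
    return ip in forward(host)  # a PTR can be set by anyone; confirm it forward

# Constructed DNS data (documentation IP ranges) so the demo runs offline.
FAKE_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
            "198.51.100.7": "host7.example.net",
            "203.0.113.5": "crawl-1.googlebot.com"}  # PTR set by the sender
FAKE_A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
          "crawl-1.googlebot.com": {"192.0.2.99"}}
UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def demo():
    """Check each constructed IP that sends the Googlebot user agent."""
    return {ip: is_real_googlebot(ip, UA, FAKE_PTR.get,
                                  lambda h: FAKE_A.get(h, set()))
            for ip in FAKE_PTR}

if __name__ == "__main__":
    for ip, ok in demo().items():
        print(ip, "verified" if ok else "spoofed user agent")
```

With the default resolvers the same function performs live DNS lookups, so cache the result per IP instead of resolving on every request.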

Blocking HTTP versions?

I rarely block anything from accessing my sites. I prefer to challenge them.

Writing a JavaScript challenge for some HTTP versions is a rule I have been playing with lately.

I have reduced a lot of bot traffic coming to my sites by blocking some old HTTP versions but I have to whitelist some legitimate user agents.

Blocking old HTTP versions might prevent some legitimate external services from working or interacting with your site, so you gotta be careful with it.

By the way, some attackers use modern HTTP versions in their attacks, so a recent HTTP version doesn’t equal human.

Blocking Brute Force Attacks?

I think you can stop all brute force attacks once and for all using security plugins such as All in One WP Security and Firewall or services like Cloudflare.

Can a plugin fail to deliver? Can the Cloudflare Firewall be bypassed?

Yes, but hackers might not need your site as much as you think. They usually move to easy targets when they find some resistance.

Having said that, use a super strong password, something that you won’t be able to remember even if your life depends on it.

Something like this:

0mNSzED4BbsQ!9@odBbKSHD7%RZlTS

Remember brute force attacks are not magic tricks.

Brute force attacks work because site administrators use easy-to-figure-out passwords or recycle their passwords in all the online services they use.

Once their Tinder account gets hacked, you know they are in trouble.

If you can, block your login pages from the world like I do, add challenges to your login form, or limit failed login attempts to 5.

If a hacker figures out your password after five attempts, it is because you are dumb.

Creating a Custom Firewall?

I like the idea of blocking whatever you want as long as I can see a pattern in it.

I block access to all my sites’ PHP files because visitors don’t need them.

I also block other patterns found on my 404 errors list. Patterns is the name of the game.

The problem with custom firewalls is that they take time to build and can’t be applied to all WordPress sites.

Custom firewalls help a lot, but you still get some attacks here and there. They will stop the most common attacks but not all of them.
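Finding patterns in a 404 list can be done from the access log. The script below is an added example, not the author's own tooling: it groups 404 requests into path patterns, keeps the ones hit repeatedly from several IPs, and drops any pattern that also served a real page. The log lines are constructed and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Common/combined log format: client IP, request path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.1 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/uploads/shell.php HTTP/1.1" 404 0
192.0.2.1 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/x/up.php HTTP/1.1" 404 0
198.51.100.4 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-content/themes/a/404.php?c=1 HTTP/1.1" 404 0
198.51.100.4 - - [01/Jan/2024:10:00:04 +0000] "GET /.env HTTP/1.1" 404 0
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /.env HTTP/2.0" 404 0
192.0.2.1 - - [01/Jan/2024:10:00:06 +0000] "GET /.env HTTP/1.1" 404 0
203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /wp-includes/js/old.js HTTP/2.0" 404 0
203.0.113.9 - - [01/Jan/2024:10:00:08 +0000] "GET /wp-includes/js/jquery.js HTTP/2.0" 200 512
198.51.100.4 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-includes/js/a.js HTTP/1.1" 404 0
192.0.2.1 - - [01/Jan/2024:10:00:10 +0000] "GET /wp-includes/js/b.js HTTP/1.1" 404 0
"""

def pattern_of(path):
    """Exact path for root-level files, top directory + extension below it."""
    parts = path.split("?", 1)[0].lower().strip("/").split("/")
    if len(parts) == 1:
        return "/" + parts[0]
    ext = re.search(r"\.[a-z0-9]{1,5}$", parts[-1])
    return "/%s/**%s" % (parts[0], ext.group(0) if ext else "")

def rule_candidates(log_text, min_hits=3, min_ips=2):
    """Return (pattern, 404 hits, distinct IPs) for repeated 404 patterns."""
    misses, ips, served = defaultdict(int), defaultdict(set), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        pat = pattern_of(path)
        if status == "404":
            misses[pat] += 1
            ips[pat].add(ip)
        elif status[0] in "23":
            served.add(pat)  # blocking this pattern would break real pages
    found = [(p, n, len(ips[p])) for p, n in misses.items()
             if n >= min_hits and len(ips[p]) >= min_ips and p not in served]
    return sorted(found, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    print(rule_candidates(SAMPLE_LOG))
```

On the sample log, `/wp-includes/**.js` collects three 404s but is not proposed because the same pattern also returned a 200, which is the check to make before turning any pattern into a block rule.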

Installing Security Plugins?

I don’t use security plugins, I don’t like them that much and I don’t want to pay $80 for them either.

I prefer Cloudflare over any of the security solutions out there.

I would use those $70 to $90 a year to upgrade my server.

Keep this in mind: using a security plugin won’t prevent your site from getting hacked if you are dumb.

Don’t install nulled plugins, use a decent hosting provider, and use the most recent version of whatever you are using.

Manuel Campos, English Professor

I am José Manuel. I am writing about things I know and things that I am learning about WordPress. I hope you find the content of this blog useful.

© 2024 WP SURFER • Made with Love in Costa Rica