Here’s a security alert (below) that I received last night when some hacker tried to log into one of our client’s sites. In this case, the hacker was trying to get in, by accessing the site’s password retrieval function. Fortunately, the hacker was thwarted by the security plugin I set up for this client.
—–Original Message start of alert—–
Sent: January 21, 2018 9:53 PM
Subject: [Wordfence Alert] User locked out from signing in
This email was sent from your website “Site title” by the Wordfence plugin at Sunday 21st of January 2018 at 09:53:27 PM
A user with IP address 18.104.22.168 has been locked out from signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 2. The last username they tried to sign in with was: [removed]
User IP: 22.214.171.124
User hostname: 126.96.36.199
User location: Kristiansand, Norway
———end of alert————–
Ya – this time it’s Norway. Other times it’s India, Italy, Russia and dozens of other places hackers like to hide.
A little while back (I think it was November), we were made aware of what was believed to be sophisticated hacker or group of hackers, that began targeting 10’s of thousands of sites on the internet with a relentless “hack”. Some of our client’s sites were in their crosshairs as well, and as a result of this persistent hacking attempt, I received a lot of security alerts from a security plugin installed on our clients sites outlining “failed login attempts” in a very short period of time. It was clear this was a “brute force attack” in progress on many unsuspecting sites on the internet. We took action by making sure our client’s site’s backend elements were updated, and took manual action as well, to reduce and deter access to our client’s sites.
Anyhow, getting back to the reason for this post, if you look at the recent hacking notice above, you will see the latest alert came in overnight from a hacker in Norway (or at least that’s where that particular IP’s address’s location was determined to be), trying to access a site at 11pm, our time. The alert goes on to point out that the hacker was trying to gain access to the site by “hitting” the password retrieval function. However, since the security function is set to log and block IPs that have failed twice using the password retrieval function, that particular hacker’s IP address was summarily blocked from any further attempts to use that function or even the login function.
Another hack attempt came in just this morning on the same site, from a hacker with an IP address location of Costa Mesa in the US. This hacker tried to log into the site twice using random credentials – without success. Their IP address was summarily blocked out from trying to use the “login” function any time soon. The block of that hacker was successful, partially due to strong passwords in use on the client’s site, and of course, the security plugin that blocked the hacker’s IP after the failed login second attempt.
Security should not be something that’s just acknowledged, and then forgotten. Security measures, in the form of keeping one’s site updated and secure, should be an ongoing concern and a regular part of any site’s maintenance.
Think “Panama Papers” – https://en.wikipedia.org/wiki/Panama_Papers. Remember the security breach “hack” on that site? One theory on how the hackers got in, was thought to be through an out-of-date plugin, that was ultimately exploited to gain access to the site owners private members data. This data, was then exploited by the hackers for their own nefarious reasons. The rest is history.
Now, I don’t think anyone really will want to hack any small business site like yours and mine to get at sensitive client data. I say this because very few of us small business owners have sensitive data on board (we are very small fish in a big ocean). However, some small business site owners may have sensitive data on their site – on a secure page on the site, or in a database.
Regardless, even if you don’t’ have sensitive data a hacker may be after, we are all susceptible to those hackers trying to use our sites for nefarious purposes. Hackers are notorious for using the average site for many reasons, some of which may include propagating religious information, trying to create and establish back-links on sites (mostly bad ones) for their clients who pay hackers to try and improve their site page ranking on search engines. Or, it can be as simple as trying to spread negative or despicable propaganda that shouldn’t be propagated in the first place, never mind being distributed from an innocent business owners website.
This is where a site owners online and off-line reputation could become irreparably tarnished.
So what’s a site owner to do? Firstly, do not ever take security measures lightly. Instead, be proactive and make sure your site security becomes a regular part of your site’s maintenance routine. Ensure you are monitoring site activity, both on-page (traffic), and any failed login attempts and/or password retrieval requests. Make sure your login credentials are secure by using strong passwords which you should realistically change at least once per month. Also make sure your FTP access is secure (talk to your web hosting support about this) with strong passwords also.
Also, don’t forget to make sure only those people you trust that should have or need to have site access, have that access. In other words, don’t hand out your login credentials to just anyone.
Finally, especially for WordPress sites, get a good security plugin and make sure all your plugins are updated, and the WordPress framework is up to date. Perform security measures at least monthly, and you will be doing what’s necessary to deter “the nasty” from getting anywhere near your site.