Some suspicious activity on my WP blog - lots of new users mysteriously added.
Now deleted and I'm changing password, but it's not the first time this has happened.
My hosting co recommended a plug-in called Sucuri but I think this is $120/year and the blog is non-commercial.
I've seen a few references to CloudFlare - which apparently offers a free package.
I'm not a techie though, so thought I'd ask the experts here.
Can users register? Are they automatically added or do you have to approve them first? Were the mysterious new users automatically approved?
My WP website got hacked once. My recommendation is to keep the WordPress software and all plugins up to date. Create a new admin privilege user (different username to the default admin username) then get rid of the default 'admin' user. Make sure the admin password is STRONG and different to any other passwords you use.
Advice on the WordPress Codex (possibly a bit too techy):
http://codex.wordpress.org/Hardening_WordPress
Don't know anything about WP or whether you can do any programming with it, but a simple question like 'What is the opposite of cold?' and a textbox for the answer might sort it out.
Alternatively, could you generate two random numbers and require the sum to be entered into a text box?
Both of these assume some sort of registration process, obviously.
Simple, but spam bots shouldn't be able to get past it...
I should clarify, I'm talking about back end users.
Create a new admin privilege user (different username to the default admin username) then get rid of the default 'admin' user. Make sure the admin password is STRONG and different to any other passwords you use.
Sounds like a good idea, will look into it, ta.
Sounds like you've been hacked. In which case my original advice stands. New admin user with different username. Get rid of default admin user. Strong password. Keep the WP software, plugins and themes up to date.
Agree with all that. Have a regular user for posting content, you shouldn't need to use admin. Have an admin username that's just a random string of characters, with a long/strong password.
If your host can automatically patch WordPress (& plugins) for you, do so. The updates are frequent and if you have to do it yourself you'll fall behind. If they don't offer, consider switching to one that does.
WP and plugins are all up to date.
Will try the admin thing.
No need for additional security plugins then?
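
An added example, not part of any post in this thread: a small PHP audit script covering the checks discussed above (is registration open, does an 'admin' username still exist, who holds administrator rights, which accounts are new). It assumes WP-CLI is available on the host so it can be run with `wp eval-file audit-users.php`; the file name and the 30-day window are assumptions.

```php
<?php
// Added example: read-only audit of WordPress accounts. Changes nothing.
// Run inside WordPress, e.g.: wp eval-file audit-users.php
$window_days = 30; // assumption: how far back counts as "recent"
$findings    = array();

// Open registration is the usual innocent explanation for surprise accounts.
if ( get_option( 'users_can_register' ) ) {
    $findings[] = 'Registration is OPEN; new accounts get role: '
        . get_option( 'default_role' );
} else {
    $findings[] = 'Registration is closed; new accounts were not self-registered.';
}

// The thread's advice: the default "admin" username should not exist.
if ( username_exists( 'admin' ) ) {
    $findings[] = "A user named 'admin' still exists.";
}

// Every administrator should be an account you recognise.
foreach ( get_users( array( 'role' => 'administrator' ) ) as $u ) {
    $findings[] = sprintf(
        'Administrator: %s <%s>, registered %s',
        $u->user_login, $u->user_email, $u->user_registered
    );
}

// Accounts of any role created inside the window, newest first.
// user_registered is stored as a UTC "Y-m-d H:i:s" string.
$cutoff = time() - $window_days * DAY_IN_SECONDS;
$all    = get_users( array( 'orderby' => 'registered', 'order' => 'DESC' ) );
foreach ( $all as $u ) {
    if ( strtotime( $u->user_registered . ' UTC' ) < $cutoff ) {
        break; // sorted newest first, so the rest are older
    }
    $findings[] = sprintf(
        'Recent account: %s (%s), registered %s',
        $u->user_login,
        implode( ',', $u->roles ),
        $u->user_registered
    );
}

echo implode( PHP_EOL, $findings ) . PHP_EOL;
```

If registration is closed and unfamiliar administrators or recent accounts still appear, that points to a compromise rather than spam sign-ups.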