
WordPress: How To Stop Hacker & Creepy Crawler Spam Attacks

Block Hacker & Spammer Attacks

Recently I discovered how to setup an enhanced Real-Time hacker and spammer security solution, and it’s totally Free. It creates a “trap” for malicious hackers, spiders, bots and crawlers.

If you want to take a huge bite out of resource-robbing creepy crawler spam bots and human hackers alike, this article will provide easy instructions about how you can set up this security trap to guard against attackers on any WordPress site.

See Real-Time blocking in action… It really works!

Did You Know?

These monsters are responsible for a huge number of attacks on your site as well as mass Spam User Registrations!

What It Can Do

  • Block and lockout malicious crawlers, hackers and bots.
  • Prevent auto bots from posting comments if you require registration.
  • Stop automated bots from making posts.
  • Block / Lockout malicious human attackers and hackers.
  • Prevent re-registration of deleted spam users.
  • …and much more!

Effective Security Against IP Rotation Spoofing And Forging

While nothing can stop, block or lock out 100% of hackers and spammers, this security combo trap is able to lock out a large percentage of creeps and humans having bad intent, even those who are using rotating IPs, spoofed IPs and forged IP addresses. The IP is not locked out permanently, but long enough for most hacksters and spam-misters to give up and move on to another potential victim.

I’m not trying to sell or peddle anything here. This trap is a combined solution I put together that helped me immensely so I thought I would share it with others. It immediately started blocking malicious spiders, crawlers, potential hackers, locked-out deleted spam users and bad bots before they could do damage, login and/or re-register.

The Epidemic

Even if you just have one WordPress website, sooner rather than later, your site will become prey for countless human hackers and the never ending streaming plague of spamming hacking crawling spider bots; the scourge of the web.

You see, whether or not you have registration and/or comments shut down, the creepy crawler spam bots continue their spider-like activity of trying to hack, register, leave comments, send trackbacks and crawl your site, page after page, at lightning speed, looking for vulnerable URLs and user names to exploit. If they find even one user name they assume it belongs to the administrator or a high-level user of the site and then use it for an attempted log-in, believing that if it succeeds they can carry out their mission unobstructed. Otherwise they will try the username “admin” and any number of user names associated with content found on your site. If you have this trap set up properly, that malicious crawler or human will immediately get blocked. Legitimate crawlers and bots are never programmed to do this.

Crawler-bots can and will automatically register many thousands of users. Then they visit often dropping spam comments and posting poorly written spun content until they overload and break your site.

Unless you have a more powerful than average hosting plan it is likely they are already slowing down your site by stealing valuable server resources of bandwidth, CPU, ram memory and the number of concurrent connections your hosting account can support.

These bots can cause abnormally high page load times and trigger temporary denial of service to legitimate visitors.

Unfortunately, no single solution seems to work very well and enterprise level solutions are expensive, making them prohibitive for the vast majority of owner-webmasters.

Invisible and Silent Criminals

One of the problems we face when trying to stop this plague of humans and bots is we don’t see them coming and we don’t know who they are before or after the damage is already done.

However, with the right type of security plugins we can identify a small number of them before and a much larger number after. But this really falls short and takes a lot of hands-on personal time on our part to monitor, analyze and manage these free security solutions in helping to stop these criminals.

Unfortunately most of our efforts will only guard against possible future visits after the initial damage is already done. We become forever trapped in a cycle of personal time wasting involvement if we are to guard against future bots and human attackers.

The Admin Trap

Let’s set an automatic trap that catches a large number of both humans and bots in the act… before they do their damage!

This particular trap is based on the premise that most ill intentioned humans and crawlers test for the ‘admin’ user. Most wicked human spammer-hackers just can’t resist doing this and it seems that the majority of nasty crawlers are programmed for it. These crawlers are also responsible for bulk spam registrations and automated spam bot user log-ins. So when you block and kill a spider you also block a bunch of future spam registrations.

Using free WordPress security software plugins and painstaking observation, I learned that attempting to log in as administrator is one of their first malicious activities when landing on a website. Almost all will try to log in to WordPress sites as the administrator user, which by default is the user “admin”, and/or using the administrator’s “nickname”.

We can catch and stop a large number of these malicious visitors before they do damage by capturing their IP address and using it against them, with some specific security action rules I found in the Wordfence Security plugin for WordPress combined with changing the name of the WordPress default administrator user. Then I made sure to give the new administrator user a nickname. A recommended security practice is to make sure all users create and use public nicknames rather than their actual user names.

Steps To Set-Up The ‘Admin’ Security Trap

Step 1

  • Install the free or pro version of the Wordfence Security plugin.
  • Go to Wordfence options. Most of the best action options are pre-selected by default, but you must manually select several additional optional actions as part of creating the “Admin Trap”.
  • You might want to turn off automatic scanning because it can frequently use a lot of server resources while in action.
  • Adjust the “Firewall Rules” as you feel is best for your site.
  • Under “Login Security Options”:
    1. Make sure you limit login attempts. I am using 3 login failures and 2 password recovery attempts.
    2. I am counting failures over 30 minutes because I want as many deleted spammers and creepy bot users as possible to get locked out the next time the crawler or human spammer comes back.
    3. IMPORTANT: Select a long lockout period. I am using the max of 60 days.
    4. IMPORTANT: Put a check in the box for “Immediately lock out invalid usernames”.

  Note: Items 3 and 4 above are critical to creating the trap.

Step 2

  • Change (rename) the admin user to whatever works for you. To make it easy to remember I just added a couple of initials to the original admin name. Caution: do not change the password at the same time. The administrator username “admin” is located in the WordPress “wp_users” database table for your specific site. You can easily access and edit it directly using “phpMyAdmin”. This database administration tool is found in most hosting account management panels.
  • Alternatively you can install a “Rename Admin” plugin to accomplish the task. I have used both methods. After the change you can delete the plugin if desired. The recent plugin I used for this had not been tested with WordPress 4.0 but it worked just fine.
  • Important! Log into your WP admin area as administrator using your new administrator username. Go to “Your Profile”. Give yourself a public nickname (alias or pen name) that is different from your new admin user name. This is part of the sucker trap. When any user tries using the nickname to log in they will instantly get blocked and locked out.
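As an added illustration (my own model, not code from the article or from the Wordfence plugin), here is a Python version of the login rules the two steps above configure: a renamed admin login, a public nickname that is not a login, immediate lockout on unknown usernames, 3 failures counted over a 30-minute window, and a 60-day lockout. The login name, nickname, IPs and timestamps are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy values are the article's Wordfence settings.
MAX_LOGIN_FAILURES = 3                # "3 login failures"
COUNT_WINDOW = timedelta(minutes=30)  # "counting failures over 30 minutes"
LOCKOUT = timedelta(days=60)          # "the max of 60 days"
LOCK_INVALID_USERNAMES = True         # "Immediately lock out invalid usernames"
# Hypothetical site state: 'admin' renamed to 'adminjd'; public nickname differs.
VALID_LOGINS = {"adminjd"}
PUBLIC_NICKNAME = "Johnny Blogger"
# Constructed attempts: (minutes after start, source IP, username, password_ok).
SAMPLE_EVENTS = [
    (0, "198.51.100.7", "admin", False),         # bot probes the default name
    (1, "198.51.100.7", "adminjd", True),        # same IP, right password: still locked
    (0, "203.0.113.9", PUBLIC_NICKNAME, False),  # visitor tries the public nickname
    (0, "192.0.2.5", "adminjd", False),          # real admin mistypes once...
    (5, "192.0.2.5", "adminjd", False),          # ...and again
    (40, "192.0.2.5", "adminjd", False),         # first failure has aged out of the window
    (41, "192.0.2.5", "adminjd", True),          # so the admin still gets in
]

@dataclass
class LockoutPolicy:
    failures: dict = field(default_factory=dict)      # ip -> failure timestamps
    locked_until: dict = field(default_factory=dict)  # ip -> lockout expiry

    def login_attempt(self, ip, username, password_ok, now):
        # Returns 'allowed', 'failed' or 'locked' for one login attempt.
        if ip in self.locked_until and now < self.locked_until[ip]:
            return "locked"
        if LOCK_INVALID_USERNAMES and username not in VALID_LOGINS:
            # The trap: 'admin' no longer exists and the nickname was never a login.
            self.locked_until[ip] = now + LOCKOUT
            return "locked"
        if password_ok:
            return "allowed"
        # Keep only failures inside the counting window, then add this one.
        recent = [t for t in self.failures.get(ip, []) if now - t <= COUNT_WINDOW]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= MAX_LOGIN_FAILURES:
            self.locked_until[ip] = now + LOCKOUT
            return "locked"
        return "failed"

def replay(events=SAMPLE_EVENTS, start=datetime(2014, 9, 1, 12, 0)):
    # Replay the events in order and return the policy's decision for each.
    policy = LockoutPolicy()
    return [policy.login_attempt(ip, user, ok, start + timedelta(minutes=m))
            for m, ip, user, ok in events]
```

Note that in this model, as in the article's setup, a correct password does not unlock an IP that was caught by the trap; only the lockout period expiring does.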

From this moment on when the hackers and spammers, humans and bots, visit your site(s) this security software configuration will catch, stop and automatically block them for relatively long periods of time.

One Last Security Tip

Immediately prune / delete your spam and zombie users (users without approved posts or comments) as well as spam comment users. Also, optionally close user registrations and/or comments. Spammers and auto-bot-registered users generally don’t have or use nicknames associated with their profile. Many of them also have email addresses that are impractical to use or remember.

With this security trap you can not only stop, block and deter crawlers from future crawls and logins, you can also stop, block and deter returning human spammers. It works because anyone trying to log in using a non-existent user name automatically gets blocked and locked out based on their IP address, meaning they cannot even re-register for up to 60 days – long enough that they may go pick on some other website and scratch yours off their list.

Now you have it – “The Hacker Spammer Admin Trap”.
