Title: Attacks on my site via plugins
Last modified: October 11, 2016

---

# Attacks on my site via plugins

 *  [workinclasshero](https://wordpress.org/support/users/workinclasshero/)
 * (@workinclasshero)
 * [9 years, 8 months ago](https://wordpress.org/support/topic/plugin-vulnerabilities/)
 * _[ Moderator note: [moved to How-to and Troubleshooting](https://wordpress.org/support/topic/wheres-my-topic-gone?replies=1&view=all).]_
 * Someone has been attempting a brute force hack on my sites all weekend. I have
   Wordfence set up to block incorrect usernames but somehow he/she is now attacking
   my newest site I just put up last week that may not even be indexed by Google.
   It is a duplicate of a site and has all the same plugins so I am wondering if
   it is possibly a plugin that is causing this hacker to attempt to brute force
   my new site. This is like looking for a needle in a haystack I know but do you
   guys/gals have any suggestions? Here is my list of plugins installed:
 * A3 | Social Sidebar, Akismet, BNS Featured Category, Contact Form 7, Contact
   Form DB, Contextual Related Posts, Google Analytics by MonsterInsights, HiFi,
   InfiniteWP – Client, Jetpack by WordPress.com, Jquery Validation For Contact
   Form 7, Nelio A/B Testing, Prizm Image, Really Simple CAPTCHA, Responsive Menu
   Pro, Simply Exclude, W3 Total Cache, Wordfence Security, WP-Mail-SMTP, WP-Polls,
   Yoast SEO
 * I have been considering changing my URL for wp-admin to something else to see
   if that helps but I’m not sure if that will break anything.

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [9 years, 8 months ago](https://wordpress.org/support/topic/plugin-vulnerabilities/#post-8272224)
 * I wouldn’t bother attempting to obfuscate the fact you have a WP site. In some
   cases it might help, but in many other cases it wouldn’t make any difference.
   This measure would fall under “security by obscurity”, which isn’t real security,
   though it might help on occasion. For recommended security measures that are 
   actually effective, review [Hardening WordPress](https://codex.wordpress.org/Hardening_WordPress).
   Not all measures are for everyone, but if certain measures work for your situation
   and aren’t too onerous or difficult, then they’re likely worth implementing.
 * There are all sorts of reasons how hackers find targets to attack. The mere mention
   of WordPress is sometimes enough. I have a completely static site that mentions
   WordPress a few times and it gets all manner of WP hack attacks despite the fact
   there isn’t a single form on the entire site. Just registering a new domain name
   seems to be an invitation for hackers to probe the domain’s site for vulnerabilities.
 * It seems all plugin vulnerability probes are for long ago patched vulnerabilities.
   If you’ve kept your plugins updated and they are regularly maintained by the 
   authors, there’s not any reason for concern. Sure, there could be a zero day 
   vulnerability, but that’s highly unlikely.
 * Brute force attacks do not leverage plugin vulnerabilities anyway. As long as
   all admin users use good strong passwords, there’s nothing to worry about from
   brute force attacks. Hack attacks happen, it’s part of having a website. Beyond
   having your security measures in place, there’s little need for concern. If you
   also keep good backups (you need to do this if you aren’t), and your DB does 
   not contain anyone’s sensitive personal information, then there really is nothing
   to worry about.
 *  Thread Starter [workinclasshero](https://wordpress.org/support/users/workinclasshero/)
 * (@workinclasshero)
 * [9 years, 8 months ago](https://wordpress.org/support/topic/plugin-vulnerabilities/#post-8272312)
 * Thanks for the reassurance. I have Wordfence set up pretty secure with firewalls,
   login attempts, etc. The biggest concern was to cut down on server resources
   being used; I know how hard a brute force attack is on a site with a password
   over 6 characters so I’m not too worried about a hacker actually gaining access.
   I’d like to share this script in case anyone else is having issues. [https://github.com/masterguru/antibot](https://github.com/masterguru/antibot)
   is a script that will cut down on brute force attacks, just add the script to
   the root of the site then use an include to add the script to wp-login.php. You
   will need to update it when WordPress updates though because it will be overwritten.
 * I’ve looked over Hardening WordPress and am going to watch a video by Brad Williams
   about security ([http://wordpress.tv/2010/01/23/brad-williams-security-boston10/](http://wordpress.tv/2010/01/23/brad-williams-security-boston10/))
   but I think I’ve done just about all I can do. Thanks for the helpful advice.
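
An added example, not part of the original thread or of any project mentioned in it: bcworkz's reply separates password guessing from probes for plugin vulnerabilities, and the code below sorts web server access-log lines into those two groups, then splits the probes by whether the plugin is actually installed. The log lines, IP addresses, the `example-abandoned-plugin` slug and the installed-slug set are constructed, and the check assumes the "combined" access-log format.

```python
import re
from collections import Counter

# Constructed sample in "combined" access-log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2016:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
203.0.113.7 - - [10/Oct/2016:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
203.0.113.7 - - [10/Oct/2016:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
203.0.113.7 - - [10/Oct/2016:03:14:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.23 - - [10/Oct/2016:08:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
198.51.100.23 - - [10/Oct/2016:08:00:11 +0000] "GET /wp-content/plugins/contact-form-7/style.css?v=1 HTTP/1.1" 200 900 "-" "-"
192.0.2.50 - - [10/Oct/2016:09:30:00 +0000] "GET /wp-content/plugins/example-abandoned-plugin/a.php HTTP/1.1" 404 0 "-" "-"
192.0.2.50 - - [10/Oct/2016:09:30:01 +0000] "GET /wp-content/plugins/example-abandoned-plugin/b.php HTTP/1.1" 404 0 "-" "-"
192.0.2.50 - - [10/Oct/2016:09:30:02 +0000] "GET /wp-content/plugins/contact-form-7/missing.php HTTP/1.1" 404 0 "-" "-"
""".splitlines()

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
PLUGIN_RE = re.compile(r"^/wp-content/plugins/([^/]+)/")
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}  # both endpoints accept credentials


def triage(lines, installed, threshold=3):
    """Separate password guessing from plugin probing in access-log lines."""
    logins, probes = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, url, status = m.groups()
        path = url.split("?", 1)[0]
        if method == "POST" and path in LOGIN_PATHS:
            logins[ip] += 1
        elif status == "404" and (pm := PLUGIN_RE.match(path)):
            probes[pm.group(1)] += 1  # request for a plugin file that is not there
    return {
        # Sources with many credential POSTs: candidates for rate limiting.
        "brute_force_ips": {ip: n for ip, n in logins.items() if n >= threshold},
        # Probes for plugins this site does not run: background noise.
        "probes_not_installed": {s: n for s, n in probes.items() if s not in installed},
        # Probes that name an installed plugin: confirm it is up to date.
        "probes_installed": {s: n for s, n in probes.items() if s in installed},
    }


if __name__ == "__main__":
    installed = {"akismet", "contact-form-7", "wordfence"}  # assumed slugs
    for key, value in triage(SAMPLE_LOG, installed).items():
        print(key, value)
```

Only the `probes_installed` bucket bears on the plugin list in the question; the `threshold` default of 3 is an arbitrary value for the sample and should be raised for real traffic.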


The topic ‘Attacks on my site via plugins’ is closed to new replies.

## Tags

 * [brute force](https://wordpress.org/support/topic-tag/brute-force/)
 * [hacking](https://wordpress.org/support/topic-tag/hacking/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 3 replies
 * 3 participants
 * Last reply from: [garomans](https://wordpress.org/support/users/garomans/)
 * Last activity: [9 years, 8 months ago](https://wordpress.org/support/topic/plugin-vulnerabilities/#post-8291189)
 * Status: not resolved

