For the last few months I have been seeing a lot of hacking attempts against my site. They are distributed, so you can't simply block a single IP. 100k site requests per day are normal if you don't protect anything. Even if your system is secured well enough, this still costs server CPU time and bandwidth. So we need to lock those guys out as well as possible.

There are some things you simply have to do to protect your site:

  • Remove the admin user!! This is very important since it's the main attack vector for many attacks. Always choose a custom user name for your admin account. Delete the admin user afterwards!
  • Use a good password! No, 123 is NOT a good one.
  • Install a Web Application Firewall (WAF) like Akeeba Admin Tools.
  • Password protect your /administrator folder with a .htaccess file.
  • Protect your admin section with a URL appendix like /administrator?foobar. The Admin Tools mentioned above help you with that.

This works pretty well, but it was not enough. Admin Tools catches a lot of stuff, so you can see what's going on. Those guys still crawl my site and try to brute force the admin password. I don't even have this admin user anymore! I was not aware of any tool to stop this. So I wrote a stupid simple plugin that stops page generation as early as possible if somebody tries to log in with the user name 'admin'.

You can download this plugin here: Admin Brute Force Stop Plugin. After you have installed it you need to enable it. From now on it will block all requests that target the com_users component and have username=admin in the request.
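To show how such a check can be done in a Joomla system plugin, here is a minimal reimplementation of the idea. It is an added example, not the downloadable plugin from this post; it assumes Joomla 3's JPlugin, JInput and JLog API, the plugin name is hypothetical, and it matches the username case-insensitively, which goes slightly beyond the exact username=admin match described above.

```php
<?php
// Added example (not the author's plugin): a minimal Joomla 3 system plugin
// that ends the request early when a login aimed at com_users uses the
// username "admin". Hypothetical file:
// plugins/system/adminbruteforcestop/adminbruteforcestop.php
defined('_JEXEC') or die;

class PlgSystemAdminbruteforcestop extends JPlugin
{
    // onAfterInitialise fires before routing and dispatch, so a blocked
    // request costs almost no CPU time.
    public function onAfterInitialise()
    {
        $app   = JFactory::getApplication();
        $input = $app->input;

        // Only look at requests aimed at the user/login component.
        if ($input->getCmd('option') !== 'com_users') {
            return;
        }

        // The username may arrive via POST (login form) or GET; JInput merges both.
        $username = trim($input->getString('username', ''));

        // Case-insensitive match so "Admin" or "ADMIN" are caught as well.
        if (strcasecmp($username, 'admin') !== 0) {
            return;
        }

        // Record the attempt so the blocked traffic stays visible in the logs.
        $ip = $input->server->getString('REMOTE_ADDR', 'unknown');
        JLog::add(
            sprintf('Blocked login attempt with username "admin" from %s', $ip),
            JLog::WARNING,
            'adminbruteforcestop'
        );

        // Answer with 403 and stop page generation right here.
        $app->setHeader('Status', '403 Forbidden', true);
        $app->sendHeaders();
        $app->close();
    }
}
```

The plugin still needs the usual XML manifest next to this file and has to be enabled in the plugin manager before it does anything.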

If you have other ideas, just let me know.