jimoe

Yes, changing our site provider is on my fun list. Their tech support has degraded noticeably: email only, 3 hour to 3 day response times. They do not refund any “unused” subscription fund if I terminate service before the end of the annual agreement.

Hmm.
Thank you.

I wrote a bash script to handle this. It have cron run the script once a week.
– It assumes ~/.mylogin.cnf is defined for authentication.
– It creates a list of busy hackers.
– It deletes entries older than 2 weeks.

cd ${DST_DIR}
#
# Get a list of the most prolific offenders,
# more than 20 attempts in the last 2 weeks.
#
filo=”$DST_DIR/lockdown-ip-count-“date +%FT%H.%M.%S“.csv”
sqlcmd=’select count(t.login_attempt_id) as ip_count,t.login_attempt_ip’
sqlcmd=”$sqlcmd from dbname.wp_login_fails t”
sqlcmd=”$sqlcmd where datediff(now(), t.login_attempt_date) < 15″
sqlcmd=”$sqlcmd group by t.login_attempt_ip having (20 < ip_count)”
sqlcmd=”$sqlcmd order by ip_count desc;”
# echo $sqlcmd
# exit 0

mysql –login-path=sohne_admin -e “$sqlcmd” > $filo
rtn=$?

# echo “mysql return value [$rtn]”

#
# Clean the database tables.
#
if [ 0 -eq $rtn ]; then
sqlcmd=’DELETE FROM dbname.wp_lockdowns WHERE 14 < datediff(now(), dbname.wp_lockdowns.lockdown_date);’
mysql –login-path=sohne_admin -e “$sqlcmd”
rtn=$?
# echo “mysql return value [$rtn]”

sqlcmd=’DELETE FROM dbname.wp_login_fails WHERE 14 < datediff(now(), dbname.wp_login_fails.login_attempt_date);’
mysql –login-path=sohne_admin -e “$sqlcmd”
rtn=$?
# echo “mysql return value [$rtn]”
else
echo “Login Lockdown data collection failed.”
echo ” Login tables not cleaned.”
fi
exit 0

What is the “WordPress slack channel” and how do I access it?

The list of roles is missing Contributor, and has Administrator twice.

I am inferring from your statement that a roles is removed from the list if there are no users with a role. What about the repeated Role?

A response next week, then?

Aside: The stated problem, not receiving notifications, has resolved itself.

I missed your first reply.

What is WordPress slack?

Never mind. Operator error.

I just discovered the reason: A “sucuri.log” file already existed in the target directory. (Don’t ask.) After erasing the file and adding the path again, the settings became enabled.

There are also almost 17,000 entries in wp_lockdowns. Can this table be emptied as well?

Not a good solution…

I de-activate the Yoast SEO plugin.
Periodically I activate it to let it do its stuff.

The Pro version allows to ignore specific events and messages.

> then you did not properly clean up the earlier hack vector.
>
No doubt. So far, I have not found the vector.

We keep having someone(s) breaking into our site. We have followed the hardening suggestions, scanned for malware. Still hacked.

They always break in as administrators. If I could prevent new users, problem solved?

I did have multiple pages published; no request about static or frontpage.

The theme customization, though, dose have a setting for selecting the home page. That worked.

Been there. Done that. Didn’t help.

I found where that page was located.

I have become so used to all pages being dynamically allocated that looking in the root directory of the website did not occur to me right away. Removing that directory cleared that issue.

Note to Mr Stern: I have followed various guides and security measures. The way the site got hacked was outside of WordPress. After acquiring “root” access for our account, everything else was easy.

Ah. I see what has happened.

The plugin “User Activity Log” adds an activity entry every time a page is visited, and Yoast SEO adds an OG or Twitter entry.

Hmm. Choices: Have the additional meta entries and 1000s of activity log entries. Or neither.