• Trinibabz

    (@trinibabz)


    I keep getting this message almost every day. Sometimes multiple times per day. Every time it’s a different IP address. What is causing this and how can I fix it? My site has been under constant attack from hackers in the past few weeks.

    Site Lockout Notification
    Dear Site Admin,

    A host, 1*****.*, has been locked out of the WordPress site at http://url.com due to too many bad login attempts.

    The host has been locked out until 2014-04-16 17:06:38 .

    https://wordpress.org/plugins/better-wp-security/

Viewing 5 replies - 1 through 5 (of 5 total)
  • How are you getting on with this problem now, trinibabz?

    I am using the same plugin and suddenly I’m getting a lot of site lockout notifications due to bad login attempts from Russia and neighbouring countries.

    My password is strong and I have backups of my site, so should I be worried or should I be doing something?

    Thread Starter Trinibabz

    (@trinibabz)

    Hi notepade, I clicked on the IP address that came with the notification and found an email with @columbucommunications.com that’s from a cable company in my country. So I sent the person who I learned was a dude who worked at the company and sent him a nice threatening letter, threatening to tell his employers that he was using company time and equipment to hack my site. Even sent him screenshots. I also made him out on my Facebook page which I am sure he stalks. And just like that the notifications stopped. Like magic lol. Seems he values his job over trying to hack my website.

    Hey Trinibabz,
    That was a neat trick, good it worked for you!

    Unfortunately, I keep getting ‘File change notice’ with weird info I don’t follow. Like ;Memory =1.25. Huh? That amidst thousands of lockout notifications. Yes, that’s right, I have nearly 2,000 log pages almost entirely comprising of bad log-in attempts since I installed this security setup.

    I have Brute Force protection enabled, I set my admin site to block all log-in attempts whenever I’m sleeping and I even enter the first three digits of ISP hosts making attempts in my ‘permanent ban host’ setting, i.e. host # 186.*.*.*–largely from China, Russia, Ukraine, Lithuania and Amsterdam and to a lesser degree from other places all over the world. Some of the host look-ups I’ve done point to uninhabited places in the middle of what could be Siberia. Very funny.

    Anyway, those wild-card stars make any host # starting with the first three # get blacklisted. It’s helped a little to do all that but I still feel uneasy with the undecipherable ‘file change notice’ that show up in my log daily.

    WTF? Does anyone know what goes with all of this? I’ve downloaded the free guide this Security development group created. Will report back again if I find any pearls of wisdom there-in.

    If this keeps happening, I might feel I have to resort to shutting down my admin after every time I finish working on it, leaving one tiny window of time that I would be able to get back in to change my shut down settings. Or whitelist my ISP before I quit, then do the lockout. That would be a pain.

    I am in the same boat, getting tons of site lockout notifications, and cannot keep up with adding all the IPs into the blacklist.

    I am wondering if there is a way to block users. I don’t think “user agents” is what I want – I don’t understand how to use that.
    I do not have a WP username of ADMIN, so is there a way to block anyone from trying to use that name? About half of my site lockouts come from someone just guessing that there is a username of ADMIN, the rest are actually using a valid username.

    Hey Jon–
    Admittedly, the ‘blacklist’ routine is a real pain, especially with the flimsy setup in the existing dashboard. Having to go to ‘log’ to get the ISP info from all the bad log-in attempts, then flip over to ‘settings’ to scroll down to the blacklist area is lame as all get-out. But someone has made a request to improve the blacklist interface. If you are willing to go to https://trello.com/c/EDSRmJvT/41-start-here-what-to-expect-how-to-request-features
    to sign-up for yet another account which allows you to vote on suggestions needed to make Security better, you can vote on this issue, make your own suggestions and more.

    Here’s my workaround to reduce the pain of blacklisting–
    1) go into ‘logs’, write a list in my note book of only the first digits before the first ‘.’ on the left. Most of the time, I end up with a list of mostly 3-digit entries, occasionally it’s 1 or 2, depending on what country the creeps originate from. It’s pretty quick to create a list like this.
    2) go over to the ‘settings’ tab and scroll down to the ‘blacklist’ area. Only enter the column of numbers you’ve just recorded in your notebook.
    3) When you’re done entering add the following to the end of one of your listed ISP prefixes– .*.*.*
    This creates a “wildcard” appendage for any of your listings that carry it. That means that any computer with an ISP beginning with your listed prefixes will be banned. All you have to do is copy your entered ‘.*.*.*’ and rip through your list with your down arrow, pasting in your wildcard notation to every listed item you’ve entered in your blacklist.

    This whole damn thing is tedious and is wrecking my content development time but it’s so necessary to blacklist. And I am finding that it’s helping somewhat, along with setting my ‘Away Mode’ feature (in the ‘Settings’ tab) for as long an interval as is possible–basically whenever I think I’ll be sleeping or definitely not working on my website. I note in my notebook the allowed log-in hours for my dashboard once I’ve set ‘Away Mode’. I’ll whitelist my current ISP when I’ve set my Away Mode whenever possible. I travel a lot so this isn’t always sensible but I whitelist my location whenever I can.

    I say all this is helping because my bad login attempt notices have reduced from upwards of 100 daily to just a handful. But there is still some bastard who’s getting in and effecting a ‘Memory’ file change. To what end, I don’t know. I wish this Security package would be thoroughly documented so we can understand what’s happening to our infiltrated sites. I’ve made this suggestion at the link I provided here. Go on over and vote for documentation if you agree.

    Good luck.
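
Added example, not part of the thread or the plugin's code: a Python audit of what a first-octet entry such as `186.*.*.*` actually bans, next to the tightest entries that still cover the same offenders, including whether the owner's own address gets caught. The offender IPs and `OWN_IP` are constructed sample values, and it is an assumption that the ban list also accepts narrower entries like `a.b.c.*` in the same wildcard notation.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation address ranges), not taken from the thread.
OFFENDERS = ["203.0.113.7", "203.0.113.9", "203.0.113.200", "198.51.100.4"]
OWN_IP = "203.44.1.20"  # hypothetical address the site owner logs in from

def wildcard_to_network(pattern):
    """Turn a ban entry such as '186.*.*.*' into the network it covers."""
    parts = pattern.strip().split(".")
    fixed = [p for p in parts if p != "*"]
    # Only trailing wildcards are meaningful: fixed octets first, stars after.
    if len(parts) != 4 or not fixed or parts != fixed + ["*"] * (4 - len(fixed)):
        raise ValueError(f"unsupported ban pattern: {pattern!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")

def audit(patterns, offenders, own_ip):
    """For each pattern: size of the ban, offenders it catches, and self-lockout risk."""
    own = ipaddress.ip_address(own_ip)
    report = {}
    for pattern in patterns:
        net = wildcard_to_network(pattern)
        hits = sum(ipaddress.ip_address(o) in net for o in offenders)
        report[pattern] = {"banned": net.num_addresses, "hits": hits, "blocks_owner": own in net}
    return report

def narrow_rules(offenders, min_hits=2):
    """Suggest the tightest entry per source: 'a.b.c.*' if a /24 repeats, else the single IP."""
    per_24 = Counter(ipaddress.ip_network(f"{o}/24", strict=False) for o in offenders)
    rules = []
    for o in offenders:
        net = ipaddress.ip_network(f"{o}/24", strict=False)
        rule = str(net.network_address).rsplit(".", 1)[0] + ".*" if per_24[net] >= min_hits else o
        if rule not in rules:
            rules.append(rule)
    return rules

if __name__ == "__main__":
    broad = sorted({o.split(".")[0] + ".*.*.*" for o in OFFENDERS})
    for name, rules in (("first-octet", broad), ("narrow", narrow_rules(OFFENDERS))):
        for pattern, row in audit(rules, OFFENDERS, OWN_IP).items():
            print(name, pattern, row)
```

With this sample, the first-octet entry bans 16,777,216 addresses and locks out the owner, while the two narrow entries ban 257 addresses and still match every offender.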

  • The topic ‘Site Lockout Notification – Log In Attempts’ is closed to new replies.