Viewing 9 replies - 1 through 9 (of 9 total)
  • I turned on this option recently. Looking at my logs, I see that it works fine to ban users who use the login name “administrator” but not the name “admin.” iTSec should change this — there are many more attempts using “admin” than any other login name.

    Thread Starter archerdata

    (@archerdata)

    The best solution would be to let US make a list, one per line, in a text box, so we can include ANYTHING we see in our logs and all of the iterations, like:

    Administrator
    administrator
    admin
    Admin
    SysAdmin
    sysadmin
    etc

    I have pages upon pages of admin users in the banned list and no easy way of deleting all of them. The same goes for IP addresses. There is no easy way to remove all of the IP addresses or user names from the banned list. This point may be moot as far as I am concerned. I have had nothing but problems with this plugin. It is no longer saving changes, it reports 404 errors on itself, it reports chmod changes when none are needed.

    I don’t try to ban all the offending users but I do scan the logs for anyone who seems particularly persistent. Also, over time I’ve tightened up the lockout routine. Archerdata is right, though, the best solution is the option for a self-generated list as we already have for IP addresses.

    Is there any way of removing all the banned usernames, aka the 5 or 6 screenfuls of “admin” users along with the 5 screenfuls of IP addresses that the plugin has banned, without having to go line by line checking each and every one? Is the plugin just creating a flat list of usernames and not checking to see if that username is already in the list?

    I am trying hard not to turf this plugin since there is a serious issue with it not being able to save any changes.

    @archerdata (original post) and @yinn (second post)

    “The log has several thousand attempted ‘admin’ logins. Aren’t these supposed to be banned?”

    Not if the ip address differs with every attempt …
    But more importantly, just ticking the “Enable local brute force protection” checkbox and then enabling the “Automatically ban “admin” user” checkbox doesn’t mean it will work as expected …

    It will only work properly in combination with 3(!) other settings enabled … which complicates things a little bit …

    For proper functioning the following 3 settings also need to be set:

    Global Settings
    Write to Files [x] Allow iThemes Security to write to wp-config.php and .htaccess.
    Blacklist Repeat Offender [x] Enable Blacklist Repeat Offender

    Banned Users
    Ban Users [x] Enable ban users

    If any of the 3 above mentioned checkboxes are not enabled the “Automatically ban “admin” user” setting will not immediately ban the ip address in case anyone tries to login using the admin username.
    (Instead a temporary lockout on the ip address AND username (admin) will occur).
    (There will also be 3 entries added to the log. 2 “Host or User Lockout” entries (ip address and admin username) and 1 “Invalid Login Attempt” entry).

    When all the necessary checkboxes are ticked the ip address is banned immediately.
    (There will only be a temporary lockout on the username (admin))
    (And there will only be 2 entries added to the log. 1 “Host or User Lockout” entry (admin username) and 1 “Invalid Login Attempt” entry).

    An extra complication is possible when using Apache 2.4.
    As the iTSec plugin is still using Apache 2.2 style directives in the .htaccess file you need to make sure the mod_access_compat module is loaded in Apache 2.4 to ensure backward compatibility.
    Otherwise the lines added for banned IPs in the .htaccess file will break your site …

    If the above info answers the question asked in the initial post of this topic please mark the topic as ‘resolved’.

    dwinden
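As an added example (not code from the thread or from the iThemes Security plugin), a POSIX shell check for the Apache 2.4 caveat described above: it flags an .htaccess that still uses 2.2-style Order / Deny from / Allow from directives when mod_access_compat is missing from the loaded-module list, and prints the 2.4-native Require equivalent of the Deny lines. The .htaccess contents and module lists below are constructed samples; on a real server you would pass the site's .htaccess and the output of `apachectl -M`.

```shell
#!/bin/sh
# Constructed sample in the style of plugin-written ban rules (not the plugin's exact output).
SAMPLE_HTACCESS='# BEGIN iThemes Security (constructed sample)
Order allow,deny
Allow from all
Deny from 203.0.113.10
Deny from 198.51.100.7
# END iThemes Security'

# Constructed stand-ins for `apachectl -M` output, with and without mod_access_compat.
MODULES_WITHOUT_COMPAT='Loaded Modules:
 core_module (static)
 authz_core_module (shared)
 rewrite_module (shared)'
MODULES_WITH_COMPAT="$MODULES_WITHOUT_COMPAT
 access_compat_module (shared)"

uses_legacy_access_directives() {
    # $1: .htaccess contents. True if any Apache 2.2 access-control directive is present.
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(Order|Deny[[:space:]]+from|Allow[[:space:]]+from)[[:space:]]'
}

access_compat_loaded() {
    # $1: module list. On Apache 2.4 the compatibility module is listed as access_compat_module.
    printf '%s\n' "$1" | grep -q 'access_compat_module'
}

htaccess_risk() {
    # $1: .htaccess contents, $2: module list. Echoes a one-word verdict.
    if ! uses_legacy_access_directives "$1"; then
        echo "ok-no-legacy-directives"
    elif access_compat_loaded "$2"; then
        echo "ok-compat-loaded"
    else
        echo "RISK-legacy-directives-without-mod_access_compat"
    fi
}

deny_to_require_block() {
    # $1: .htaccess contents. Prints the Apache 2.4-native form of the 'Deny from' lines:
    # grant everyone, then exclude each banned address. Fails if there are no Deny lines.
    ips=$(printf '%s\n' "$1" | sed -nE 's/^[[:space:]]*Deny[[:space:]]+from[[:space:]]+([^[:space:]]+).*/\1/p')
    [ -n "$ips" ] || return 1
    echo "<RequireAll>"
    echo "    Require all granted"
    printf '%s\n' "$ips" | while read -r ip; do echo "    Require not ip $ip"; done
    echo "</RequireAll>"
}

htaccess_risk "$SAMPLE_HTACCESS" "$MODULES_WITHOUT_COMPAT"
htaccess_risk "$SAMPLE_HTACCESS" "$MODULES_WITH_COMPAT"
deny_to_require_block "$SAMPLE_HTACCESS"
```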

    I am using several security plugins on my sites, of which the iThemes Security plugin is one. I never allowed iThemes to write to the .htaccess or wp-config.php files as I am afraid it would lock out the site completely because it thinks it's the only security option installed in WordPress.

    As such I have decided to disable the user and ip blocking options in iThemes Security and rely on another security plugin to handle that process.

    Even after disabling the banning of IPs the plugin is still showing screen after screen of locked out hosts, which is false since the plugin does not have rights to write to .htaccess nor is it supposed to ban hosts.

    There are over 1100 of these locked out hosts whose bans shortly expire or expire in days or weeks.

    What option is generating these locked out hosts?

    Why are these IP addresses for the locked out hosts not showing up in the .htaccess rewrite rules in the plugin’s dashboard? When one manually inserts a banned IP there is a series of corresponding entries in the .htaccess rewrite rules.

    Seems that the plugin uses the .htaccess for some bans and not others. Is this correct?

    Bump


The topic ‘Auto ban admin user not working’ is closed to new replies.