WordPress.org

Support

Support » Plugins and Hacks » BulletProof Security » [Resolved] admin locked out

[Resolved] admin locked out

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author AITpro

    @aitpro

    Yep, there is another increased surge/wave of Brute Force Login Attacks going on again right now. We are getting slammed with emails from folks about this. We have created this Forum Topic below, which has some additional methods you can use to protect your site. More specifically what you can do about protecting publicly displayed usernames / user accounts / Login names / User ID’s on your website.

    All Login IDs, user accounts, login accounts locked out

    Plugin Author AITpro

    @aitpro

    Oh and to get back into your website use FTP or your web host control panel file manager, rename the /bulletproof-security plugin folder to /__bulletproof-security so that you can log into your site. Once you are logged in then rename the /bulletproof-security folder name back to its correct folder name. Then do the recommended step of creating an additional Admin user account that is NEVER used for posting posts and is ONLY used for logging into your site.

    Thank you.
    Unfortunately for me we have a community site with member pages, so I’m unable to hide my admin account. Strangely though the other accounts aren’t getting brute-forced. I did create a backup admin account though, and the passwords are all super strong.

    Like clockwork my account is getting locked every hour. I have it set to lock after 3 attempts.

    I’m using another activity monitoring plugin which shows me the attempted password. They are going through the dictionary.

    Plugin Author AITpro

    @aitpro

    Yep, login attacks are usually automated. Have you tried using the this Brute Force Login protection code below? On our sites this blocks around 200,000 login attacks per month (around 80% – 90%). A large majority of these automated login attacks use the HTTP/1.0 protocol.

    Protect Login Page from Brute Force Login Attacks

    # BRUTE FORCE LOGIN PAGE PROTECTION
    # Protects the Login page from SpamBots, HackerBots & Proxies
    # that use Server Protocol HTTP/1.0 or a blank User Agent
    RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ - [F,L]
    Plugin Author AITpro

    @aitpro

    Our BuddyPress/bbPress Forum site draws the most attention from hackerbots & spambots. We are using our JTC Anti-Spam / Anti-Hacker feature, which is basically a beefed up CAPTCHA plugin. If you are looking for free plugin alternative then install the SI CAPTCHA Anti-Spam plugin, which should significantly reduce the number of login form attacks.

    Plugin Author AITpro

    @aitpro

    Any luck?

    Yes, that stopped them cold, thanks!

    Plugin Author AITpro

    @aitpro

    Which things did you do? Just the Brute Force Login Page protection code or both the code and a CAPTCHA plugin?

    Plugin Author AITpro

    @aitpro

    Resolved.

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘[Resolved] admin locked out’ is closed to new replies.
Skip to toolbar