Title: Admin lockout doesn't work anymore
Last modified: August 31, 2016

---

# Admin lockout doesn't work anymore

 *  [p4c](https://wordpress.org/support/users/p4c/)
 * (@p4c)
 * [10 years ago](https://wordpress.org/support/topic/admin-lockout-doesnt-work-anymore/)
 * Hi,
 * Latest release of iThemes Security
 * I’ve seen that the function: ban IP when it tries to log in with the “admin” account,
   is not working anymore.
 * I’ve got a ton of connections from different IPs that try to log in with the “admin”
   account and are not locked out.
 * I’ve tried to deactivate and reactivate this security option and it’s no better.
 * Could you help me?
 * Thanks,
 * [https://wordpress.org/plugins/better-wp-security/](https://wordpress.org/plugins/better-wp-security/)

Viewing 5 replies - 1 through 5 (of 5 total)

 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [10 years ago](https://wordpress.org/support/topic/admin-lockout-doesnt-work-anymore/#post-7333346)
 * [@p4c](https://wordpress.org/support/users/p4c/)
 * First thing to check is on which web server (and version) your site is running.
 * You can find this info in the iTSec plugin Dashboard page. Scroll down to the
   **System Information** metabox, **Server Information** section, **Server Type**.
 * The Web Server **version** is probably not displayed as a good hosting provider
   will prevent this info from being published.
 * dwinden
 *  Thread Starter [p4c](https://wordpress.org/support/users/p4c/)
 * (@p4c)
 * [10 years ago](https://wordpress.org/support/topic/admin-lockout-doesnt-work-anymore/#post-7333376)
 * Hi,
 * It’s running on Apache version 2.4.10
 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [10 years ago](https://wordpress.org/support/topic/admin-lockout-doesnt-work-anymore/#post-7333394)
 * [@p4c](https://wordpress.org/support/users/p4c/)
 * Ok good.
 * Next we need to make sure you have **enabled** all the required settings for 
   users to be banned permanently in the .htaccess file. So here we go:
    - Global Settings – **Write to Files**
    - Global Settings – **Blacklist Repeat Offender**
    - Banned Users – **Ban Users**
    - Brute Force Protection – **Enable local brute force protection**
    - Brute Force Protection – **Automatically ban “admin” user**
 * If any of these settings is not currently enabled, enable them now.
 * If banning is still not working after enabling all the required settings check
   your web server error_log for any errors.
 * Note that when banning an IP the iTSec plugin will normally add the following
   lines to the .htaccess file:
 *     ```
       # Ban Hosts – Security > Settings > Banned Users
       SetEnvIF REMOTE_ADDR "^192\.168\.111\.11$" DenyAccess
       SetEnvIF X-FORWARDED-FOR "^192\.168\.111\.11$" DenyAccess
       SetEnvIF X-CLUSTER-CLIENT-IP "^192\.168\.111\.11$" DenyAccess
       <IfModule mod_authz_core.c>
           <RequireAll>
               Require all granted
               Require not env DenyAccess
               Require not ip 192.168.111.11
           </RequireAll>
       </IfModule>
       <IfModule !mod_authz_core.c>
           Order allow,deny
           Allow from all
           Deny from env=DenyAccess
           Deny from 192.168.111.11
       </IfModule>
       ```
 * By default an IP will be banned after 3 (temporary) lockouts. So it takes 3
   invalid login attempts with the admin username to ban the IP. For any other user
   it takes 3×5=15 invalid login attempts.
 * dwinden
 *  Thread Starter [p4c](https://wordpress.org/support/users/p4c/)
 * (@p4c)
 * [10 years ago](https://wordpress.org/support/topic/admin-lockout-doesnt-work-anymore/#post-7333398)
 * Hi,
 * Thanks,
 * Allow iThemes Security to write to wp-config.php and .htaccess : Activated
 * Enable Blacklist Repeat Offender : Activated
 * Log Type : Database Only (you suggest file, is it necessary ?)
 * Enable ban users : Activated
 * Enable local brute force protection : Activated
 * Immediately ban a host that attempts to login using the “admin” username : Activated
 * I have several lines that show that banned users is working:
 *     ```
       # Ban Hosts – Security > Settings > Banned Users
       SetEnvIF REMOTE_ADDR "^5\.105\.195\.148$" DenyAccess
       SetEnvIF X-FORWARDED-FOR "^5\.105\.195\.148$" DenyAccess
       SetEnvIF X-CLUSTER-CLIENT-IP "^5\.105\.195\.148$" DenyAccess
       ```
 * And
 *     ```
       <IfModule !mod_authz_core.c>
       Order allow,deny
       Allow from all
       Deny from env=DenyAccess
       Deny from 5.105.195.148
       Deny from 37.130.227.133
       Deny from 41.79.60.154
       Deny from 46.119.125.177
       ….
       ```
 * In the error_log file, I don’t see any errors, just:
 *     ```
       [Fri Apr 29 07:32:04.896837 2016] [authz_core:error] [pid 3735] [client 210.213.148.170:11540] AH01630: client denied by server configuration: /var/www/69desirs/xmlrpc.php
       [Fri Apr 29 07:36:46.041697 2016] [authz_core:error] [pid 3788] [client 182.56.248.139:21648] AH01630: client denied by server configuration: /var/www/69desirs/xmlrpc.php
       [Fri Apr 29 07:38:03.117955 2016] [authz_core:error] [pid 4084] [client 46.236.154.82:55890] AH01630: client denied by server configuration: /var/www/69desirs/xmlrpc.php
       [Fri Apr 29 08:22:10.974403 2016] [authz_core:error] [pid 6370] [client 155.133.82.108:43837] AH01630: client denied by server configuration: /var/www/69desirs/xmlrpc.php
       [Fri Apr 29 08:33:16.641543 2016] [authz_core:error] [pid 7461] [client 78.48.39.184:54980] AH01630: client denied by server configuration: /var/www/69desirs/xmlrpc.php
       [Fri Apr 29 09:00:50.710309 2016] [authz_core:error] [pid 9700] [client 92.85.162.221:49986] AH01630: client denied by server configuration: /var/www/69desirs/xmlrpc.php
       [Fri Apr 29 09:13:17.336683 2016] [authz_core:error] [pid 9916] [client 41.200.247.67:41150] AH01630: client denied by server configuration: /var/www/69desirs/xmlrpc.php
       [Fri Apr 29 09:50:41.384263 2016] [authz_core:error] [pid 12945] [client 93.157.175.168:51366] AH01630: client denied by server configuration: /var/www/69desirs/xmlrpc.php
       ```
   
 * And I’ve got maybe 300 requests trying to log in with the admin account in maybe
   10 minutes. So I think something is going wrong.
 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [10 years ago](https://wordpress.org/support/topic/admin-lockout-doesnt-work-anymore/#post-7333412)
 * [@p4c](https://wordpress.org/support/users/p4c/)
 * >  Log Type : Database Only (you suggest file, is it necessary ?)
 * I didn’t suggest anything related to this setting … 😉
 * Ok, let’s go back to the beginning of this topic. What makes you think the banning
   of IPs that try to login with “admin” user is not working ?
 * Based on the info provided in your last post banning IPs seems to be working
   fine. The error_log clearly shows many IPs trying to access the xmlrpc.php file
   but being denied access. Probably because these IPs are listed in the Banned
   Users section of the .htaccess.
 * Do the IPs from .htaccess (Ban Users) and error_log correlate ?
 * I think you are suffering from an XMLRPC type Brute Force Attack which is distributed
   over many many many IP addresses. So the iTSec plugin is doing its work but
   login attempts as “admin” user keep hitting your site from different IPs …
 * If your site does not need XMLRPC disable it in the WordPress Tweaks section
   of the iTSec plugin Settings page. That will take care of the XMLRPC type Brute
   Force Attack.
 * dwinden
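
The correlation check asked for in the reply above (do the banned IPs in .htaccess match the denied clients in error_log?) can be scripted. This is an added example, not part of the original thread or of the iThemes Security plugin; the sample .htaccess fragment, log lines, paths and function names are constructed for illustration, and only IPv4 ban lines are handled.

```python
import re
from collections import Counter

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Ban lines in the layout of the Banned Users block quoted in the thread (IPv4 only).
BAN_RE = re.compile(rf"^\s*(?:Deny from|Require not ip)\s+({IPV4})\s*$", re.M)
# Apache 2.4 authorization denial: [client IP:port] AH01630: ...: /path
DENIED_RE = re.compile(
    rf"\[client ({IPV4}):\d+\] AH01630: client denied by server configuration: (\S+)")

def banned_ips(htaccess_text):
    """Return the set of IPs explicitly banned in the .htaccess text."""
    return set(BAN_RE.findall(htaccess_text))

def correlate(htaccess_text, log_text):
    """Split denied clients into banned / not banned and count the files they hit."""
    banned = banned_ips(htaccess_text)
    hits = DENIED_RE.findall(log_text)
    clients = {ip for ip, _ in hits}
    return {
        "denied_and_banned": sorted(clients & banned),
        "denied_not_banned": sorted(clients - banned),
        "targets": Counter(path.rsplit("/", 1)[-1] for _, path in hits),
    }

# Constructed sample data (documentation-range IPs, hypothetical site path).
HTACCESS = """\
<IfModule mod_authz_core.c>
<RequireAll>
Require all granted
Require not env DenyAccess
Require not ip 198.51.100.7
Require not ip 203.0.113.9
</RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
Deny from env=DenyAccess
Deny from 198.51.100.7
Deny from 203.0.113.9
</IfModule>
"""
_LINE = ("[Fri Apr 29 07:32:04.896837 2016] [authz_core:error] [pid 3735] "
         "[client {}:11540] AH01630: client denied by server configuration: "
         "/var/www/example/{}")
ERROR_LOG = "\n".join(_LINE.format(ip, name) for ip, name in [
    ("198.51.100.7", "xmlrpc.php"), ("192.0.2.44", "xmlrpc.php"),
    ("198.51.100.7", "xmlrpc.php"), ("203.0.113.9", "wp-login.php")])

if __name__ == "__main__":
    for key, value in correlate(HTACCESS, ERROR_LOG).items():
        print(key, value)
```

Clients listed under `denied_not_banned` were refused by some rule other than an explicit ban line, and a `targets` count dominated by `xmlrpc.php` matches the XML-RPC pattern described in the reply.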

The topic ‘Admin lockout doesn't work anymore’ is closed to new replies.

 * 5 replies
 * 2 participants
 * Last reply from: [dwinden](https://wordpress.org/support/users/dwinden/)
 * Last activity: [10 years ago](https://wordpress.org/support/topic/admin-lockout-doesnt-work-anymore/#post-7333412)
 * Status: not resolved