I have the same problem and I found it has been discussed here:
http://wordpress.org/support/topic/plugin-better-wp-security-bypass-to-login-hide-or-hide-backend
Currently, I manually ban any IP that has 3 login attempts. I hope the author of Better WP Security can fix it soon.
Hello, I have a quick fix if you want to try.
WARNING before you try it:
– I have tried it on my website and it works, but I guarantee nothing.
– Don’t blame me if it breaks your website.
– Backup your website before you try, especially the .htaccess file.
Step 1
Save your .htaccess file to your local computer (using cPanel > File Manager or FTP)
Step 2
Open the .htaccess file using a text editor.
Step 3
Find this text:
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule ^.*$ /wp-login.php?blablablablabla [R,L]
</IfModule>
# END Better WP Security
Step 4
Change it to:
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule ^.*$ / [R,L]
</IfModule>
# END Better WP Security
Step 5
Save it back to your website.
Note:
– The text blablablablabla is your secret key.
– Remember to make a backup before you try.
The disadvantage of using this trick is that if you save your settings on Better WP Security, the text will be reverted to the default.
Good luck.
Thanks for the fix.
On my site (using Chrome), the above fix seems to result in a recursion within .htaccess that ultimately resolves with a browser-reported error. This doesn’t work well for me because it is where I get dumped off to after doing site updates & maintenance.
Using the following I was able to change the location to the default page for my site:
RewriteRule .* http://mydomainname.com%{REQUEST_URL}? [R=301,L]
I’m not proficient with .htaccess & regular expressions, so there must be a more elegant solution. Please exercise caution and use the previously mentioned precautions.
Hopefully this will be fixed in an upcoming release of the plugin.
@softblue:
Great alternative to the rewrite rule in Step 4.
Serious flaw, but this explains the ongoing attacks. Curious to see what the author has to say. For now I have to agree with Handoko and SoftBlue.
You can also just edit your .htaccess properties to 777, save a page of WP Better Protect, and put the properties back to normal. Check your .htaccess again, and it’ll be modified.
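Because the plugin rewrites its .htaccess block whenever its settings are saved, the following check (an added example, not part of the original posts or the plugin's code) reports whether the loggedout=true rule in a given .htaccess text still redirects to wp-login.php with the secret key attached. The function name `audit_loggedout_rules` is hypothetical, and the sample texts are constructed from the rules quoted in Steps 3 and 4 and the alternative rule posted above.

```python
import re

COND = re.compile(r'^\s*RewriteCond\s+(\S+)\s+(\S+)', re.I)
RULE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)

def audit_loggedout_rules(text):
    """Report each RewriteRule guarded by a loggedout=true condition."""
    findings, pending = [], []  # pending: RewriteConds awaiting their rule
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue
        cond = COND.match(line)
        if cond:
            pending.append((cond.group(1).upper(), cond.group(2)))
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        conds, pending = pending, []  # conditions apply only to the next rule
        if not any(v == '%{QUERY_STRING}' and 'loggedout=true' in p
                   for v, p in conds):
            continue
        target = rule.group(2)
        flags = [f.strip().upper() for f in (rule.group(3) or '').split(',')]
        redirect = any(f == 'R' or f.startswith('R=') for f in flags)
        path, _, query = target.partition('?')
        # A redirect to wp-login.php with a non-empty query string
        # puts the secret key in the redirect target.
        leaks = redirect and 'wp-login.php' in path and query != ''
        findings.append({'line': no, 'target': target, 'leaks_key': leaks})
    return findings

# Constructed samples built from the snippets in the thread;
# "blablablablabla" is the thread's stand-in for the secret key.
COND_LINE = 'RewriteCond %{QUERY_STRING} ^loggedout=true'
TAIL = ['</IfModule>', '# END Better WP Security']
ORIGINAL = '\n'.join(
    [COND_LINE, 'RewriteRule ^.*$ /wp-login.php?blablablablabla [R,L]'] + TAIL)
STEP4 = '\n'.join([COND_LINE, 'RewriteRule ^.*$ / [R,L]'] + TAIL)
ALTERNATIVE = '\n'.join(
    [COND_LINE, 'RewriteRule .* http://mydomainname.com%{REQUEST_URL}? [R=301,L]'] + TAIL)

if __name__ == '__main__':
    for name, text in [('original', ORIGINAL), ('step 4', STEP4),
                       ('alternative', ALTERNATIVE)]:
        for finding in audit_loggedout_rules(text):
            print(name, finding)
```

Running it against the live .htaccess after every settings save shows whether the manual edit has been reverted.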