Plugin: iThemes Security (formerly Better WP Security) – Hundreds of lockout notifications trying to login as “admin”

Viewing 7 replies - 1 through 7 (of 7 total)
  • I think something is broken inside of the plugin.

    My admin user name is not “admin”, and I’m confident people aren’t trying to log on with it continuously every day. But I’m hammered with Site lockout notification e-mails, and am often prevented from logging in to my own website because of the plugin.

    I don’t know if there’s a conflict with another plugin, or if some other stuff is afoot.

    Suffice to say I’d like to get this sorted too. I like knowing that I have more security, but the constant warning e-mails that seem unrelated to any real life activity and being locked out of my own website (unless I disable the plugin using FTP), is getting to be annoying.

    Eivind

    Yes, my username is not “admin” and I have changed the login URL, and I still get hundreds of notifications trying to login as “admin”. It makes me think the website is not secure, plus it is very annoying!

    Russell

    (@russellcunning)

    None of my sites have ‘admin’ as a valid user. Attempts to log in as ‘admin’ are immediately permanently locked out. I have had lots of attempts to log in as ‘admin’ blocked by i-Themes Security, and I’m confident that they’ve been locked out permanently.

    I have changed the login slug to a random set of numbers and characters, but sadly few special characters work in the login slug (as it is part of a URL). Within 12 hours of changing the login slug, I get more attempts to log in as ‘admin’.

    I also have two factor authentication, so I’m inferring that i-Themes Security locks out hack attempts as soon as the hacker inputs ‘admin’ and whatever password, before the TFA kicks in. Is that correct?

    Are these hackers using password brute-force attacks to find the login slugs? Is there anything else I can do? I can’t understand how they can find the login page so quickly.

    Russell

    (@russellcunning)

    Just adding this because I forgot to tick ‘Notify me of follow-up replies via email’

    Is there anyone out there from iThemes Security that can answer this?

    I had a similar problem and couldn’t understand it until I saw another thread. These logins are coming from xml-rpc. Have you disabled it? Have you limited multi-call? xml-rpc allows a user to send “packets” of logins unless you specifically tell it not to do so. I had the same issue. Tons of “admin” logins even though I had ban admin checked. Where were they coming from? You guessed it, xml-rpc.

    Our response was two-fold.

    1) We limited multi-call abilities in xml-rpc.

    // Drop system.multicall from the list of XML-RPC methods WordPress exposes,
    // so a single xmlrpc.php request can no longer bundle many login attempts.
    function remove_xmlrpc_methods( $methods ) {
        unset( $methods['system.multicall'] );
        return $methods;
    }
    add_filter( 'xmlrpc_methods', 'remove_xmlrpc_methods' );

    2) I developed a custom rate limiting plugin. I won’t divulge details on that piece, but the multi-call function above may be a big help to you.

    Here is the article that helped me discover my xml-rpc issue.
    https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/


    By the way, there is a multi-call option under “wordpress tweaks > Multiple Authentication Attempts per XML-RPC Requests”

    Rather than trying the function above, see if setting that dropdown to “block” helps.
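The “packets of logins” described above are `system.multicall` requests whose inner calls each carry a username and password. As an added illustration (not code from the plugin or from anyone in this thread), the check below parses a request body and counts the credentialed calls it bundles, which is the shape a block rule such as the “Multiple Authentication Attempts per XML-RPC Requests” setting reacts to. The sample request bodies are constructed here, and the list of credentialed methods is an assumption covering the common ones.

```python
"""Count the login attempts bundled in one XML-RPC request body."""
import xml.etree.ElementTree as ET

# XML-RPC methods that take username/password as their first two params,
# so each call is effectively a login attempt (assumed, common subset).
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getPosts", "wp.getCategories",
                "blogger.getUsersBlogs", "metaWeblog.getUsersBlogs"}


def count_auth_attempts(body: bytes) -> tuple[str, int]:
    """Return (top-level methodName, number of credentialed inner calls)."""
    root = ET.fromstring(body)
    method = root.findtext("methodName", default="")
    if method != "system.multicall":
        return method, (1 if method in AUTH_METHODS else 0)
    # system.multicall carries an array of structs, each with a methodName
    # member and a params member; count the ones that authenticate.
    attempts = 0
    for struct in root.iterfind("./params/param/value/array/data/value/struct"):
        for member in struct.findall("member"):
            if member.findtext("name") == "methodName":
                if member.findtext("value/string") in AUTH_METHODS:
                    attempts += 1
    return method, attempts


def should_block(body: bytes, max_attempts: int = 1) -> bool:
    """Block multicalls that bundle more than max_attempts logins."""
    method, attempts = count_auth_attempts(body)
    return method == "system.multicall" and attempts > max_attempts


# Constructed sample bodies (not captured traffic).
def _inner_call(method: str, user: str, pw: str) -> str:
    return ("<value><struct><member><name>methodName</name><value><string>"
            f"{method}</string></value></member><member><name>params</name>"
            f"<value><array><data><value><string>{user}</string></value>"
            f"<value><string>{pw}</string></value></data></array></value>"
            "</member></struct></value>")


SAMPLE_MULTICALL = ("<?xml version='1.0'?><methodCall><methodName>system.multicall"
                    "</methodName><params><param><value><array><data>"
                    + "".join(_inner_call("wp.getUsersBlogs", "admin", f"guess{i}")
                              for i in range(50))
                    + "</data></array></value></param></params></methodCall>").encode()
SAMPLE_SINGLE = (b"<?xml version='1.0'?><methodCall><methodName>wp.getUsersBlogs"
                 b"</methodName><params><param><value><string>admin</string></value>"
                 b"</param><param><value><string>guess</string></value></param>"
                 b"</params></methodCall>")
```

A single `wp.getUsersBlogs` call still counts as one login attempt for the normal lockout logic; the multicall is what turns one HTTP request into dozens, which is why the lockout fires long before two-factor authentication is involved.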
