Support » Plugin: BulletProof Security » Locked Out

  • Resolved mco5044

    (@mco5044)


    Since installing BPS Security, it keeps locking out my admin username on http://mycavetools.com

    I tried changing the password on the username, but that didn’t work either. It looks like robots keep trying to login with my username and the plugin is locking it down. That’s great, but it should go on IP address because otherwise I keep getting locked out for hours on end.

    Each time I finally log in, I unlock the username and then it happens all over again. I’m at the point where I’m about to uninstall because it’s too much hassle.

    https://wordpress.org/plugins/bulletproof-security/

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author AITpro

    (@aitpro)

    You want to take care of this permanently so that your site does not get hacked eventually. If you do not take care of this permanently and do nothing then it is only a matter of time until your WordPress password will be cracked and the hacker will log into your site as an Administrator and do whatever he/she wants with your website.

    Are you using the default WordPress “admin” username/user account? If so, create a new Administrator username/user account. Make sure that you change the role to Administrator. Log out of your site and log back in with the new Administrator account you just created and then delete the WordPress default “admin” user account. Choose to have all posts associated with your new Administrator user account.

    See these help posts links below for additional things that you can do to protect your login page and website from being hacked:

    http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
    http://forum.ait-pro.com/forums/topic/user-account-locked/
    http://forum.ait-pro.com/forums/topic/revealing-the-admin-or-editor-user-name-and-not-knowing/
    http://forum.ait-pro.com/forums/topic/wordpress-author-enumeration-bot-probe-protection-author-id-user-id/

    Also this is very neat plugin that will protect your login page: https://wordpress.org/plugins/rename-wp-login/

    Plugin Author AITpro

    (@aitpro)

    Assuming all questions have been answered – Thread has been resolved. If you have additional questions about this specific issue please post them. Thanks.

    mco5044

    (@mco5044)

    Hi,

    We are not using “admin” or anything similar like index as the admin account. It is a regular username. I’ll try protecting the login page to see if that works.

    Plugin Author AITpro

    (@aitpro)

    FYI – it took me 3 guesses/tries to guess your Administrator user account – bots do this automatically.

    I tried variations of your website name. The user account name is: cave tools

    The Login error message gives away that I guessed correctly.

    ERROR: The password you entered for the username cave tools is incorrect. Lost your password?

    Secure Usernames are just as important as secure passwords.

    Example Secure username: b4x8t7u5z

    Plugin Author AITpro

    (@aitpro)

    BPS Login Security allows you to change the Login error messages so that they do not display anything useful to a hacker, but in this case you need to create a secure Administrator user account since after bots check the most commonly used “administrator” user account names, they start trying variations of the site name next and then move on to other obvious/known vectors.
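    The generic login error message described above, as an added example that is not part of this thread or of the BPS plugin: a small mu-plugin that replaces the core “The password you entered for the username X is incorrect” style messages with a single non-disclosing one, and logs each failed attempt with its source IP so the site owner can see which addresses are triggering a username lockout. It assumes WordPress core's `invalid_username`, `invalid_email` and `incorrect_password` error codes and the `$errors` global that wp-login.php builds for the current request.

```php
<?php
/**
 * Drop into wp-content/mu-plugins/generic-login-errors.php (example code,
 * not BPS code). Hides whether a guessed username exists and records the
 * IP behind each failed login.
 */

// Core error codes that confirm or deny the existence of a username.
const DISCLOSING_LOGIN_ERROR_CODES = ['invalid_username', 'invalid_email', 'incorrect_password'];

/**
 * Returns a generic message for credential errors; other messages such as
 * "empty_username" are passed through unchanged.
 */
function generic_login_error_text($error_html, array $codes) {
    if (array_intersect($codes, DISCLOSING_LOGIN_ERROR_CODES)) {
        return '<strong>Error:</strong> Login failed. Check your details and try again.';
    }
    return $error_html;
}

add_filter('login_errors', function ($error_html) {
    global $errors; // WP_Error assembled by wp-login.php for this request
    $codes = is_wp_error($errors) ? $errors->get_error_codes() : [];
    return generic_login_error_text($error_html, $codes);
});

// Write one line per failed login to the PHP error log: which account was
// targeted and from where. Check this before unlocking a locked user.
add_action('wp_login_failed', function ($username) {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    error_log(sprintf('wp_login_failed user=%s ip=%s', sanitize_user($username, true), $ip));
});
```

    Because the attempts are logged by IP, repeated failures against one account from a single address can be blocked at the web server or firewall instead of locking the legitimate user out.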

    mco5044

    (@mco5044)

    The cavetools username is actually only an author level user, not an admin. Point taken though about ease of guessing.

    It is a completely different username that is the admin and getting locked out.

    I still haven’t been able to log in since yesterday because I keep getting locked out and I don’t feel like going through the hassle of deleting your plugin via FTP. Once I get in, I’ll change the login page and the admin username and hopefully that will work.

    Plugin Author AITpro

    (@aitpro)

    You don’t need to delete a plugin to temporarily turn it off/disable it via FTP. Just rename the plugin’s folder. ie /bulletproof-security renamed to /_bulletproof-security. Log back in and then using FTP rename /_bulletproof-security back to /bulletproof-security.

    Plugin Author AITpro

    (@aitpro)

    Also you should have a second Administrator login account that is ONLY used for logging into the site and NEVER used to create Posts. By NEVER creating a Post with that second Administrator account and ONLY using it to login to the site then that Administrator user account will NEVER be displayed publicly on the frontend of your website in Author URLs and will NEVER be locked.

    Plugin Author AITpro

    (@aitpro)

    Example: mycavetools.com/author/iannuzzi/

    This user account is exposed publicly in the Author URL. I assume this is an Administrator user account.

    Display the WordPress admin or editor username
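    A way to check the point made in the last few replies, as an added example that is not from this thread or from the BPS plugin: a WP-CLI script (`wp eval-file admin-author-audit.php`) that lists every Administrator account and reports whether it has published posts, which is what makes its `user_nicename` slug appear publicly at `/author/{slug}/`. The script name and the report format are assumptions; the WordPress functions used are core.

```php
<?php
/**
 * admin-author-audit.php (example, hypothetical file name). Lists which
 * Administrator accounts are disclosed through public author URLs.
 */
function audit_admin_author_exposure() {
    $report = [];
    foreach (get_users(['role' => 'administrator']) as $user) {
        // Author archives are built from user_nicename, not user_login,
        // but WordPress derives the nicename from the login by default.
        $published = (int) count_user_posts($user->ID, 'post', true);
        $report[] = [
            'login'         => $user->user_login,
            'slug'          => $user->user_nicename,
            'author_url'    => get_author_posts_url($user->ID),
            'published'     => $published,
            // An admin with published posts has a live author archive.
            'exposed'       => $published > 0,
            // Slug equal to the login means the archive URL reveals the login name itself.
            'slug_is_login' => strtolower($user->user_nicename) === strtolower($user->user_login),
        ];
    }
    return $report;
}

foreach (audit_admin_author_exposure() as $row) {
    printf(
        "%-20s slug=%-20s posts=%-3d exposed=%-3s slug_is_login=%s\n",
        $row['login'],
        $row['slug'],
        $row['published'],
        $row['exposed'] ? 'yes' : 'no',
        $row['slug_is_login'] ? 'yes' : 'no'
    );
}
```

    Any Administrator reported as exposed is a candidate for the split suggested above: keep it (or a new account) for logging in only, and publish under a separate Author-level account.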

    mco5044

    (@mco5044)

    That is another author account haha but point taken. I appreciate all of your advice and will implement your suggestions.

  • The topic ‘Locked Out’ is closed to new replies.