Support » Plugin: Wordfence Security - Firewall & Malware Scan » Locked out from website

  • Resolved Shah Ahmad Yusof

    (@shahahmadyusof)


    Hi,

    I have a situation where I have a lot of IP logging into my website. Currently, there have been hundreds of IPs that failed to log in and were blocked. But what really scared me was when some of these IPs managed to log in using my ID according to WordFence Live Traffic and they were from other countries. Please see this picture (A).

    From the beginning, I only used randomly generated passwords for all my websites which are more than 12 alphanumerics including symbols, uppercase, and lowercase letters as well as numbers. I also use 2-factor authentication by Wordfence. In addition, I also never use a username like “Admin”.

    I also never use any nulled themes or plugins. All themes and plugins have been downloaded and installed directly from the official WordPress repository.

    From time to time, over the past 1 week, I have been frequently blocked by Wordfence from logging into my website. Please see this picture (B). And once logged in, I look at the Wordfence logs in Live Traffic and realize that the IP being blocked from logging in is another IP from another country and not my IP. But I just don’t get why I also received a notification like picture (B).

    For additional information, I use:

    • Webhosting: DigitalOcean.
    • Webserver: OpenLiteSpeed v1.7.13 (latest).
    • PHP: v8.0.8.
    • WordPress: 5.8 (latest).
    • Theme: Hitmag v1.2.9 (latest).
    • Child theme: This is just to change some strings that are not automatically translated. No other coding.
    • Plug-ins:
    • Advanced Ads v1.27.0 (latest).
    • Duplicator v1.4.2 (latest).
    • LiteSpeed Cache v4.3 (latest).
    • Mashshare Share Buttons v3.8.0 (latest).
    • OneSignal Push Notifications v2.2.2 (latest).
    • Redirection v5.1.3 (latest).
    • Simple Author Box v2.42 (latest).
    • Site Kit by Google v1.39.0 (latest).
    • Wordfence Security v7.5.5 (latest).
    • Yoast SEO v17.0 (latest).

    What I’ve tried to do:

    • Scanning my devices for malware using Malwarebytes, Spybot S&D and Eset NOD32 (nothing found).
    • Restarting my devices, server and services.
    • Scanning using WordFence at least 15 times (nothing found).
    • Scanning my websites for malware using third parties such as VirusTotal, etc. (nothing found).
    • Clearing cache from my devices and server.

    My question is, has my website been hacked? Because at this point I didn’t find anything weird on my site other than what I found in pictures (A) and (B) only. Please advise what I can do in this situation. Thanks in advance.

    Best regards,

    Shah

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @shahahmadyusof and thanks for reaching out to us!

    Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    I want to make sure everything looks good in your diagnostic before I speculate anything. This will let me see your IP and the potential attacker’s IPs as well in private.

    Thanks again!

    Thread Starter Shah Ahmad Yusof

    (@shahahmadyusof)

    Hi @wfadam ,

    Unfortunately, I can’t send diagnostic reports through the WordFence plugin. I have tried setting up PHP mail before but it doesn’t work. Is there any other way for me to send it?

    Best regards,

    Shah

    Plugin Support WFAdam

    (@wfadam)

    Sure thing! Hit the Export button on the Diagnostic page and then attach it in an email to wftest @ wordfence . com with the subject “shahahmadyusof for WFADAM”.

    Let me know here when you have sent it.

    Thread Starter Shah Ahmad Yusof

    (@shahahmadyusof)

    Thank you for your reply. I have sent the diagnostic file as you requested.

    Thread Starter Shah Ahmad Yusof

    (@shahahmadyusof)

    Hi @wfadam

    Just checking up. Did you receive the email and attachment I sent before? Is there an update on this issue?

    Plugin Support WFAdam

    (@wfadam)

    Sorry for the delay @shahahmadyusof ! Also thanks for sending that information!

    It looks like your IP Detection might be incorrect which is causing the site to see every IP as the same IP, which would explain why you see successful login attempts from a location that is not yours. They are most likely you logging in but the site doesn’t recognize it correctly.

    I see you’re using Cloudflare, so what we can do is navigate to Wordfence > All Options > General Wordfence Options, then select “Use the Cloudflare "CF-Connecting-IP" HTTP header to get a visitor IP. Only use if you're using Cloudflare.”

    This should correct the issue you’re seeing. A good way to test would be to change this option, then purposely attempt a bad login, so the Live Traffic logs it, then make sure it’s your IP that it logged.

    Let me know if this helps!

    Thanks again!
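
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Wordfence's code: counting failed logins by socket peer blocks the shared proxy address, while reading `CF-Connecting-IP` only from a trusted proxy attributes them to the real visitor. The proxy range, the events and the threshold are constructed placeholders; a real deployment would load the proxy's published ranges.

```python
import ipaddress
from collections import Counter

# Placeholder for the proxy's published ranges (documentation network, constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

def is_trusted_proxy(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def peer_only(remote_addr, headers):
    """Misconfigured detection: every proxied visitor looks like the proxy."""
    return remote_addr

def client_ip(remote_addr, headers):
    """Use CF-Connecting-IP only when the socket peer is a trusted proxy."""
    forwarded = headers.get("CF-Connecting-IP", "").strip()
    if forwarded and is_trusted_proxy(remote_addr):
        try:
            return str(ipaddress.ip_address(forwarded))
        except ValueError:
            pass  # malformed header: fall back to the socket peer
    # Direct connection: the header is client-supplied, so it is ignored.
    return remote_addr

# Constructed login events: (socket peer, request headers, login succeeded)
EVENTS = [
    ("203.0.113.10", {"CF-Connecting-IP": "198.51.100.7"}, True),   # site owner
    ("203.0.113.10", {"CF-Connecting-IP": "192.0.2.44"}, False),    # guessing
    ("203.0.113.10", {"CF-Connecting-IP": "192.0.2.44"}, False),
    ("203.0.113.11", {"CF-Connecting-IP": "192.0.2.45"}, False),
    ("192.0.2.99", {"CF-Connecting-IP": "198.51.100.7"}, False),    # direct hit, forged header
]

def failures_by_ip(events, resolver):
    counts = Counter()
    for peer, headers, ok in events:
        if not ok:
            counts[resolver(peer, headers)] += 1
    return counts

def blocked(events, resolver, threshold=2):
    """Addresses that reach the (assumed) failed-login threshold."""
    return {ip for ip, n in failures_by_ip(events, resolver).items() if n >= threshold}

if __name__ == "__main__":
    print("peer only:", blocked(EVENTS, peer_only))   # the proxy the owner also uses
    print("header   :", blocked(EVENTS, client_ip))   # the visitor that failed twice
```

The last event shows why the option is meant only for sites behind Cloudflare: a request that does not arrive through the proxy can set the header to any value, so it is honoured only when the peer is in the trusted range.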

    Thread Starter Shah Ahmad Yusof

    (@shahahmadyusof)

    Hi @wfadam. Thanks for your reply. And thank you for the solution you suggested.

    I have been trying this solution for a day and it seems to have fixed my problem. All of my websites are still blocking a lot of malicious IPs, yet it no longer blocks me from logging into any of my websites.

    Thanks again for your assistance. Please mark this ticket as resolved.

    Plugin Support WFAdam

    (@wfadam)

    Great news! Glad we could work together on this!

    Always feel free to reach out for assistance!
