@yaron Guez
Chris left iThemes in Feb this year to pursue other opportunities …
Are you using 2FA (Two Factor Authentication) from another plugin, or are you using the iTSec Pro plugin with the Pro 2FA feature enabled?
The lockout_user field filled in, in the wp_itsec_lockouts table, definitely points to a user lockout. When the lockout occurs you will probably see the user lockout message:
You have been locked out due to too many invalid login attempts.
dwinden
@dwinden,
I’m not familiar with the iTSec Pro plugin. We’re using this standard Google Authenticator plugin:
https://wordpress.org/plugins/google-authenticator/
Any idea why a user would be locked out after only one attempt and how we can prevent this from happening?
Sounds like the username could be getting locked out.
If you go to
Security -> Logs
then do
select filter: “Invalid Login Attempts”
Check for your Username and IP.
How many attempts do you see from each? Where are they coming from?
Normally when this happens to me it's because the site is under brute force attack.
Never have the user name ‘admin’, all hackers know the default WordPress user name; iThemes Security has an option to change it for you.
If nobody knows your login name, and nobody can guess it, they can’t brute force attack your login.
So, don’t display the user name anywhere on the site. In the Profile page (/wp-admin/profile.php or /wp-admin/network/profile.php), for Each user, set the Nickname and set “Display name publicly” as the nickname.
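The log check described above (filter on "Invalid Login Attempts", then count per username and per source IP) can be scripted. The following is an added example, not code from the iThemes Security plugin; the log rows are constructed, and the thresholds (10 per user, as stated in this thread, and an assumed 5 per host inside a 5-minute window) are assumptions. It illustrates how a per-username threshold trips when attempts are spread over many IPs, so each IP shows only one attempt while the username still reaches the limit.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample "Invalid Login Attempts" rows (timestamp, username, source IP).
# Hypothetical data only, shaped like what the Security -> Logs filter shows.
SAMPLE_LOG = [
    ("2016-05-02 10:00:01", "admin", "198.51.100.7"),
    ("2016-05-02 10:00:09", "admin", "198.51.100.7"),
    ("2016-05-02 10:00:15", "admin", "198.51.100.7"),
    ("2016-05-02 10:05:00", "editor", "192.0.2.44"),
] + [
    # ten attempts against one username, each from a different address
    ("2016-05-02 10:10:%02d" % (5 * i), "jsmith", "203.0.113.%d" % (10 + i))
    for i in range(10)
]


def parse_log(rows):
    """Turn (timestamp, user, ip) tuples into dicts with real datetimes."""
    return [{"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), "user": u, "ip": ip}
            for t, u, ip in rows]


def max_in_window(times, window):
    """Largest number of attempts that fall inside any span of length `window`."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def summarize(entries, user_threshold=10, host_threshold=5,
              window=timedelta(minutes=5)):
    """Per-username report plus the list of IPs that would hit the host limit.

    user_threshold follows the "10" quoted in the thread; host_threshold and
    window are assumed values, not the plugin's defaults.
    """
    by_user = defaultdict(list)
    by_ip = defaultdict(list)
    for e in entries:
        by_user[e["user"]].append(e)
        by_ip[e["ip"]].append(e)

    report = {}
    for user, es in by_user.items():
        ips = Counter(e["ip"] for e in es)
        report[user] = {
            "attempts": len(es),
            "distinct_ips": len(ips),
            "max_from_one_ip": max(ips.values()),
            # a username lockout counts every source address together
            "user_lockout": max_in_window([e["time"] for e in es], window)
                            >= user_threshold,
        }

    per_host = {ip: max_in_window([e["time"] for e in es], window)
                for ip, es in by_ip.items()}
    locked_hosts = sorted(ip for ip, n in per_host.items() if n >= host_threshold)
    return report, locked_hosts


if __name__ == "__main__":
    report, hosts = summarize(parse_log(SAMPLE_LOG))
    for user, info in sorted(report.items()):
        print(user, info)
    print("hosts over limit:", hosts)
```

Run it and the "jsmith" row shows 10 attempts, 10 distinct IPs, at most 1 attempt per IP, and user_lockout True, while no single host reaches its own limit. That is the pattern to look for when a username is "locked after one attempt": one attempt per address, many addresses.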
@lernerconsulting
Good advice! To add to it:
http://www.example.com/?author=1 <- adding ?author=1 can be used to find the user name. While it shows the nick name on the page, the actual username is shown in the URL.
To prevent hackers from exploiting this I strongly recommend adding this to your .htaccess file:
# Stop WordPress username enumeration via /?author=N
# Needs mod_rewrite; WordPress normally already turns it on, but the rule is harmless to repeat
RewriteEngine On
# Only match requests for the site root ...
RewriteCond %{REQUEST_URI} ^/$
# ... whose query string starts with author=<digits>
RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
# Send them to the home page; the trailing ? drops the query string from the redirect
RewriteRule ^(.*)$ http://yourdomainhere.com/? [L,R=301]
*Update: I’ve dropped a line to the folks at wordpress about the username showing in the URL and not the nick/display name.
supawiz6991: I have every user displaying the nickname, and my ?author=1 does redirect to the nickname, not the login name. And, I’m going to add your .htaccess code; nobody should ever ask by author id (clicking the Author link on a post will still work, it has the nickname in the URL).
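To check whether a site actually leaks login names through ?author=N, and whether a rule like the .htaccess above closes it, here is an added example that is not part of this thread or of WordPress. It runs a tiny local stand-in for WordPress in two modes: "vulnerable", where /?author=N answers with a 301 to /author/<login name>/ as the post above describes, and "hardened", where the same request is bounced to the site root the way the rewrite rule does. The probe sends the request without following the redirect and reads the name out of the Location header. The user table, hostnames and ports are all constructed; point probe_author at a real host only on a site you are authorised to test.

```python
import re
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed, hypothetical user table for the stand-in site.
FAKE_USERS = {1: "admin", 2: "jsmith"}


def make_handler(hardened):
    """Build a request handler emulating the ?author=N behaviour.

    hardened=False: 301 to /author/<login name>/  (the leak described above)
    hardened=True:  301 to / with no query string (what the .htaccess rule does)
    """
    class WPStub(BaseHTTPRequestHandler):
        def do_GET(self):
            url = urlparse(self.path)
            qs = parse_qs(url.query)
            if url.path == "/" and "author" in qs:
                if hardened:
                    self._redirect("/")
                    return
                uid = qs["author"][0]
                if uid.isdigit() and int(uid) in FAKE_USERS:
                    self._redirect("/author/%s/" % FAKE_USERS[int(uid)])
                    return
            self.send_response(200)
            self.send_header("Content-Length", "2")
            self.end_headers()
            self.wfile.write(b"ok")

        def _redirect(self, location):
            self.send_response(301)
            self.send_header("Location", location)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    return WPStub


def start_stub(hardened):
    """Start the stand-in on a free loopback port; returns (server, host, port)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(hardened))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    return server, host, port


# Author archive URL with or without scheme/host: /author/<slug>/
AUTHOR_SLUG = re.compile(r"^(?:https?://[^/]+)?/author/([^/]+)/?$")


def probe_author(host, port, uid):
    """GET /?author=<uid> without following redirects.

    Returns the login name exposed in the Location header, or None.
    """
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/?author=%d" % uid)
        resp = conn.getresponse()
        resp.read()
        if resp.status in (301, 302):
            m = AUTHOR_SLUG.match(resp.getheader("Location") or "")
            if m:
                return m.group(1)
        return None
    finally:
        conn.close()


def enumerate_users(host, port, max_id=5):
    """Walk author IDs 1..max_id the way an attacker's script would."""
    found = {}
    for uid in range(1, max_id + 1):
        name = probe_author(host, port, uid)
        if name:
            found[uid] = name
    return found


def demo(hardened):
    """Run the enumeration against the stand-in in the given mode."""
    server, host, port = start_stub(hardened)
    try:
        return enumerate_users(host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable:", demo(False))
    print("hardened:  ", demo(True))
```

Against the vulnerable stand-in the enumeration returns both login names; against the hardened one it returns nothing, because the redirect target no longer carries the author slug. Note that the rewrite rule only matches requests for the site root, so the probe here only exercises that path.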
@supawiz6991, the username is getting locked out, but only after 1 attempt instead of the 10 that it’s set to.
We don’t use username of admin on any site.
We also don’t display username on the site anywhere.
Any other ideas?