Support » Plugin: iThemes Security (formerly Better WP Security) » Nonstop Site Lockout Notifications – How do I turn off this email?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Danny Santoro

    (@danielsantoro)

    Automattic Happiness Engineer

    Nevermind – the ignore box wasn’t staying checked, so I disabled a caching plugin, unchecked, and re-enabled… It should be fixed, I’ll come back if not. In the last hour I’ve gotten 110+ lockouts, so fingers crossed. 🙂

    @danielsantoro

    Ah despite the fact that the issue seems to be resolved still some piece of advise.

    I noticed the notification email reports a host as well as a user lockout (admin).

    So the lockout notification emails are probably the result of invalid attempts to login with the admin account.

    The iTSec plugin includes a feature (part of the Brute Force Protection feature) that immediately bans hosts trying to login using the admin account.

    So it looks like this feature is not activated or is not properly configured in your env.

    Goto the iTSec plugin Settings page and make sure the following settings are all enabled:

    Global Settings
    Write to Files [x] Allow iThemes Security to write to wp-config.php and .htaccess.
    Blacklist Repeat Offender [x] Enable Blacklist Repeat Offender

    Banned Users
    Ban Users [x] Enable ban users

    Brute Force Protection
    Enable local brute force protection [x] Enable local brute force protection.

    Automatically ban “admin” user [x] Immediately ban a host that attempts to login using the “admin” username.

    Monitor the situation after making sure the above settings are enabled.

    dwinden

    Danny Santoro

    (@danielsantoro)

    Automattic Happiness Engineer

    Hi there,

    I appreciate the response! Those settings were enabled – it looks like each of them is coming from different host IPs. Bots must just smell me out. 🙂

    Still the notification email (as linked in your first post) indicates a temporary host and user lockout…

    If the Automatically ban “admin” user setting is configured\working properly the notification email does not contain a temp host lockout …

    The host is banned permanently so there should be no temp host lockout in the email.

    Make sure you have (ban) entries like this in your .htaccess file:

    # Ban Hosts – Security > Settings > Banned Users
    SetEnvIF REMOTE_ADDR “^11\.111\.11\.1$” DenyAccess
    SetEnvIF X-FORWARDED-FOR “^11\.111\.11\.1$” DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP “^11\.111\.11\.1$” DenyAccess

    <IfModule mod_authz_core.c>
    <RequireAll>
    Require all granted
    Require not env DenyAccess
    Require not ip 11.111.11.1
    </RequireAll>
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Deny from env=DenyAccess
    Deny from 11.111.11.1
    </IfModule>

    dwinden

    Never mind, it turns out the Automatically ban “admin” user setting works differently than I first thought.

    I always thought hosts that do an invalid login attempt using the admin username were automatically and permanently banned (like added to the Banned Users list). So 1 invalid admin login attempt and wham the host is banned for life.

    After looking at the code I now see that such hosts are automatically and temporarily locked out. And after 3 of such attempts (within 7 days) the host is finally banned (added to the Banned Users list).

    So I guess the setting should be named ‘Automatically lockout “admin” user’. My apologies for the confusion.

    Still a little bit weird. Makes more sense to ban immediately.
    Now any host is allowed 3 login attempts using the (non existant) admin username …

    dwinden

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Nonstop Site Lockout Notifications – How do I turn off this email?’ is closed to new replies.