Support » Plugin: iThemes Security (formerly Better WP Security) » Releasing Lockout when you’re Locked out

Viewing 5 replies - 1 through 5 (of 5 total)
  • @bchabot

    If it is a user lockout it will by default expire after 15 minutes.

    However if the brute force attack continues while hitting that same account it may get locked out again and again and again … thus making the temporary user lockout kind of permanent.

    So best thing to do is to prevent your account from being found.

    Don’t use accounts like admin or as present in the domain name of the site …
    Prevent user enumeration.

    Basically make your account(s) as strongly secured as your password.

    @bchabot, I had the same problem and Gerroald from iThemes support helped me resolve it.

    1 – FTP into your back end via your domain control panel.
    2 – Create a second IMAP/POP3 email account
    3 – Navigate to your plugins folder and rename the “WP Better Security” folder to “WP Better Security.bak”
    4 – Login in your site as normal and create a second admin account using your new IMAP/POP3 email credentials
    5 – Logout and rename your “WP Better Security.bak” folder back to “”WP Better Security”.
    6 – Log in with your new admin account and re-activate the IThemes security plugin.

    Are you using the banned IP’s section in the banned users section to ban the IP addresses of the hackers that are trying to breach your site and generating 404 and .php errors on your site?

    I have over 2,500 IP addresses banned and update it weekly.

    @bchabot I forgot to add that you should whitelist your IP addresses at home/work in the “Global Settings” section, that probably contributed to your problem. I had just changed broadband providers and forgot to whitelist my new IP address range that eventing and a hacker tried a brute force attack on my site that night and locked out my site on me.

    @markartisan. I found your contribution here very interesting but I am not sure if your advice would resolve my lock-out problem.

    After I found that the site was hacked, I changed the username and password through the ControlPanel Myphp and also removed the hackers credentials, but I am still not able to access the WP dashboard. The wp-admin page currently shows a link to upload. Please help. thanks

    Hey @s4emedia always happy to help 🙂

    Ok, two questions for you, do you have the login credentials to your domain, (you’ll find them in the welcome email from your ISP when you bought your domain) and when you look in your plugins folders, is the iThemes Security plugin activated?

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Releasing Lockout when you’re Locked out’ is closed to new replies.