• Resolved doolyo

    (@doolyo)


    I am facing a strange issue:

    When I go to “WP Security / User Login / Logged In users tab”, I can see two logged in admin IP addresses.
    They are both using the same and only wordpress admin user.

    The first IP address is mine, but the second one is the server IP address itself.
    When I force log out the server’s IP address login, it logs in automatically again after about 1 hour maximum. Then it remains always logged in.

    Nobody other than me has an admin account, and also I changed all FTP and login passwords to make sure I am the only one having access.

    Did you already see something like this and how could the server log in as admin?
    It seems quite scary to me that this can happen.

    Thank you for any help on that.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support vupdraft

    (@vupdraft)

    Hi,

    Is Admin your username? If it is, we would recommend you change this and stop users from using “Admin”. To do this go to Dashboard>>Critical Feature Status and activate Admin Username.

    You may also consider blocking the username “Admin” (only after you have changed your username). To do this go to User Login>>Login Lockdown, enter the “Admin” username and ensure the “Instantly Lockout Invalid Usernames” is checked.

    Thread Starter doolyo

    (@doolyo)

    Hello.
    No, I have already changed the admin user name since the installation of AIOWPS, so this is not the issue.

    Yes, “critical feature status” is turned on already for Admin username.
    Also I have made the “instantly lockout” the Admin user, and done everything you suggest, but this issue still remains: the hosting server logs in automatically as the only wordpress admin user of the site, with the same user ID 1, and I see my IP address and this one.

    Also I have installed “User login history” plugin, and this server’s IP address is not logged in there.

    What can I do?
    Is there a simple way to get the same users list and disable AIOWPS, to check if this is due to a hack of a page in AIOWPS?

    Plugin Support vupdraft

    (@vupdraft)

    Can you try clearing your cache/browser history and hitting the “Refresh Data” button. Do you still see two admins logged in?
    You can try another plugin like WP Activity log but my guess would be that it’s not going to show anything.

    Thread Starter doolyo

    (@doolyo)

    Thank you for your support.

    I continued to try to figure out where the problem was coming from.
    In the end I found out that this is due to the WPML language translation plugin. It seems to have an internal cron outside of the WP-Cron, because it happens even if this one is disabled.
    This happens every hour precisely, and this is the Apache log line that I think is causing the issue:

    my-site.com - 120.120.120.120 - - [25/Oct/2021:10:41:19 +0100] "GET /en/wp-json/ HTTP/1.1" 200 13652 "https://my-site.com/en/wp-json/" "WordPress/5.8.1; https://my-site.com/en/"

    Where the IP address 120.120.120.120 is a replacement for the real server IP address.
    When this is called, then a new admin login with User ID 1 and same admin name as the only one of wordpress is made.

    So when I disable the WPML plugin (all components), this login doesn’t come in anymore at all even at scheduled time, and also when WP-Cron is enabled.
    Now I know it is safe to keep this second logged in admin login.

    I would recommend to try analyzing why it creates a login, if it is really a login, or why your plugin detects this as a login.
    Then, either remove this login entry or fix the wrong detection. Or else leave the detection if it can help determining a potential security breach, but also let some info on the right of the login line like “WordPress call” or something like that, based on the referrer that we see as being WordPress in the log.

    I hope this helps.
    Thanks for your great plugin.
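
An added example, not part of the thread or of either plugin's code: a triage script for the log pattern described in the post above. It parses access-log lines in the layout of the quoted line, separates requests carrying a `WordPress/` User-Agent (the default of WordPress's own HTTP API) that come from the server's address from those that do not, and measures the spacing between hits. The sample lines are constructed, and `parse_line`, `classify` and `intervals_minutes` are hypothetical helper names.

```python
import re
from datetime import datetime

# Layout of the quoted line:
# vhost - client_ip - - [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) - (?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify(lines, server_ip):
    """Split requests carrying a WordPress/ User-Agent by source address.

    The User-Agent is client-controlled, so it proves nothing alone; only
    a source address equal to the server's own marks a loopback request.
    """
    loopback, external = [], []
    for rec in filter(None, map(parse_line, lines)):
        if rec["ua"].startswith("WordPress/"):
            (loopback if rec["ip"] == server_ip else external).append(rec)
    return loopback, external

def intervals_minutes(records):
    """Minutes between consecutive hits, to expose a scheduled cadence."""
    times = sorted(r["ts"] for r in records)
    return [round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])]

# Constructed sample; 120.120.120.120 is the thread's stand-in server address.
WP = '200 13652 "https://my-site.com/en/wp-json/" "WordPress/5.8.1; https://my-site.com/en/"'
SAMPLE = [
    f'my-site.com - 120.120.120.120 - - [25/Oct/2021:10:41:19 +0100] "GET /en/wp-json/ HTTP/1.1" {WP}',
    f'my-site.com - 120.120.120.120 - - [25/Oct/2021:11:41:19 +0100] "GET /en/wp-json/ HTTP/1.1" {WP}',
    f'my-site.com - 120.120.120.120 - - [25/Oct/2021:12:41:20 +0100] "GET /en/wp-json/ HTTP/1.1" {WP}',
    f'my-site.com - 198.51.100.9 - - [25/Oct/2021:11:02:03 +0100] "GET /en/wp-json/ HTTP/1.1" {WP}',
    'my-site.com - 203.0.113.7 - - [25/Oct/2021:11:05:00 +0100] "GET /en/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    loopback, external = classify(SAMPLE, "120.120.120.120")
    print("loopback hits:", len(loopback), "spacing (min):", intervals_minutes(loopback))
    print("WordPress UA from other addresses:", [r["ip"] for r in external])
```

Hits in the second list deserve a closer look than the first, since any client can send that User-Agent string.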

    Plugin Support vupdraft

    (@vupdraft)

    Hi,

    Thanks for letting us know, that’s very interesting!

    Thread Starter doolyo

    (@doolyo)

    You are welcome.

    I hope you can come up with some sort of flagging of this kind of login lines as “WordPress job” maybe. It would help the user understand what is going on and would be a nice feature.

    Kind regards

    Plugin Support vupdraft

    (@vupdraft)

    Thank you, I have logged all of the information you have provided for our development team to review.

    Thread Starter doolyo

    (@doolyo)

    Thank you very much. That is real professional work, I like that!

    Thanks again for your great security plugin!

  • The topic ‘Two logged in admin IP addresses’ is closed to new replies.