What can do to more secure for “Site lockout notification”?
-
Hi, I got 90 site lockout notification messages since the morning. What do I need to do here and what further actions should I take?
Image reference: https://ibb.co/2hpnN3Z
Thanks and regards,
-
Hi @panatapattu,
Thanks for reaching out to us.
The site lockout notification emails can definitely be overwhelming, especially when your site is undergoing a Brute Force Attack!
I do have an easy solution for you:
- Go to WordPress Dashboard > Security > Settings > Notifications
- Go to Security Digest, and make sure the “Enabled” box is checked.
- Go to Site Lockouts and uncheck the “Enabled” box.
- Click “Save Settings”
This will send you one daily digest instead of sending individual emails.
Please let me know if this helps.
Best regards,
Shalom
Hello, having the same problem. Is there a way to increase the level of security instead of only changing the notifications?
I also read in the older topic but my “Local Brute Force entries” are empty so I do not know what to change: https://www.ads-software.com/support/topic/getting-lot-of-site-lockout-notification/
I receive daily “Site Lockout Notifications” but when I filter for “Local Brute Force”, I have the result “No events.”
Hi @wpzugang,
Click on the Screen Options button in the upper right corner of the (Logs) screen. Then under View Mode make sure All Events is selected. If not, select it and click on the Apply button. Then retry.
+++++ To prevent any confusion, I’m not iThemes +++++
Cleared a duplicate post.
- This reply was modified 1 year, 7 months ago by nlpro.
Thanks, now I can see all Brute Forces. Crazy, already more than 500 within 3 days!
What can I do to stop this, to make my site safer?
Thanks for your response. Can we do some precautionary actions to prevent these kind?
Thanks
Hi @wpzugang,
Click on the View Details link of some displayed entries and check the value(s) for the URL/Login Source fields.
This will tell you which brute force method(s) is(are) being used to attack your site.
Once you know which brute force methods are being used, you can take the appropriate steps to stop them.
Hi @nlpro, type says notice, partly several attacks from the same IP. What can I do with that information?
id => 790
module => brute_force
type => notice
code => invalid-login::username-admin1
timestamp => 2023-04-02 16:20:00
init_timestamp => 2023-04-02 16:20:00
remote_ip => 51.144.238.41
user_id => [empty string]
url => https://[...removed...]/wp-login.php
memory_current => 9634192
memory_peak => 9821832
data => Array
details => Array
source => wp-login.php
authentication_types => Array
0 => username_and_password
user => Object WP_Error
errors => Array
invalid_username => Array
0 => Error: The username admin1 is not registered on this site. If you are unsure of your username, try your email address instead.
error_data => Array()
username => admin1
user_id => [integer] 0
SERVER => Array
Hi @wpzugang,
Ok, so the detail data tells us that the brute force attacks are done through the wp-login.php file which is the regular WordPress login screen. (There are also other possible brute force attack vectors like xmlrpc.php).
Anyway, to protect your WordPress login page you can choose to hide the WordPress login screen by enabling the iTSec plugin Hide Backend feature (if possible for the site).
You can find the Hide Backend feature by navigating to:
Security > Settings > Advanced > HIDE BACKEND
For more info about this feature read this iThemes help article.
- This reply was modified 1 year, 7 months ago by nlpro.
Thank you @nlpro for your help. I have changed my login url and will check if I still have these brute force attacks.
Looks like the login attempts have stopped. No more brute force attacks within the last 24 hours. Great plugin!
Hi @wpzugang, we’re happy to know that the brute force attacks have stopped within the last day after enabling iTSec’s Hide Backend. I’ll mark this post resolved. Feel free to open a new support topic if you still need some assistance, and we’d be happy to assist. Thank you!
Hello, sorry to come back to you again. I just noticed that the brute forces have begun again. I already had more than 2000 brute forces just within the last days.
Do you have another suggestion how to stop this? I already increased the minutes to remember bad logins to 30 but they always change their IP address.
Hi @wpzugang,
It’s always possible for the attackers to switch to a different brute force method. So just repeat what we did before, check the details in the Logs page. As soon as we know which brute force method is used this time we can take the right step(s) to stop them.
Oh yes, sorry. I have changed the login url again yesterday but the brute forces continue. Here is an example of one of the network brute forces:
id => 2703
module => ipcheck
type => notice
code => failed-login-by-blocked-ip
timestamp => 2023-04-15 15:01:21
init_timestamp => 2023-04-15 15:01:21
remote_ip => 5.188.62.140
user_id => [empty string]
url => https://bluwingmedia.com/xmlrpc.php
memory_current => 10279984
memory_peak => 10298824
data => Array
details => Array
source => xmlrpc
authentication_types => Array
0 => username_and_passwo
And here one of the brute forces
id => 2702
module => brute_force
type => notice
code => invalid-login::user-3
timestamp => 2023-04-15 15:01:21
init_timestamp => 2023-04-15 15:01:21
remote_ip => 5.188.62.140
user_id => [empty string]
url => https://bluwingmedia.com/xmlrpc.php
memory_current => 10257032
memory_peak => 10270376
data => Array
details => Array
source => xmlrpc
authentication_types => Array
0 => username_and_password
user => Object WP_Error
errors => Array
incorrect_password => Array
0 => Error: The password you entered for the username BluwingEditor is incorrect. Lost your password?
error_data => Array()
username => BluwingEditor
user_id => [integer] 3
SERVER => Array
HTTP_HOST => bluwingmedia.com
HTTP_X_REAL_IP => 5.188.62.140
HTTP_X_FORWARDED_FOR => 5.188.62.140
HTTP_CONNECTION => close
CONTENT_LENGTH => 212
HTTP_ACCEPT_ENCODING => gzip,deflate
CONTENT_TYPE => application/octet-stream
HTTP_USER_AGENT => Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
REQUEST_SCHEME => https
SCRIPT_FILENAME => /home/www/wordpress/xmlrpc.php
HTTP_AUTHORIZATION => [empty string]
HTTPS => on
SERVER_PROTOCOL => HTTP/1.0
REQUEST_METHOD => POST
REQUEST_TIME_FLOAT => [double] 1681570881.1754
REQUEST_TIME => [integer] 1681570881
Thank you for creating with WordPress. Version 6.2
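Added example, not part of any post in this thread and not code from the plugin: a small triage script for the "key => value" log details pasted above. It tallies attempts by login endpoint and source IP, and lists usernames that drew an incorrect_password error, i.e. accounts that exist on the site. The function names, the example.test host and the sample entries are assumptions constructed for illustration.

```python
import re
from collections import Counter

KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+) => ")

def parse_entry(text):
    """Parse one pasted log entry (one line or one field per line) into a dict."""
    flat = " ".join(text.split())
    marks = list(KEY_RE.finditer(flat))
    fields = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(flat)
        # Keys repeat inside nested arrays; keep the first (top-level) value.
        fields.setdefault(m.group(1), flat[m.end():end].strip())
    return fields

def vector(entry):
    """Name the login endpoint the attempt came through."""
    src, url = entry.get("source", ""), entry.get("url", "")
    if src == "xmlrpc" or url.endswith("/xmlrpc.php"):
        return "xmlrpc.php"
    if src == "wp-login.php" or url.endswith("/wp-login.php"):
        return "wp-login.php"
    return "other"

def summarize(raw_entries):
    parsed = [parse_entry(e) for e in raw_entries]
    # An incorrect_password error means the attacked username exists.
    valid = {p["username"] for p in parsed
             if "incorrect_password" in p and "username" in p}
    return {
        "by_vector": Counter(vector(p) for p in parsed),
        "by_ip": Counter(p.get("remote_ip", "?") for p in parsed),
        "valid_usernames": sorted(valid),
    }

# Constructed sample entries (documentation IP ranges, example.test host).
SAMPLES = [
    "id => 1 module => brute_force code => invalid-login::username-admin1 "
    "timestamp => 2023-04-02 16:20:00 remote_ip => 203.0.113.7 "
    "url => https://example.test/wp-login.php source => wp-login.php invalid_username => Array "
    "0 => Error: The username admin1 is not registered on this site. username => admin1",
    "id => 2\nmodule => ipcheck\ncode => failed-login-by-blocked-ip\n"
    "remote_ip => 198.51.100.9\nurl => https://example.test/xmlrpc.php\nsource => xmlrpc",
    "id => 3 module => brute_force code => invalid-login::user-3 remote_ip => 198.51.100.9 "
    "url => https://example.test/xmlrpc.php source => xmlrpc incorrect_password => Array "
    "0 => Error: The password you entered for the username editor1 is incorrect. username => editor1",
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

A summary dominated by xmlrpc.php, as in the second set of entries in this thread, means the attempts never touch the login page, so changing the login URL has no effect on them.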
- The topic ‘What can do to more secure for “Site lockout notification”?’ is closed to new replies.