• tazling

    (@tazling)


    This is a naive question, because I haven’t manually configured a WP installation for many years. I am a partner in an online newsmagazine built on WordPress. Our site has been up for years with no problems. However, just in the last month or so, we are having issues with “Denied for Too Many Attempts” messages when trying to log in to post new content. There are two primary author/admins and neither of us can log in any more.

The site is hosted by GoDaddy. We can still get into it by logging in through GoDaddy using the senior admin’s credentials, and our site does not appear to be compromised (whew). But logging in via wp-admin is now permanently broken.

    We are using a plugin to limit login attempts. I have tried to whitelist my individual username and IP address to regain access, but so far no success. I am afraid to turn it off (see below) although it’s tempting to disable and re-enable it in hope of resetting something.

    I was able to get at the stats/logs maintained by the plugin. I found them frankly rather unbelievable. According to its “failed login limit log” we have been experiencing over 1 million attempted logins per day, mostly from the US but quite a lot from Russia, China, etc.

    We are a tiny, obscure little home-town online newspaper for a remote rural community in the back of beyond, BC. Why anyone would be DOSing us is beyond me, especially with such international scope.

So my questions are many, at this point, but the primary ones are:

    Do these ridiculously large numbers mean that our login attempt limit plugin is broken, its database compromised, etc? Or is this kind of 24×7 DOSing or attempted hacking just normal these days?

    Is there any way to recover normal login access given what looks like a nonstop storm of attacks on our wp-admin login page?

    Is there any way, via GoDaddy, for me to get access to the backend tables to try to reset the “failed login count” for my username? Or given the level of attack going on, is this just hopeless because in the seconds it takes me to reset this counter and try my login again, there will be another N attacks and I’ll be locked out again?

    I should perhaps note that I “fixed” this problem a couple of weeks ago by upgrading PHP to the latest version. We were normal for a few days after that. I have no idea why. Could be coincidence.

    I’m hopelessly out of date on WP — last time I manually crafted an installation was in the early 2000’s. I also came in late to this one and don’t know its full history. But I’m the most technically qualified person working on the project so I’m trying to figure this out. Advice will be very gratefully received!

    • This topic was modified 2 years ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not an Everything else WordPress topic
Viewing 5 replies - 1 through 5 (of 5 total)
  • nunomorgadinho

    (@nunomorgadinho)

    Hi tazling,

    Sorry you are experiencing this. My recommendation is for you to get some kind of web firewall like Cloudflare or Sucuri.

The advantage of a web firewall is that the malicious requests are blocked even before reaching your server, so you don’t have to load the entirety of WordPress for every single attempt any security plugin needs to evaluate. Secondly, you get the benefit of the machine learning that’s happening at scale when you use a dedicated solution that works in front of your site.

My personal favorite is Cloudflare for all the extras that they bring to the table.

    Hope this helps and feel free to get in contact if you want to “talk it over” with someone.

    Cheers,

    nunomorgadinho

    (@nunomorgadinho)

    Forgot to answer these:

    “Do these ridiculously large numbers mean that our login attempt limit plugin is broken, its database compromised, etc? Or is this kind of 24×7 DOSing or attempted hacking just normal these days?”

    It’s hard to say but it can happen.

    “Is there any way to recover normal login access given what looks like a nonstop storm of attacks on our wp-admin login page?”

    I would try and deactivate temporarily the plugin that is blocking the login. Is it wordfence?

    “Is there any way, via GoDaddy, for me to get access to the backend tables to try to reset the “failed login count” for my username? Or given the level of attack going on, is this just hopeless because in the seconds it takes me to reset this counter and try my login again, there will be another N attacks and I’ll be locked out again?”

    Probably the latter.
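The same idea as the web firewall above, blocking login attempts before WordPress is even loaded, can be done at the web server when the two admins come from fixed addresses. This is an added example, not configuration from the thread or from any plugin mentioned in it; the addresses are placeholders, and it assumes an Apache 2.4 host that honours `.htaccess` in the WordPress root:

```apache
# Added example (not from the thread). Only the two admins' addresses may
# reach wp-login.php; everyone else gets a 403 from Apache itself, so the
# brute-force traffic never reaches PHP, WordPress or the lockout plugin.
# 203.0.113.10 and 198.51.100.0/24 are placeholder addresses.
<Files "wp-login.php">
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </RequireAny>
</Files>

# xmlrpc.php accepts password guesses too and is a common target for the
# same bots; deny it unless something on the site (e.g. Jetpack or the
# mobile app) actually needs it.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

Check the admins' current public addresses first, because a home connection with a dynamic IP will lock you out of wp-login.php the next time it changes; on a shared host confirm that `.htaccess` is honoured and writable, since the thread mentions parts of the tree being write-protected.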

    Cory Marsh

    (@bitslip6)

    Hi @tazling, Sorry to hear you are dealing with this issue. I have a few suggestions.

1: you mentioned you are using wordfence? First make sure you have a strong password on the account(s) in question. Next disable the login rate limiter in wordfence. This should allow you to log in. Then, enable multi factor authentication (2FA) for your admin accounts. 2FA should keep your accounts secure without the need to rate limit login attempts.

2: There is a new security plugin (BitFire) which will show you any installed plugins that have known security issues. It takes just a second to check and you can find out if you have any known security issues on your site. It is available in the WordPress plugin directory.

    3: Run a malware scan. BitFire includes an extremely fast malware scanner. Or if you have the time, you can use the WordFence malware scanner to check your site for any file modifications.

    4: If you use BitFire you can enable the automated bot blocking (toggle the “full browser required” option in the settings page) to send JavaScript challenge that will prevent bots from accessing your site at all. BitFire also includes SMS based multi factor authentication to secure your admin accounts.

    Let me know if you have any questions or I can help you in any way. If you currently have a paid security plugin (like WordFence premium) I can offer you a discount code for a BitFire PRO license pro-rated for your current licence term. BitFire has file locking which prevents php file modifications by hackers and has a full money back guarantee if your site is ever compromised. Email me at cory at bitslip6 .com

    Kind regards,
    Cory

    • This reply was modified 2 years ago by Cory Marsh.
    Thread Starter tazling

    (@tazling)

    Very helpful thanks. How much does BitFire PRO license cost? I don’t see any prices on its web page.

    Thread Starter tazling

    (@tazling)

    I want to thank everyone who gave some advice.

    Currently in the process of bailing on GoDaddy, gonna give Stablepoint a try (so far they are very responsive). Have done some cleaning up, installed Wordfence. Still suffering from lockout but pretty sure this is due to limit login retries reloaded, which GoDaddy installs in a write-protected dir tree so I can’t disable it (grrr). Looking forward to a new hosting relationship.

    Many thanks everyone! very nice friendly helpful community.

  • The topic ‘Getting repeatedly locked out of WP site’ is closed to new replies.