• Resolved ma3ry

    (@ma3ry)


    Ever since I installed your plugin I have been getting locked out of my own website. I get the Error:

    ERROR: This user account has been locked until [date] due to too many failed login attempts. You can login again after the Lockout Time above has expired.

    I know how to get in using cPanel or FTP but this is very frustrating to have it keep happening when I get locked out on the first try every time.

    I have white listed my IP and allowed in .htaccess. How do I stop this from happening?

    https://www.ads-software.com/plugins/bulletproof-security/

Viewing 13 replies - 1 through 13 (of 13 total)
  • Plugin Author AITpro

    (@aitpro)

    Most likely the issue/problem:

    “…when I get locked out on the first try every time”

    How many failed login attempts are allowed before lockout occurs? Are you using more than 1 Login Security plugin/feature or membership plugin/feature?
    If 2 plugins or plugin features are doing the same or very similar thing then they will compete with each other if they are both calling/using the same WP functions. One will override the other or worse they will cancel each other out.

    Less likely the issue/problem:

    I have white listed my IP and allowed in .htaccess.

    What does this mean exactly? Are you using some additional BPS Bonus Custom Code that is IP based?

    Least likely cause of the issue/problem:
    Is your User Account/Author URL exposed on the frontend of your website?
    If someone is logging in with your user account then they know the name of that user account. The email address for each user account is associated with that user account and is stored in your WordPress Database.

    WordPress itself, Plugins and Themes can all display your user account name publicly on your website – typically with the the_author_link() function or other WordPress functions that display the author url and display your user account name publicly.

    Here are some Forum links for things that you can do about not exposing and protecting your author name/user account name.
    https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
    https://forum.ait-pro.com/forums/topic/user-account-locked/
    https://forum.ait-pro.com/forums/topic/revealing-the-admin-or-editor-user-name-and-not-knowing/
    https://forum.ait-pro.com/forums/topic/wordpress-author-enumeration-bot-probe-protection-author-id-user-id/

    Thread Starter ma3ry

    (@ma3ry)

    <<Are you using more than 1 Login Security plugin/feature >>
    No

    <<I have white listed my IP and allowed in .htaccess.
    What does this mean exactly? Are you using some additional BPS Bonus Custom Code that is IP based?>>

    No. I simply added my IP address to the .htaccess file via FTP.

    <<Is your User Account/Author URL exposed on the frontend of your website?>>

    I don’t know. The website is https://bowmanvillegolf.ca I don’t know how it would be exposed but perhaps you could share with me if it is.

    One thing that I have noticed is that when I go into PHPMyAdmin to change from Locked to Not Locked, I notice that the IP address and the hostname have been changed to one I do not recognize of 42.112.176.116 which is in Hanoi. I suspect that this is a hacker address but I don’t know how he is changing it on the BPS database.

    For now I have uninstalled. Would appreciate it if you have any further input though.

    Plugin Author AITpro

    (@aitpro)

    Ok you have your answer. The reason the IP address and hostname are not yours is because someone is attempting to login using your User account from another IP address / hostname.

    I checked your site and it took me 5 tries/guesses to guess the User account name: “bowmanville”. You never want to use anything obvious like this that can be guessed by using things about your site name, location, etc. A secure username would be something like this: B5TY6JNM9.

    Thread Starter ma3ry

    (@ma3ry)

    Thank you. That was not the username that they hacked in on but I did try to delete the username that they did use by creating a new user. Unfortunately I ended up having to rebuild the website on the username that I originally created for the sake of the database. Is there a way that I can hide or delete the usernames we are using?

    Plugin Author AITpro

    (@aitpro)

    To create a new Administrator account do these steps:
    Create a new Administrator User account.
    Log out of your site and log back in under that new Administrator account.
    Delete the old Administrator User account.
    You will see these prompts when you are deleting the “admin” user account.

    What should be done with posts owned by this user?
    Delete all posts.
    Attribute all posts to:

    You would choose the “Attribute all posts to:” Radio button and click on the drop down select option and then click on the new Administrator User account you just created. All of your posts will now be attributed to your new Administrator User account.

    Plugin Author AITpro

    (@aitpro)

    Did a copy and paste above from another forum topic and made some changes to it. See the steps again for the new amended instructions.

    Thread Starter ma3ry

    (@ma3ry)

    Many thanks! Going to give it a try. I really appreciate all your help!

    Plugin Author AITpro

    (@aitpro)

    Yep, no problem. What I recommend is that folks create an additional Administrator user account that is used just for logging into a website and that is NEVER used to create a post with. By doing that you know for sure that that Administrator user account will never be displayed on the frontside of your website anywhere by a theme or plugin. This also gives you a quick way to login to your website if your other Administrator user account gets locked out.
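
An audit for the recommendation above, added here as an example and not part of the original thread or of the plugin: it lists Administrator accounts and flags those that have authored published posts. The `wp_` table prefix, the in-memory SQLite stand-in for the site database, and all sample rows are assumptions constructed for the demonstration.

```python
import sqlite3

# Default WordPress schema names; the "wp_" prefix is an assumption (sites
# often change it, and the capabilities meta_key changes with it).
AUDIT_SQL = """
SELECT u.user_login, u.user_nicename, COUNT(p.ID) AS published_posts
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
                  AND m.meta_key = 'wp_capabilities'
                  AND m.meta_value LIKE '%"administrator"%'
LEFT JOIN wp_posts p ON p.post_author = u.ID
                    AND p.post_status = 'publish'
                    AND p.post_type = 'post'
GROUP BY u.ID, u.user_login, u.user_nicename
ORDER BY u.user_login
"""

def build_sample_db():
    """Constructed sample data, not taken from any real site."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_nicename TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER, post_status TEXT, post_type TEXT);
        INSERT INTO wp_users VALUES (1,'siteowner','siteowner'),
                                    (2,'k7Rq2LoginOnly','k7rq2loginonly'),
                                    (3,'guestwriter','guestwriter');
        INSERT INTO wp_usermeta VALUES
            (1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}'),
            (2,'wp_capabilities','a:1:{s:13:"administrator";b:1;}'),
            (3,'wp_capabilities','a:1:{s:6:"author";b:1;}');
        INSERT INTO wp_posts VALUES (10,1,'publish','post'),(11,1,'draft','post'),(12,3,'publish','post');
    """)
    return db

def audit_admin_exposure(db):
    """Return {login: details} per administrator; user_nicename is the author-URL slug."""
    report = {}
    for login, nicename, published in db.execute(AUDIT_SQL):
        report[login] = {
            "published": published,
            "exposed": published > 0,  # authored posts can show the account publicly
            "slug_is_login": nicename.lower() == login.lower(),
        }
    return report

if __name__ == "__main__":
    for login, row in audit_admin_exposure(build_sample_db()).items():
        print(login, row)
```

The query in `AUDIT_SQL` is plain SQL and can be pasted into phpMyAdmin on a site that uses the default prefix; an administrator row with zero published posts matches the login-only account described above.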

    Thread Starter ma3ry

    (@ma3ry)

    I have reinstalled after changing admin and all seems well except for my backupwordpress.2.6.2 plugin.

    BackUpWordPress has detected a problem. wp-cron.php is returning a 403 Forbidden response which could mean cron jobs aren’t getting fired properly. BackUpWordPress relies on wp-cron to run scheduled backups.

    Is there a way that I can bypass this situation?

    Thank you!

    Plugin Author AITpro

    (@aitpro)

    Thread Starter ma3ry

    (@ma3ry)

    Many thanks. That solved the problem!

    Thank you again!!!!

    Plugin Author AITpro

    (@aitpro)

    Great! Thanks for confirming that all is well in the WordPress universe…. for the moment. kidding. Please resolve this thread. Thanks.

    Thread Starter ma3ry

    (@ma3ry)

    Will do. Thanks again!

  • The topic ‘I Keep Getting Locked Out’ is closed to new replies.