• Suddenly, since yesterday I have not been able to log in to the admin backend. I also tried from many other different IPs; it always says “Your IP address has been flagged as a threat by the iThemes Security network.”

    I checked the “wp_itsec_lockouts” table but there are multiple entries with “127.0.0.1” as lockout_host.

    Even after deleting the above entries, I was not able to log in. At last, I removed the plugin completely.

    Where is the problem? Why suddenly this?

    https://www.ads-software.com/plugins/better-wp-security/

Viewing 6 replies - 1 through 6 (of 6 total)
  • I’m sorry to hear you removed the iTSec plugin. Anyway this is due to Network Brute Force Protection.

    Network vs Local Brute Force Protection
    Local brute force protection looks only at attempts to access your site and bans users per the lockout rules specified locally. Network brute force protection takes this a step further by banning users who have tried to break into other sites from breaking into yours. The network protection will automatically report the IP addresses of failed login attempts to iThemes and will block them for a length of time necessary to protect your site based on the number of other sites that have seen a similar attack.

    If the above info answers your question please mark this topic as ‘resolved’.

    dwinden

    dwinden

    JF here, from the other thread on Captcha… ??

    This might explain why I’ve been banned from my main domain and from one subdomain on my shared server. Here’s the exact language of the banning on the screen:

    Your IP address was temporarily banned. [VERY LARGE SIZE FONT]

    You may have been banned for one of the following reasons:

    Failing to log into wordpress (wp-login) 10 times in 5 minutes (30 minute ban)
    POSTING to xmlrpc.php more than once in 60 seconds (2 hour ban)

    If you have a legitimate use for either of these cases please contact support.

    Is this what a network-based ban announcement looks like?

    I’ve been at it with my host now for 2 days… blaming their server code for it… Perhaps I was wrong on the cause…

    Could you please confirm that this is the language of the iTheme plugin?

    Also, now that I’ve followed your explanation and disabled the Network protection on this, how long would it take for my IP address to be removed from the ‘blacklist’? It’s actually affecting my main domain site (main account on the Apache shared server, onto which I don’t believe I have installed the iTheme security…) and one of my subdomains. (The explanation of the bad login attempts has to do with a series of hacking attempts, a couple successful, over the weekend, which provided the reason to install iTheme…)

    Again, many thanks!
    JF
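Added example (not part of the original thread, and not code from iThemes Security or from the host): the two rules quoted in the ban notice above, evaluated as sliding windows over constructed request events. The status-code test for a failed login, the IP addresses and the timestamps are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule name -> (window, hits that trigger the ban, ban length), as worded in the notice.
RULES = {
    "login_fail": (timedelta(minutes=5), 10, timedelta(minutes=30)),
    "xmlrpc_post": (timedelta(seconds=60), 2, timedelta(hours=2)),  # "more than once"
}

def classify(method, path, status):
    # Assumption: a failed wp-login POST redisplays the form (200); success redirects (302).
    if method == "POST" and path == "/wp-login.php" and status == 200:
        return "login_fail"
    if method == "POST" and path == "/xmlrpc.php":
        return "xmlrpc_post"
    return None

def evaluate(events):
    """Return [(ip, rule, ban_start, ban_end)] for time-ordered request events."""
    recent = defaultdict(deque)  # (ip, rule) -> timestamps still inside the window
    banned_until, bans = {}, []
    for ts, ip, method, path, status in events:
        if ts < banned_until.get(ip, ts):
            continue  # request arrives during an active ban and is not counted
        rule = classify(method, path, status)
        if rule is None:
            continue
        window, trigger, ban_len = RULES[rule]
        hits = recent[(ip, rule)]
        hits.append(ts)
        while ts - hits[0] > window:  # drop hits that slid out of the window
            hits.popleft()
        if len(hits) >= trigger:
            banned_until[ip] = ts + ban_len
            bans.append((ip, rule, ts, ts + ban_len))
            hits.clear()
    return bans

T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamps, documentation-range IPs

def sample_events():
    def at(s): return T0 + timedelta(seconds=s)
    ev = [(at(20 * i), "203.0.113.7", "POST", "/wp-login.php", 200) for i in range(10)]
    ev += [(at(30 * i), "198.51.100.4", "POST", "/xmlrpc.php", 200) for i in range(2)]
    # Slow client: 12 failed logins and 2 XML-RPC posts, never dense enough to trip a rule.
    ev += [(at(40 * i), "192.0.2.10", "POST", "/wp-login.php", 200) for i in range(12)]
    ev += [(at(90 * i), "192.0.2.10", "POST", "/xmlrpc.php", 200) for i in range(2)]
    return sorted(ev)

if __name__ == "__main__":
    for ip, rule, start, end in evaluate(sample_events()):
        print(f"{ip} {rule} banned {start:%H:%M:%S} -> {end:%H:%M:%S}")
```

Running the same logic over a server access log shows which rule, if any, a given address would have tripped, which helps separate a host-level ban from a plugin lockout.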

    The standard message for a “Network Brute Force Protection” lockout is:

    “Your IP address has been flagged as a threat by the iThemes Security network.”

    However this message can be customized just like the other messages (user lockout or host lockout) from the “Global Settings” section of the iTSec plugin Settings page.

    The message you get looks very customized and based on the contents of the message my impression is that it’s a customized message for a user lockout.
    (The standard message for a user lockout would normally be:

    You have been locked out due to too many invalid login attempts.

    For a host lockout:

    error)

    dwinden

    Thanks, dwinden.

    Maybe I’m not describing it clearly. I’m getting this message when trying to login to my *main* domain name, which might not even yet have the plugin activated. (I’m not entirely sure because I was in crisis management mode after multiple hacking attacks and I didn’t finish installing the plugin on all the sites…) That’s why I thought the message is from my host.

    HOWEVER, if it is not from my host, then it has to be the standard language, not my own, and if this is not standard language, then it must be coming from the host (despite their claims that they put me on the white-list). And the reference to ‘contact support’ also suggests that it might be from the host, not the plugin, right?

    How long does it take to be de-listed from the network global list?

    I think I’m going to have to get my cable modem replaced so I can have a new ip address to resolve this seemingly unsolvable problem…

    Thanks again!
    JF

    It’s difficult for me to answer these questions without access to the environment.

    Let me put it this way.
    If the “Host Lockout Message”, the “User Lockout Message” or “Community Lockout Message” settings in the “Global Settings” section of the Settings page of any iTSec plugin installed in this env are not identical to the message you are getting then it’s not the iTSec plugin generating that message. Also if you or anybody else has NOT customized any of these 3 settings for any installed iTSec plugin in this env then the message is not from the iTSec plugin.

    “How long does it take to be de-listed from the network global list?”

    I honestly don’t know. Since the iThemes server cannot be accessed it’s well possible that Network Brute Force Protection is not even currently operational … unless they use another server that I’m not aware of …
    iThemes should be able to answer that question.

    dwinden

    dwinden,

    Great! You’ve answered all my questions.

    I set all my customized responses to “error” – the less information, the better. That’s why the concept of stealth mode was invented…

    And I’m going to have to change my ip address to really solve this one…

    Thanks again for sharing your knowledge on all these issues – much appreciated!

    JF

  • The topic ‘IP Flagged as bad by iThemes IPCheck – 127.0.0.1’ is closed to new replies.