• I have a couple of sites using the Ithemes free security plugin. As they have been bombarded with hundreds of login attempts – all using “admin” as the user name yet none are actually being banned as the settings indicate they should be… I’ve set the “away” mode for one week to lock off the back end completely on a site. And yet, since doing that, I’ve had over a dozen lockout notices for IP addresses being locked out – not banned – for attempting to login using “admin” as the username. This for a site that I cannot even log back into for another six days? I don’t get it. Why / how could any other person / site even attempt to login if I cannot get to my own site?

    There seem to be some more (and this is becoming a common story) bugs with this plugin. I’ve been reluctant about shifting to Wordfence as it’s more of a resource hog than is BWPS – Ithemes… but this plugin isn’t making me feel a bit more secure anymore.

    https://www.ads-software.com/plugins/better-wp-security/

Viewing 5 replies - 1 through 5 (of 5 total)
  • I think Away Mode only prevents getting the WP Dashboard login form displayed.

    I don’t think this feature is designed to prevent wp-login.php posts …
    (as brute force attacks do).

    Will do some testing and confirm whether this is true.

    dwinden

    Thread Starter rpsellers

    (@rpsellers)

    Since I have the site in “away” mode now, even when I try the wp-login.php link, all I get is the “This is somewhat embarrassing, isn’t it? It seems we can’t find what you’re looking for. Perhaps searching can help” message. And yet I continue to get a raft of site lockout notifications from IP addresses all over the world giving the reason as “due to user tried to login as ‘admin’.” I’m completely at a loss as to how that can happen when there’s currently no way to get to the page in order to be able to attempt to login as “admin”?

    Ok, I just completed a quick test and …
    Away Mode works exactly as I thought it does.

    You need to distinguish between manual login attempts:

    – A human accessing the WP Dashboard page (= wp-login.php GET request) and then entering the username and password followed by clicking on the blue Login button (= wp-login.php POST request).

    and automated login attempts:

    – Most brute force login attempts are automated. They skip the wp-login.php GET request and do a direct wp-login.php POST request…

    Away Mode is designed to only redirect wp-login.php GET requests…
    So Away Mode is only effective against manual login attempts.
    The wp-login.php GET request is redirected using the WP get_option('siteurl') function (= WordPress Address (URL) field in General Settings). The iTSec plugin Logs page will show a new entry named Away Mode Triggered for every attempt (GET request) to access the WP Dashboard login page.

    I noticed you seem to be getting a 404 page. Check your WordPress Address (URL) field in General Settings and try and access its current value to see whether that url returns a 404. It could be there is a bug in Away Mode where it should be redirecting to Site Address (URL) using the get_option('home') function…
    Note this is only relevant in WordPress installs where the WordPress Address(URL) is not equal to the Site Address(URL)…
    Another explanation could be that you have enabled the iTSec plugin Hide Backend feature. Once this feature is enabled you can no longer access the wp-login.php file directly. It will return a … 404.

    An automated brute force login attempt passes the username and password field values programmatically using a wp-login.php POST request. Even though Away Mode is triggered, it ALSO continues with attempting to log in …
    (Technically speaking there is no exit performed after the Away Mode redirect …)
    There will be just as many Away Mode Triggered entries in the Logs page as there are Invalid Login Attempt and Host or User Lockout entries …

    So Away Mode will not prevent your site from being hammered by automated login attempts as generated by brute force attacks …
    It will only protect your site from accessing the WP Dashboard login page and thus manual (human) login attempts …

    dwinden
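The behaviour dwinden describes (a redirect with no exit after it, so a scripted POST to wp-login.php is still processed), shown as an added PHP illustration that is not the iTSec plugin's own code. The function names, the fixed away window and the 403 response are assumptions chosen for the example; only the WordPress hooks and functions used (login_init, wp_redirect, wp_safe_redirect, wp_die, home_url, get_option) are real.

```php
<?php
// Added illustration, not the iTSec plugin's own code: a redirect without
// exit stops only browsers, while a login_init check that also refuses POST
// requests stops scripted attempts. All names/values below are assumptions.

// Constructed away window: one week starting at a fixed epoch (assumption).
define( 'EXAMPLE_AWAY_START', 1700000000 );
define( 'EXAMPLE_AWAY_END', EXAMPLE_AWAY_START + 7 * DAY_IN_SECONDS );

function example_away_mode_is_active() {
    $now = time();
    return $now >= EXAMPLE_AWAY_START && $now < EXAMPLE_AWAY_END;
}

// Pattern described in the thread: redirect, but no exit. A browser follows
// the Location header and never sees the form, but PHP keeps running, so a
// scripted POST to wp-login.php is still authenticated by WordPress and still
// produces Invalid Login Attempt entries alongside Away Mode Triggered ones.
function example_away_mode_redirect_only() {
    if ( ! example_away_mode_is_active() ) {
        return;
    }
    wp_redirect( get_option( 'siteurl' ) );
    // No exit here, so request processing continues into the login handler.
}

// Hardened variant: stop processing for every request method, so that
// automated POSTs are refused before WordPress ever checks the credentials.
function example_away_mode_block_all() {
    if ( ! example_away_mode_is_active() ) {
        return;
    }
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        wp_die(
            'Login is disabled while away mode is active.',
            'Away mode',
            array( 'response' => 403 )
        );
    }
    wp_safe_redirect( home_url( '/' ) );
    exit;
}

// login_init fires for both GET and POST hits to wp-login.php.
add_action( 'login_init', 'example_away_mode_block_all' );
```

Placed in wp-content/mu-plugins/ on a test site, the hardened hook makes the Logs page show no Invalid Login Attempt entries during the window, because authentication is never reached.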

    @rpsellers

    If you require no further assistance please mark the topic as ‘resolved’.

    dwinden

  • The topic ‘Ithemes security "Away" mode issue’ is closed to new replies.