• Resolved wordpress3483

    (@tharsos)


    I am getting a lot of lockouts on my blog. Could someone try to help me interpret these messages? Both lockout_user & lockout_username are blank. Does it mean that the plugin is blocking access to my blog from all IPs and usernames? Please check the attached screenshot.

    Does the large number of brute attacks indicate that someone knows my username, or does the plug-in lock access to my blog even if the attacker does not know the username?

    https://ibb.co/m8Kyea

Viewing 6 replies - 1 through 6 (of 6 total)
  • I know this is marked as resolved but there’s no answer here and I’m seeing the same issue. This is on my dev server which has no external access. I tried to logon this morning and immediately was locked out for too many attempts.

    Lockouts table shows one entry the same as the OP’s.

    Can anyone advise what to do? Assume I can remove this entry but without knowing cause I’m sure I’ll be back to square one soon.

    We have the plugin on the live site so I’d like to understand what’s going on before we hit a problem there.

    Thanks,
    Stuart

    @stuartb3502

    People tend to go into panic mode when the plugin locks them out.
    But there is no need to.

    These lockouts are temporary, which means they are released automatically after (by default) 15 minutes.
    So normally there is absolutely no need to delete anything in the database.

    That said, the lockout code includes some bugs which make it unpredictable. Basically it is not functioning properly.

    And in your particular case you do need to delete any records in the lockouts as well as the temp table. It's totally unharmful.

    Do note that the plugin adds 2 purge cron jobs when installed.
    This ensures the 3 plugin tables are purged on a regular basis.

    The lockouts and temp table are purged by the itsec_purge_lockouts cron job. It deletes any records older than 7 days.

    The logs table is purged by the itsec_purge_logs cron job. By default records older than 2 weeks are deleted. This is actually configurable in the General Settings module.

    Both cron jobs run daily.

    Thanks for the reply. “Unpredictable” “lockouts” – not a great combo. Not sure whether you’re involved in the plugin or just commenting as a knowledgeable user, but I wonder whether there are any plans to make this work properly?

    Do lockouts still expire and get purged if the “Permanent ban” option is set?

    For now I’ve added a whitelist entry and removed permanent banning just in case. Trouble is that I would like to be able to use permanent bans on my live site without worrying that I may get locked out.

    It’s not an issue now I know how to reset in the db, however. BTW, I just deleted the lockouts table record, no temp record – I don’t know which table that is but will go back and take a look.

    Thanks.

    @stuartb3502

    Let’s just say I’m a knowledgeable person heavily interested in WordPress security.

    iThemes has fixed other bugs in the lockout code in the past, so I’m sure they’ll fix any of the ones that still exist as well as soon as they pop up on their radar.

    Do lockouts still expire and get purged if the “Permanent ban” option is set?

    Yes, they do.
    Although, once IPs are banned (in the .htaccess file) they are banned forever unless you decide to remove them from the Ban Hosts setting.
    Removing a banned IP from the Ban Hosts setting will remove the banned IP entry in the .htaccess file.

    So basically lockouts are temporary and bans are (sort of) permanent.

    If you whitelist your IP no lockouts will occur and no ban can happen on your IP.
    (Or at least that’s how it is supposed to work.)
    In fact the plugin automatically whitelists anyone’s IP that successfully logs into the WordPress Dashboard as an administrator. The only difference is that it’s a temporary whitelist that is set to expire in 24 hours.

    The plugin creates 3 tables in your database:

    [prefix_]itsec_log
    [prefix_]itsec_lockouts
    [prefix_]itsec_temp

    Where [prefix_] should be substituted with your database table prefix.
    So when you manually clear the [prefix_]itsec_lockouts table, make sure to clear the [prefix_]itsec_temp as well.
    That way your manual action is similar to what the itsec_purge_lockouts cron job does.

    Thank you for the explanation.

    Stuart

    @stuartb3502

    Just wanted to add that the 6.3.0 update released yesterday introduces the ITSEC_DISABLE_MODULES constant. As per the ChangeLog:

    New Feature: Added support for the ITSEC_DISABLE_MODULES define.

    And filtered this text snippet from inside the code (core.php):

    * Check to see if the define to disable all active modules is set.
    *
    * Note that the ITSEC_DISABLE_MODULES should only be used to gain access to a site that you are locked out of.
    * Once logged in, you should remove the define to re-enable the protections offered by iThemes Security.

    Adding it to the wp-config.php file like so:

    define('ITSEC_DISABLE_MODULES', true);

    is just another way to deal with accidental lockouts.

    Do note the plugin will add the following warning on top of ALL pages once logged into the Admin Dashboard:

    The ITSEC_DISABLE_MODULES define is set. All iThemes Security protections are disabled. Please make the necessary settings changes and remove the define as quickly as possible.

    • This reply was modified 7 years, 8 months ago by pronl.
  • The topic ‘Lockout but blank lockout_user & lockout_username’ is closed to new replies.