• While being locked out of your site can be frustrating, it means that iThemes Security is doing its job. Security detection doesn’t discriminate; if it notices a possible threat it will defend against it, even if it’s your own site. Lockouts by default expire after 15 minutes but can be renewed if attacks continue. You can White List your IP address to avoid being locked out.

    If you do find yourself locked out we have two options to get you back in. There’s a manual method of clearing it, and an automated method by using iThemes Sync, our WordPress management plugin. If you’d like to use iThemes Sync the first 10 sites are free, so you’re not out any cash. The article below explains both in detail.

    Fixing iThemes Security Lockouts

    https://www.ads-software.com/plugins/better-wp-security/

Viewing 14 replies - 1 through 14 (of 14 total)
  • What does it mean if the lockout_host column of the wp_itsec_lockouts table has empty entries? I got locked out without any missed password attempts, and am suspecting these blank lockout_host entries are causing the site to lock out everyone.

    This is absolutely ridiculous!
    If one person fails to log in x amount of times, the whole site will be blank and say “error”.

    I sincerely hope this gets fixed ASAP as it makes the lockout useless and downright damaging as people aware of this can break sites using your broken lockout functionality.

    Otherwise it’s a great plugin.

    Christoffer that is not correct at all. Only the user or IP causing the lockout is locked out. All other users can still access the site.

    gbell12 Just because you have tried to login doesn’t mean someone else hasn’t tried it with your username. This is in fact the reason for the feature.

    @chris
    Please explain to me why I can’t access the site on my iPhone, iPad and even another Mac then. The whole website gets the error message.

    You have 1 of three errors on your site:
    1.) You’ve locked out each of those IPs legitimately (probably due to too many missing assets resulting in 404 errors)
    2.) You have set your cache so aggressively that you’re caching error messages
    3.) Your server is misconfigured and is not passing the correct IP to the plugin

    Each of these is something you will need to fix on your server.

    I am an iThemes paying client (Backup Buddy and iThemes Builder websites) and user of the free version of Better WP Security. I got locked out of Better WP and then read the ways to log back in. But step #5 written by iThemes is not detailed enough. How do I “manually fix these errors 1 by 1...”?

    The complete Explanation #5:
    “Each line represents a file that your site is pointing that does not actually exist (hence the 404 error). You will need to manually fix these errors 1 by 1 to prevent lockouts from reoccurring.”

    Thanks.

    lumiereelectric.com is the site.
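An added example, not part of the thread and not iThemes code: one way to find the missing files behind 404-triggered lockouts is to list every 404 in the web server access log by path, together with the pages that referenced it and the client IPs that requested it. The combined log format, the sample lines, the function names and the threshold value are assumptions, and the time window the plugin applies is ignored here.

```python
import re
from collections import Counter

# Constructed sample in Apache/nginx "combined" log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2014:10:01:03 +0000] "GET /wp-content/themes/example/img/logo.png HTTP/1.1" 404 310 "http://example.test/" "Mozilla/5.0"
203.0.113.7 - - [12/May/2014:10:01:03 +0000] "GET /wp-content/themes/example/fonts/icons.woff HTTP/1.1" 404 310 "http://example.test/wp-content/themes/example/style.css" "Mozilla/5.0"
198.51.100.20 - - [12/May/2014:10:02:10 +0000] "GET /wp-content/themes/example/img/logo.png HTTP/1.1" 404 310 "http://example.test/about/" "Mozilla/5.0"
203.0.113.7 - - [12/May/2014:10:02:40 +0000] "GET /wp-content/themes/example/img/logo.png HTTP/1.1" 404 310 "http://example.test/about/" "Mozilla/5.0"
198.51.100.20 - - [12/May/2014:10:02:41 +0000] "GET /favicon.ico HTTP/1.1" 404 310 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def parse_404s(log_text):
    """Yield (client_ip, path, referer) for every request answered with 404."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["status"] == "404":
            yield m["ip"], m["path"], m["referer"]

def missing_assets(log_text):
    """Map each missing path to its hit count, client IPs and referring pages."""
    report = {}
    for ip, path, referer in parse_404s(log_text):
        entry = report.setdefault(path, {"hits": 0, "ips": set(), "referers": set()})
        entry["hits"] += 1
        entry["ips"].add(ip)
        if referer not in ("", "-"):
            entry["referers"].add(referer)  # the page or stylesheet to correct
    return report

def ips_at_risk(log_text, threshold):
    """Client IPs whose total 404 count reaches an assumed lockout threshold."""
    counts = Counter(ip for ip, _, _ in parse_404s(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    ranked = sorted(missing_assets(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"])
    for path, info in ranked:
        print(info["hits"], path, "referenced by", sorted(info["referers"]) or "unknown")
    print("IPs at or over threshold 3:", ips_at_risk(SAMPLE_LOG, 3))
```

Each referrer points to the page, template or stylesheet that links to the missing file, which is where the reference gets corrected or the file restored. If every request in a real log carries the same client IP, that matches the misconfigured-server cause listed earlier in the thread.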

    After getting locked out, I went through to my phpmyadmin but couldn’t find my IP. Then I managed to find out that it was a “user” brute force lockout, not an IP lockout. I deleted these brute force lockout entries from the list and I was able to login again.

    However, I continue to get locked out regularly.

    I’m guessing this means someone knows my username and is continually trying to login and guess my pw?

    Since you cannot change username, what plugin settings can I change to stop this happening?

    Thanks in advance.

    brenontheroad where did you find these brute force lockout entries? Thanks

    in the myphpadmin in my cPanel – just followed the instructions on the link in the first post.

    OK…I’m trying everything that’s been suggested above to no avail. I can’t get into my site after setting some seemingly innocuous settings a few days ago which happened right before I had to hit the road. I had no problem logging in, religiously whitelisted my IP and used Away Mode every time I was about to log out. Where I ran aground seems to be in changing locations. I meant to whitelist the new IP but was road-weary and too wiped out to do it the minute I got to my new digs. Now I’ve been locked out for days.

    Problem with i-Sync is it requires that my wp-login works, problem is, it’s having the same problem I’m having. Once I clicked ‘fix it’ to have wp-admin changed to wp-login, then changed locations, I repeatedly get a 404 error. When I tried going back to using wp-admin, I get a white screen, nothing. So I can’t install i-Sync, though it seems like it would be really nice.

    As for the manual approach, my host cPanel seems really basic, I couldn’t find ‘myphpadmin’ and I don’t know enough about how to get to that log where I can release my current IP.

    Curse the damn Brute Force attackers that made me think I should do all this before I had time to really figure out how the hell to navigate to the support site. Should I be taking this up with the Support folks who host my site?

    This is so damn depressing, it seems like I’m caught in a spider web. I don’t even have a site worth Brute Forcing about, I’m still learning how to put mine together.

    https://www.acmeworx.com/wp-login

    Now I’ve dug a little deeper, I realize that ‘phpmyadmin’ is not part of my host’s cPanel, it’s a download I need to figure out how to use. This seems like an extremely dangerous route to send novice WordPress users on. I’m not exactly a novice but I do remember how overwhelming navigating through so many different sites, creating oodles of ‘strong’ passwords, etc… was at the beginning. To send a beginner through wikipedia to try to figure out how to use ‘phpmyadmin’ in order to dink around with the database seems incredibly crazy.

    I think iThemes Security should come initially packaged with hefty documentation and big fat warnings about how easy it is to screw up while doing the ‘step by step’ from within the Security section of the admin panel. For those of us who weren’t fully aware of what a step like ‘change wp-admin to wp-login’ could do, it fully sucks to have not been duly warned of how badly things can go.

    And yes, I’m going to try to learn how to use ‘phpmyadmin’ and hope to hell I don’t really set the forces of hell upon my beleaguered site. Any kind of help towards this end would be very much appreciated.

    Tried to disable “better-wp-security” via ftp access by renaming the plug-in folder to “better-wp-security2”.

    That worked to bring back my admin log-in form at “wp-login” where my laptop automatically fills in user and password info. But now wp-login reroutes back to my original admin log-in page–https://www.acmeworx.com/wp-admin/admin.php?page=toplevel_page_itsec_settings

    and that’s as far as it gets, returning the following on an otherwise blank screen:

    “You do not have sufficient permissions to access this page.”

    Still feel too nervous to want to try doing anything with a brand new download of ‘phpmyadmin’. Wish I’d known how to use it already.

    Hi there,

    Can someone please help? I have followed the instructions from the link above but still cannot open the site as I am getting ‘access not allowed’.

    What else can I try?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    @stellamaris5 I’m sorry you’re having a rough time but per the forum welcome can you please post your own topic?

    https://www.ads-software.com/support/plugin/better-wp-security#postform

    That’s really the best way to get your specific problem the attention it deserves.

  • The topic ‘Releasing iThemes Security Lockouts’ is closed to new replies.