Site Lockout Notifications

  • nikhiljoshi

    (@nikhiljoshi)


    4 years ago

    Hi there,

    On my website, I’ve hidden my log-in link and didn’t allow users to sign up for an account. But still, I receive emails from iThemes security that said “Site Lockout Notification” and “Too Many Bad Login Attempts”.

    Now my question is, when I’ve already hidden the login URL of my website and not allowing users to create an account, then why and how people are still able to find out my login URL and putting the wrong credentials to try to login into my dashboard?

    If anybody knows the cause of this issue, then please help, any suggestions and thoughts are welcome.

    The page I need help with: [log in to see the link]

Viewing 2 replies - 1 through 2 (of 2 total)
  • nlpro

    (@nlpro)

    Besides the WordPress Dashboard login form WordPress also includes other login methods (like XMLRPC).

    To determin the login method used for the invalid login attempts, navigate to the iTSec plugin Logs page and filter for any Brute Force module log entries. For any existing entries click on the View Details link. Checkout the URL and Login Source values.

    Considering the fact that XMLRPC is still enabled on your site, chances are you’ll find the invalid login attempts are done using the XMLRPC method.

    To prevent any confusion, I’m not iThemes.

    Thread Starter nikhiljoshi

    (@nikhiljoshi)

    Hi @nlpro ,

    You’re absolutely right. The attackers are using XMLRPC method to try to break-in into my website.

    But, this is the first time I’ve ever heard about XMLRPC phenomenon.

    Could you please tell me how to hide this list as well or any other suggestion that could help me to secure my website?

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Site Lockout Notifications’ is closed to new replies.