• Resolved efornes

    (@efornes)


    Hi.

    I just recently installed the free version and found out that one of my sites is receiving tens of bad logins per day from IPs that belong to Amazon. Is this normal? (I am quite sure IT IS NOT!).

    What can I do? Any help will be much appreciated.

    (BTW, Admin user doesn’t exist in my site, thanks to iThemes.)

    These are the IPs:

    A host, 54.194.119.89, and a user, admin, have been locked out of the WordPress site at (((****not public****))) due to user tried to login as “admin.”.

    Same message with the following IPs:

    54.183.61.46

    52.59.245.161

    52.59.245.161

    54.229.202.107

    54.213.87.243

    54.164.151.81

    54.175.72.28

    https://www.ads-software.com/plugins/better-wp-security/

  • Hello I got the same multiple attempts on my log today:
    Invalid Login Attempt 5 2016-01-19 19:33:35 54.183.109.9 admin
    Host or User Lockout 10 2016-01-19 19:33:35 54.183.109.9 Details
    Invalid Login Attempt 5 2016-01-19 18:30:48 54.183.78.241 admin
    Host or User Lockout 10 2016-01-19 18:30:48 54.183.78.241 Details
    Invalid Login Attempt 5 2016-01-19 18:22:37 54.229.202.107 admin
    Host or User Lockout 10 2016-01-19 18:22:37 54.229.202.107 Details
    Invalid Login Attempt 5 2016-01-19 18:12:04 190.121.21.211 admin
    Host or User Lockout 10 2016-01-19 18:12:04 190.121.21.211 Details
    Invalid Login Attempt 5 2016-01-19 17:29:27 54.164.151.81 admin
    Host or User Lockout 10 2016-01-19 17:29:27 54.164.151.81 Details
    Invalid Login Attempt 5 2016-01-19 17:14:49 54.164.144.32 admin
    Host or User Lockout 10 2016-01-19 17:14:49 54.164.144.32 Details
    Invalid Login Attempt 5 2016-01-19 17:11:25 54.229.202.23 admin
    Host or User Lockout 10 2016-01-19 17:11:25 54.229.202.23 Details
    Invalid Login Attempt 5 2016-01-19 16:56:21 91.212.124.11 admin
    Host or User Lockout 10 2016-01-19 16:56:21 91.212.124.11 Details
    Invalid Login Attempt 5 2016-01-19 15:18:25 52.10.197.187 admin
    Invalid Login Attempt 5 2016-01-19 13:11:18 46.148.18.162 admin
    Invalid Login Attempt 5 2016-01-19 11:44:44 54.194.119.89 admin

    I also do not have admin user thanks to iThemes

    Can anyone help to let me know what to do about this? This is my first log as I just installed the plugin yesterday.
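
An added example, not part of any post in this thread or of the iThemes Security plugin: a triage script for log rows in the layout pasted above, reporting per source address the failed attempts, whether a lockout row was logged, and whether the address falls inside a supplied prefix list. The prefix entries are constructed placeholders shaped like the `prefixes` array of AWS's published ip-ranges.json, and all function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Rows taken from the log pasted in the post above (subset).
SAMPLE_LOG = """\
Invalid Login Attempt 5 2016-01-19 19:33:35 54.183.109.9 admin
Host or User Lockout 10 2016-01-19 19:33:35 54.183.109.9 Details
Invalid Login Attempt 5 2016-01-19 18:12:04 190.121.21.211 admin
Host or User Lockout 10 2016-01-19 18:12:04 190.121.21.211 Details
Invalid Login Attempt 5 2016-01-19 15:18:25 52.10.197.187 admin
Invalid Login Attempt 5 2016-01-19 11:44:44 54.194.119.89 admin
"""
# Constructed placeholders, NOT published data: same shape as entries in the
# "prefixes" array of ip-ranges.json. Load the real file for attribution.
SAMPLE_PREFIXES = [
    {"ip_prefix": "54.183.0.0/16", "region": "placeholder-1"},
    {"ip_prefix": "52.10.0.0/16", "region": "placeholder-2"},
]
# Columns: event name, priority, date and time, host, username or "Details".
ROW = re.compile(r"^(?P<event>.+?) (?P<prio>\d+) "
                 r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                 r"(?P<ip>\S+) (?P<tail>\S+)$")

def parse(log):
    """Yield (event, ip_address, tail) for well-formed rows; skip the rest."""
    for line in log.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        try:
            yield m["event"], ipaddress.ip_address(m["ip"]), m["tail"]
        except ValueError:  # host column is not a valid IP address
            continue

def summarize(log, prefixes):
    """Per-host summary: attempts, usernames tried, lockout seen, region."""
    nets = [(ipaddress.ip_network(p["ip_prefix"]), p["region"]) for p in prefixes]
    hosts = defaultdict(lambda: {"attempts": 0, "usernames": set(),
                                 "locked_out": False, "region": None})
    for event, addr, tail in parse(log):
        h = hosts[str(addr)]
        h["region"] = next((r for n, r in nets if addr in n), None)
        if event == "Invalid Login Attempt":
            h["attempts"] += 1
            h["usernames"].add(tail)
        elif event == "Host or User Lockout":
            h["locked_out"] = True
    return dict(hosts)

def not_locked_out(summary):
    """Hosts with failed logins but no lockout row in the parsed window."""
    return sorted(ip for ip, h in summary.items()
                  if h["attempts"] and not h["locked_out"])
```

Hosts returned by `not_locked_out` are the ones to compare against the plugin's lockout threshold and ban settings, since the log shows attempts from them without a matching lockout row.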

    @efornes

    The message received in the email notification:

    A host, 54.194.119.89, and a user, admin, have been locked out of the WordPress site at (((****not public****))) due to user tried to login as “admin.”.

    seems to indicate that the admin user still exists in your database.
    Log into your database using phpMyAdmin and check the wp_users table for the existence of the admin user.

    If the admin user really does not exist please post the full content of the received lockout email notification.

    dwinden

    Thread Starter efornes

    (@efornes)

    Hi dwinden.

    Thanks for the tip. I looked at it and it’s deleted. I guess the message that iThemes creates is somewhat confusing as it really makes you think the admin user still exists…

    thanks again

    Thread Starter efornes

    (@efornes)

    BTW, I sent my issue to [email protected]. That’s the email they provide related to domain things…no answer yet..

    Just to chime in, I’ve got Sucuri installed and it’s been giving me warnings about the exact same thing for days. There’s a setting so you can lock out users that don’t exist (like admin). I did that and have not received any warnings since.

    @efornes

    Ok, I see.

    Would still be interested to see the full content of the email notification received.

    Based on the provided info so far I cannot determine whether it is a temporary host lockout or a permanent host ban occurring (yes there is a difference).

    Also check whether the “Immediately ban a host that attempts to login using the “admin” username” setting is enabled in the Brute Force Protection section of the iTSec plugin Settings page.

    Last but not least, have you enabled the iTSec plugin Hide Backend feature?

    dwinden

    Thread Starter efornes

    (@efornes)

    Hi, thanks to you both…

    just to clarify: the users that attempted to get into my site are all blocked, as the email notification shows.

    My surprise is that these users don’t come from North Korea, Russia, China, etc… they come from the US, Germany, Ireland etc… and they all use (which is veeery strange to me) IPs belonging to Amazon, no matter they come from the US, Germany or Ireland…

    @efornes

    IPs, domains and geog are irrelevant on the internet in my opinion …
    Website attacks can originate from anywhere.

    I was focusing on getting the iTSec plugin properly configured to PREVENT any of these invalid login attempts from happening at all.

    It’s nice to know the iTSec plugin is locking out those host IPs.
    But it would be better when those malicious login attempts are not happening at all.
    This translates into better performance for your website and less host lockout emails … and thus no worries about Amazon IPs.

    dwinden

    Thread Starter efornes

    (@efornes)

    ok, I see… it’s really annoying and scary that these attacks happen.

    I got actually one serious hack in another site. Someone got to create fake paypal pages… (that was before I installed any security plugin and was the cause for me to install one)

    For what I know, Google was the first to notice the hack and the whole site was suspended (isn’t this also scary, that Google has so much scope?). My hosters knew nothing about it, nor my customers (who obviously don’t visit their site too often!).

    anyway. This is pretty scary.

    as a summary: yes, iThemes and Wordfence are doing their job.

    thanks everyone in here. Greetings from Spain.

    @efornes

    Use the Hide Backend feature to prevent automated brute force attacks on the website login page (wp-login.php).
    Disable (if possible) XMLRPC to prevent automated brute force attacks using XMLRPC (xmlrpc.php).

    If you require no more assistance please mark this topic as ‘resolved’.

    dwinden

    Thread Starter efornes

    (@efornes)

    thanks dwinden.

    backend is hidden and XMLRPC is disabled, (although not sure how this will affect site normal behaviour).

    I’m closing this. Thanks for the attention.

    I installed iThemes plugin today and I am now locked out of my wp-admin on vivbounty.org.

    Here is the error message.

    Can you help?

    Notice: Constant WP_DEBUG already defined in /home/vivbouno/public_html/wp-config.php on line 94

    Warning: Cannot modify header information – headers already sent by (output started at /home/vivbouno/public_html/wp-config.php:94) in /home/vivbouno/public_html/wp-includes/pluggable.php on line 1228

    Desperate.

    Thanks,
    Viv

  • The topic ‘Users from Amazon IPs trying to access using admin name’ is closed to new replies.