Craig Hesser

I thought so too, but I was surprised because it happened so soon (1-2 days after I started it). But now there are zero plugins, 1 page (“Sample page”) and 2 posts on the standard format, and the problem is still there.

I will reinstall the theme and see what happens – I suspect I “touched” and changed something when I was working with the basic colors without knowing it.

Hi sgb02,

I think there is a way to do part of what you want to do.

If you set the maximum number of bad logins before a viewer is black-listed to 1, but then set the lockout time at a very low number, the blacklist report will give you the IP address of the offending attempt, but won’t lock you out for very long if you accidentally hit the wrong key while logging in.

You would have to go through the list and use the manual lockout list to get rid of the bad guys. A little more work, but more information.

Hi,

I had a problem with the latest release (maybe a plugin conflict, I’m not sure), and I decided to reinstall the previous version. Problem: even when I go to the release notes history and try to install 3.5.1, what is downloaded is the present release.
I finally solved this by extracting the BWPS plugin from a website backup file, and then uploading that. It would be easier to be able to download the earlier plugin versions.

Tx
Craig Hesser
https://jimmycraig.info/

Further to the above – I finally went back and reinstalled an earlier version of the plugin, and that seemed to cure the problems. At this point I have not reinstalled the all-in-one seo plugin. Will try that now that the system is stable and safe, and report back.

Ah – sorry, the site is https://jimmycraig.info/

I updated bwps and all-in-one-seo plugins at the same time, and got a 500 error.
I deleted the bwps plugin, but I was not able to edit the .htaccess file. However, I could delete it and replace it with the same content without everything between BWPS start and finish lines.
The site worked, but I just finished with a massive outside attack on the wp admin area (over 5000 automatic bwps IP lockouts in 3 days), and I feel naked without bwps.
I didn’t think about the aio-seo plugin at the time – will remove that and see what happens.

I have the same request as sgb02, but I also need some more information on what is reported now:

In a few instances, I get a report on the “Bad Login Attempts” that the Username Attempted was “username”. Does this mean that the attempted highjacker was successful in finding the username for the site? Or does it mean that the highjacker used the term “username” instead of (for example) the term “admin” or “administrator”?

I have some pretty complex user names (all dark green on the username scale), and I would be surprised if a highjacker were successful in finding that, but not the password.

@hlanggo
I was away – I now have a relatively large number (for me) of IP addresses and IP ranges blacklisted. What I do now is this: (1) if anybody gets blacklisted by BWPS, (2) then I put them on a manual list which I utilise in the manual blacklist box on all my websites with BWPS installed. (3) Also, I blacklist the entire range that shows up on who.is, not just the individual IP addresses.

It is a little kinky dealing with the way BWPS interprets the * wildcard character. You can get a better idea if you see what shows up on the list in the .htaccess file, and also what happens when you do the blocking on your hosting control panel.

@chp2009

Sorry, this is probably after you have solved the problem, but the .htaccess file should be located in the same directory where your wp-admin, wp-content, and wp-includes folders are. If you installed WP in a subdirectory, there will be two .htaccess files, one in the WP root, and one in the account root (where you put the favicon, the google, bing, etc. identification html files, etc.).

Don’t forget to be sure that your editor can see a file where the name starts with a “.” as in “.htaccess”

@evilmc
Go into the files with your ftp device and either rename or delete the plugin. Then restart with the wp-admin (if that works). I’m not sure what to do if wp-admin still does not work, but I think the next step is to take the entries from BWPS out of the .htaccess file.

Good luck

Further to my problem with one site above…

I believe I found my problem:

I used names for the replacements that included capital letters and symbols (generated these as passwords online). Upon reflection and further investigation, I (finally) discovered that, since these are used in html/php addresses, they should not have capitals and special characters, only lowercase and numbers. I redid the same thing, and used the same replacements, just eliminating the special characters and converting the caps to lower case, and everything works!

Something learned.

hlango, what you are reporting does not seem to be normal to me. It sounds like your site must be very enticing in one way or another: money, sex, drugs, SEO secrets, or ??? ??

From the way you wrote it, nobody has managed to get inside yet? Did you put a harder limit on wrong access attempts?

Just as a matter of principle, I am allowing only three wrong attempts from the same user and also from the same host, and have a 10+ hour delay before they can try again. I also blacklist after being blocked only 3 times.

I don’t have any addresses blacklisted yet, but I just raised the barrier about two weeks ago. My six sites with BWPS installed pull a total of over 200 unique visitors per day.

Hi Ali1370

I am no expert, but try this:

First, I assume you do not have an SSL Security Certificate for your hosting on your site. If you do have the SSL installed, then I have no experience here.

If you do NOT have SSL installed, do the next steps.

If you DO NOT KNOW if SSL is installed or not, assume that it is not and do the next steps.

– Go to the Security Settings and select the section called “SSL”

– Make sure the first box “Enforce Front End SSL” is set at “Off”. If it is not at off, change the setting to “Off”

– Just to be sure, uncheck the other two boxes (“Enforce Login SSL” and “Enforce Admin SSL”)

– Save by clicking the “Save Changes” button at the bottom.

– Item 21 on the Dashboard should be in blue font.

That is all we can do here, if you still get the message, then that is above my level of competence! ??

Well, I went back to the other sites, and upgraded them to 3.4.8 to see what is happening, and discovered that all except for the one can use version 3.4.8 with no problems. I must have a conflict of some sort with the one site. More research is required… ??

P.P.S. There were no problems with this function with the previous plugin version 3.4.7, and my 7 other sites are still using this without problems.

Hello,
I just upgraded the plugin to 3.4.8 and I cannot address any posts from the home page.
Situation:
– HostGator Apache hosting
– Win 7 (does the same thing with XP on different machine)
– Firefox 18 latest and IE 9 latest have same results
– https://trakehnertube.com/
– WP 3.5.1
– Theme: Covert Video Press 1.4 (but does the same thing with WP 2012)
– Plugins on or off makes no difference.
– Also tried the plugin development version from about 20 minutes ago (midnight GMT)
– Isolated the problem to the Ban Users box “Enable Default Banned List” – check the box and confirm – problem, uncheck the box and confirm – no problem.
– The error message is “Not found on this server. Plus a 404 error trying to use an Error Document to handle the request.”

Hope you can fix it!

Jimmy Craig

P.S. The box is unchecked now so my viewers can see the site!