Login Security Email Alert – A User Account Has Been Locked
- This topic has 7 replies, 1 voice, and was last updated 10 years, 11 months ago by AITpro Admin.
AITpro Admin (Keymaster)
Email Question:
I got notifications from BPS that someone tried to login and got locked out. Very good, it was not me.
Can you shed some light on how they got my username? I have never encountered this before. Can I safely look up the IP address in the address bar and see who this was without sending them any more info that could be used against me?
Will be doing more research on my own, just wanted to see if you folks had any detailed insight.
Thanks – Dave
AITpro Admin (Keymaster)
Check your User Account Profile to make sure that the “Display name publicly” setting is not the same as your Username. If it currently is the same, then what I recommend is that you create a new Administrator User account and make it difficult to guess (Example: B457Y2WE4X), create a different Nickname that you can use for the “Display name publicly” setting, and display this Nickname publicly instead of your Username. After you have created the new Administrator account, delete your old Administrator account. Either way you need to create a new Administrator account and delete the old one.
AITpro Admin (Keymaster)
Email Question:
Sensitive/Private data/information has been removed.
I periodically receive these “A User Account Has Been Locked” notices, which are good. I want to receive these. But I just want to understand them better and wanted to ask if you could clarify what I’m seeing.
In this first one, for example:
===========================
A User Account Has Been Locked
To take further action go to the BPS Pro Login Security page. If no action is taken then the User will be able to try and login again after the Lockout Time has expired. If you do not want to receive further email alerts go to S-Monitor and change or turn off Login Security Email Alerts.
Username: xxxx
Status: Locked
Role:
Email: xxxx
Lockout Time: May 21, 2013 3:52 am
Lockout Time Expires: May 21, 2013 4:22 am
User IP Address: 188.143.234.14
User Hostname: 188.143.234.14
Request URI: /wp-login.php
Site: xxxx
===========================
In the above example, I’m curious why the username is xxxx (meaning, did the person try logging in using the username of xxxx, or was the lockout message sent to the user xxxx?). I find it odd that someone would try to login using this username (since it wasn’t me who got locked out). I was sleeping at this time. In other programs I’ve used, it typically indicates the “username” that the person attempted to use when trying to login, which got locked out. But since I don’t think someone used xxxx as the username to try and log in, I was curious what “Username: xxxx” actually means in the email message. I see the IP address, and I’m presuming that this IP was locked out during this period. But I’d like to know what username or usernames they attempted to use. Can or do you track and log this?
In my second email notice, I saw:
===========================
Username: xxxx
Status: Locked
Role: administrator
Email: xxxx
Lockout Time: May 21, 2013 3:52 am
Lockout Time Expires: May 21, 2013 4:22 am
User IP Address: 188.143.234.14
User Hostname: 188.143.234.14
Request URI: /wp-login.php
Site: xxxx
===========================
Questions: Why did this one indicate the ROLE, but the previous one didn’t?
I didn’t try to log into this site, when it got locked out. (I was sleeping at this time.) Again, I don’t think anyone would have used xxxx as the username when trying to log in. But I want to confirm this.
Can you help me understand the information that is sent to me in the email for this notification? And, is it possible to include in the email the username or usernames that someone who gets locked out attempted to use when they got locked out? (Even the passwords they entered would be great to know.)
Note: When I looked up the IP, it seems to be from Russia.
Can you let me know?
Thanks,
Gary
AITpro Admin (Keymaster)
First off, you need to change your Administrator User Accounts and NOT display them publicly, and delete your old Administrator User Accounts. If you display your Administrator User Accounts publicly then anyone will know what they are and can attempt to login using your Administrator username/User Account.
Yes, someone did use your username to login. You need to create new Administrator usernames and not display them publicly and delete your old Administrator User Accounts. Example of a new secure Administrator username/User Account: X45TGW2B9H5.
The User Accounts you created were very guessable: i.e. they used your website domain name as the user account name. A hacker will try user accounts that contain the domain name as the user account second, after trying “admin” and “administrator”.
BPS Pro Login Security does not do anything based on IP Addresses because IP addresses can be easily changed/faked/spoofed. IP addresses are not and never will be a reliable way to check or lockout a user account.
Example of trying to block or lockout by IP address: hacker uses IP address 10.100.100.1 to login to your site. IP address 10.100.100.1 is blocked/locked out. hacker switches to IP address 10.100.100.2, 10.100.100.3, etc etc etc etc.
If the Role was not captured in the first lockout then you are using some kind of custom Role plugin that is using some method of creating custom Roles that is not using WordPress standards, i.e. a junky/hack/poor method to create a custom Role instead of using WordPress standard functions to do this.
Capturing bogus passwords is not something that will be added to BPS Pro Login Security because this does not have any value.
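As an added example (not part of this thread or of the BPS Pro plugin itself), the following Python script parses alert emails in the field layout quoted above, groups lockouts by the username that was attempted rather than by IP address, and flags the guessable names the reply describes (admin/administrator, or a name built from the site's domain). The sample alerts are constructed; the field names follow the email format shown in the thread.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample alerts in the field layout quoted in the thread; all values are made up.
ALERTS = [
    "Username: example\nStatus: Locked\nRole: administrator\nEmail: x@example.com\n"
    "Lockout Time: May 21, 2013 3:52 am\nLockout Time Expires: May 21, 2013 4:22 am\n"
    "User IP Address: 192.0.2.10\nUser Hostname: 192.0.2.10\n"
    "Request URI: /wp-login.php\nSite: https://example.com",
    "Username: admin\nStatus: Locked\nRole:\nEmail: x@example.com\n"
    "Lockout Time: May 21, 2013 4:40 am\nLockout Time Expires: May 21, 2013 5:10 am\n"
    "User IP Address: 192.0.2.11\nUser Hostname: 192.0.2.11\n"
    "Request URI: /wp-login.php\nSite: https://example.com",
    "Username: X45TGW2B9H5\nStatus: Locked\nRole: administrator\nEmail: x@example.com\n"
    "Lockout Time: May 22, 2013 1:05 am\nLockout Time Expires: May 22, 2013 1:35 am\n"
    "User IP Address: 192.0.2.10\nUser Hostname: 192.0.2.10\n"
    "Request URI: /wp-login.php\nSite: https://example.com",
]

# One "Key: value" pair per line; the key is letters and spaces, the value may be empty (e.g. "Role:").
FIELD_RE = re.compile(r"^([A-Za-z ]+):[ \t]*(.*)$", re.M)
TIME_FMT = "%B %d, %Y %I:%M %p"  # matches "May 21, 2013 3:52 am"

def parse_alert(text):
    """Return the alert's fields as a dict, plus the lockout window length in minutes."""
    fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(text)}
    start = datetime.strptime(fields["Lockout Time"], TIME_FMT)
    end = datetime.strptime(fields["Lockout Time Expires"], TIME_FMT)
    fields["lockout_minutes"] = int((end - start).total_seconds() // 60)
    return fields

def guessable(username, site):
    """True for 'admin'/'administrator' or a username containing the site's first domain label."""
    host = (urlparse(site).hostname or site).lower()
    label = host[4:].split(".")[0] if host.startswith("www.") else host.split(".")[0]
    name = username.lower()
    return name in ("admin", "administrator") or label in name

def summarize(alerts):
    """Aggregate by username (the identity being guessed); the by-IP view is kept only for context."""
    parsed = [parse_alert(a) for a in alerts]
    site = parsed[0]["Site"]
    return {
        "by_username": Counter(p["Username"] for p in parsed),
        "by_ip": Counter(p["User IP Address"] for p in parsed),
        "guessable": sorted({p["Username"] for p in parsed if guessable(p["Username"], site)}),
        "missing_role": sorted({p["Username"] for p in parsed if not p["Role"]}),
        "lockout_minutes": sorted({p["lockout_minutes"] for p in parsed}),
    }

if __name__ == "__main__":
    print(summarize(ALERTS))
```

A username that appears in `guessable` is one to replace with a random name and a different public display name, as the reply recommends; an empty Role points at the non-standard custom-role setup mentioned above.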
AITpro Admin (Keymaster)
Email Reply to First Email Question Posted:
I did exactly what you said and deleted the old admin account. Just got another attack and it had the new actual username (hidden), not the public one I assigned to it when I created it. Is this significant? I know for a fact I created the new admin account and set a different public display name.
AITpro Admin (Keymaster)
Check that your Theme is not displaying the admin name in author URLs in your Theme’s template files. See this Forum link below.
AITpro Admin (Keymaster)
Email Reply to Second Email Question Posted:
Can you explain the comment where you said: “you need to change your Administrator User Accounts and NOT display them publicly”. I never knew or realized I was displaying the WordPress user/login names publicly. How do I go about “NOT” displaying them publicly?
Can you explain?
AITpro Admin (Keymaster)
To create a different publicly displayed username, edit your User Account Profile.
Username: Create a secure username. Example: X45TGW2B9H5
First Name: Pick something random that will work for your purposes. Example: AITpro
Last Name: Pick something random that will work for your purposes. Example: Admin
Display name publicly as: Choose anything except for your actual username/User Account.
Check that your Theme is not displaying the admin name in author URLs in your Theme’s template files. See this Forum link below.