BulletProof Security Free forum topic: User Account Locked – User Account Locked Repeatedly, User Account Locked Every Hour
Tagged: user account locked, username locked
This topic has 46 replies, 13 voices, and was last updated 3 years, 2 months ago by AITpro Admin.
Clownfish (Participant)
I have a script/bot which is blocking access to the user account every hour. This means I am unable to log in at all. Can someone suggest the best way to handle this? I am a WP and BP security virgin, so please be as specific as possible. I see that I can log in through cPanel and deactivate the htaccess, then log in and reinstate BP with new settings, but how will this help stop this bot altogether? Any advice appreciated, but please be gentle. I am not experienced, and short answers which would make sense to experienced people may not make sense to me.
Thank you in advance….
AITpro Admin (Keymaster)
The simplest thing to do would be to create another WordPress Administrator User Account that you ONLY use for logging into your website. NEVER use this Administrator User Account to Post anything on your website and ONLY use it for logging into your site. By never using this User Account to Post anything on your website the Author name for this new Administrator User Account will never be displayed publicly anywhere on your website.
If you are currently unable to log in to your site then use the cPanel file manager tool (may be named slightly differently) and rename the /bulletproof-security plugin folder to /__bulletproof-security. The WordPress plugins folder is here: /wp-content/plugins/. Log in to your WordPress website, then rename the /__bulletproof-security plugin folder back to /bulletproof-security. At this point create your new Administrator User Account. You can either leave your other Administrator User Account locked or you can unlock it if/when you want to create a new Post on your website.
Automated Brute Force Login attacks by spambots and hackerbots are a regular and ongoing type of website attack. The volume and frequency of Brute Force Login attacks are steadily increasing and will continue to increase. Brute Force attacks make up somewhere in the neighborhood of 85% (probably more like 90% to 95%) of the total of all types of ongoing website attacks these days. BPS Login Security & Monitoring protects the WordPress Login page from Brute Force attacks, but if your username is publicly known/displayed or can be harvested by automated bots then your user account may get locked very frequently.
What to do if your User Account is being locked repeatedly:
BPS Pro: Important Note: These additional Brute Force Login attack protection methods below are for BPS free plugin users only. BPS Pro includes JTC Anti-Spam|Anti-Hacker, which already blocks 100% of all automated hackerbot and spambot Brute Force attacks so that user accounts will not be locked repeatedly.
BPS free: Additional things that you can do to protect publicly displayed usernames, not exposing author names/user account names, etc.
http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
http://forum.ait-pro.com/forums/topic/user-account-locked/
http://forum.ait-pro.com/forums/topic/revealing-the-admin-or-editor-user-name-and-not-knowing/
http://forum.ait-pro.com/forums/topic/wordpress-author-enumeration-bot-probe-protection-author-id-user-id/
Clownfish (Participant)
Hi,
I appreciate your quick response. I have created a new Admin User account. How do I lock the old user account? Sorry to be so dim…
AITpro Admin (Keymaster)
I was under the assumption that that User Account was already locked by failed login attempts by the hacker/spammer bot that is attacking your Login page. What exactly does this mean – “I have a script/bot which is blocking access to the user account every hour.”?
Clownfish (Participant)
Hi,
Told you I was dim, didn’t I…. Of course it’s already locked and I will leave it that way. Thanks so much for your help. Greatly appreciated!
AITpro Admin (Keymaster)
ha ha ha Just wanted to make sure that my interpretation of your statement was correct and not off in left field. 😉 Yep, you might as well leave that other account locked.
Clownfish (Participant)
Hi again,
Further to this annoying issue, the lockout log gives an IP and a User hostname. Is there a way I can blacklist this moron?
AITpro Admin (Keymaster)
You can certainly try, but typically spammers and hackers have millions of IP addresses and hostnames that they can switch to. This is typically completely automated in the attack scripts that they use, i.e. “if IP address X is blocked use IP address Y…..”. My advice is to try to block 3 octets of the IP address as shown in the link below. If the hacker/spammer switches to another IP address range/subnet then block 3 octets of that IP address. If the hacker/spammer switches to yet another IP address then you know you are dealing with an automated hacker/spammer script that will continue to change IP addresses if you block them, and you should not continue to waste your time on this.
http://forum.ait-pro.com/forums/topic/htaccess-block-ip-address-block-access-to-files-by-ip-address/
Blocking IP addresses using CIDR blocks (block entire country IP address ranges)
http://forum.ait-pro.com/forums/topic/htaccess-block-ip-address-range-cidr-ip-address-range/
Other similar / related IP blocking topics
http://forum.ait-pro.com/forums/topic/buddypress-spam-registration-buddypress-anti-spam-registration/
http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
Reesa (Participant)
[Topic has been merged into this relevant Topic]
Hi, I purchased the Pro version but it seems the free version is a lot easier to use on my clients’ sites. But in at least one website, I deactivated BPS Free because they were getting way too many Login Security lockouts. What can be done to allow rightful users to login? None of the troubleshooting tips help.
AITpro Admin (Keymaster)
@ Reesa – See this forum Reply in this same forum Topic: http://forum.ait-pro.com/forums/topic/user-account-locked/?view=all#post-12634 for things that can be done for BPS free users. BPS Pro has JTC Anti-Spam|Anti-Hacker which blocks 100% of all automated logins/login attempts.
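The "block 3 octets of the IP address" approach recommended earlier in this thread for BPS free users, as an added example that is not part of the original thread and not BulletProof Security's own code: it reads lockout entries, groups the offending IPs by their first three octets (a /24 block), renders the matching .htaccess deny rules, and flags the case the admin warns about, where the attacker keeps rotating through different address ranges and chasing them is a waste of time. The log lines, their format (`user=... ip=...`), the `min_hits` threshold and the `max_blocks` rotation threshold are all constructed assumptions for this example; the real BPS Login Security log is formatted differently.

```python
"""Group login-lockout IPs by /24 and render Apache deny rules (added example).

Not BulletProof Security code. The log format and sample entries below are
constructed for this example; addresses come from the RFC 5737 documentation
ranges so they never point at a real host.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lockout-log lines (format is an assumption, not BPS's own).
SAMPLE_LOG = """\
[2014-03-01 10:02:11] Login Lockout: user=admin ip=203.0.113.7 host=host7.example
[2014-03-01 10:05:40] Login Lockout: user=admin ip=203.0.113.19 host=host19.example
[2014-03-01 11:01:02] Login Lockout: user=admin ip=203.0.113.88 host=host88.example
[2014-03-01 11:30:55] Login Lockout: user=editor ip=198.51.100.4 host=h4.example
[2014-03-01 12:00:00] Login Lockout: user=admin ip=192.0.2.250 host=h250.example
"""

# Matches the constructed "user=<name> ip=<dotted quad>" fields of each line.
LOG_RE = re.compile(r"user=(?P<user>\S+)\s+ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_lockouts(text):
    """Return a list of (username, IPv4Address) pairs from lockout log text."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group("ip"))
        except ipaddress.AddressValueError:
            continue  # skip a malformed address instead of failing on the whole log
        events.append((m.group("user"), ip))
    return events


def three_octet_block(ip):
    """The /24 network (first three octets) that an address belongs to."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def three_octet_blocks(events, min_hits=2):
    """Count lockouts per /24 and keep the blocks that reach min_hits.

    min_hits is an assumed threshold: a single lockout from a range is not
    enough evidence to deny the whole range.
    """
    counts = Counter(three_octet_block(ip) for _, ip in events)
    return {net: n for net, n in counts.items() if n >= min_hits}


def render_htaccess(blocks, apache24=True):
    """Render .htaccess deny rules for the given /24 networks.

    Apache 2.4 uses Require directives; Apache 2.2 uses Order/Allow/Deny,
    where 'Deny from 203.0.113' (three octets) matches the whole /24.
    """
    nets = sorted(blocks)
    if apache24:
        lines = ["<RequireAll>", "Require all granted"]
        lines += [f"Require not ip {net}" for net in nets]
        lines.append("</RequireAll>")
    else:
        lines = ["Order Allow,Deny", "Allow from all"]
        lines += ["Deny from " + ".".join(str(net.network_address).split(".")[:3])
                  for net in nets]
    return "\n".join(lines) + "\n"


def is_rotating(events, max_blocks=3):
    """True when lockouts come from more than max_blocks distinct /24s.

    This is the thread's rule of thumb: an attacker that keeps switching
    address ranges is an automated script, and per-range blocking will not
    keep up. max_blocks is an assumed threshold.
    """
    nets = {three_octet_block(ip) for _, ip in events}
    return len(nets) > max_blocks


if __name__ == "__main__":
    found = parse_lockouts(SAMPLE_LOG)
    ranges = three_octet_blocks(found)
    print(render_htaccess(ranges))
    print(render_htaccess(ranges, apache24=False))
    print("attacker rotating ranges:", is_rotating(found))
```

The rendered directives are meant to be pasted into the site's root .htaccess (or the BPS custom code area, so they survive the plugin rewriting the file); pick the Apache 2.4 or 2.2 syntax that matches the host, since mixing them causes a 500 error. When `is_rotating` reports true, the thread's advice applies: stop adding ranges and rely on the login-only administrator account instead.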
Steven Yoder (Participant)
Hello AITPro Admin: I’m a BPS free user and have had the same trouble with being locked out for a couple of days at a time from my account (am grateful that BPS is blocking these attacks though). Just a question about the advice above: <<create another WordPress Administrator User Account that you ONLY use for logging into your website. NEVER use this Administrator User Account to Post anything on your website and ONLY use it for logging into your site>>.
However, I’ve previously used my default user account (named “admin”) to put up posts on the site. So even if I create another account that I never use to post, won’t the bots just keep attacking my account using the “admin” username that’s out there at the bottom of what I’ve previously posted, causing me to continue to be locked out? Thanks a lot.
AITpro Admin (Keymaster)
Yes, you are correct. The default WordPress “admin” user account is the first user account that all hackerbots and spambots try. You need to create a new WordPress Administrator user account, log out of your site, log into your site with that new Administrator user account and delete the WordPress default “admin” user account. VERY IMPORTANT! Make sure you associate all content to your new Administrator user account or your content (Posts and Pages) will be deleted.
Paul Yoder (Participant)
[Topic has been merged into this relevant Topic]
I’ve had a couple of periods lasting 2 days in which a hacker has tried to log in repeatedly to my site. As a result, BPS locks the account, which is great. Except that it also prevents me from getting in, so I’d like to prevent this problem in the future. I see here http://forum.ait-pro.com/forums/topic/user-account-locked/#post-12634 the recommendation that I create a second WordPress administrator user account (separate from my user account named “admin”) that I use only to log into my website and never use to post anything. However, I’ve previously used my “admin” account to post things to the site. So even if I create another account that I never use to post, won’t the bots just keep attacking my account using the “admin” username that’s publicly visible on the site? Can I delete or mask the “admin” username on the site so the bots can’t see it and use it to attack?
I’m very new to BPS, so if I’m not understanding something basic, would be grateful for an explanation.
AITpro Admin (Keymaster)
Yes, you want to completely delete the default WordPress “admin” user account because that is the first user account that all bots try to brute force attack. See this Reply in this same forum topic for more info: http://forum.ait-pro.com/forums/topic/user-account-locked/#post-25925
Paul Yoder (Participant)
Thank you!