BulletProof Security Free forum: User Account Locked – User Account Locked Repeatedly, User Account Locked Every Hour
Tagged: user account locked, username locked
This topic has 46 replies, 13 voices, and was last updated 1 year, 5 months ago by AITpro Admin.
Jesus DM (Participant)
[Topic has been merged into this relevant Topic]
Hello, I’ve installed the BPS plugin on my WP sites, and one of them is being attacked. I’m constantly getting this email from the plugin:

A User Account Has Been Locked
To take further action go to the Login Security page. If no action is taken then the User will be able to try and login again after the Lockout Time has expired. If you do not want to receive further email alerts change or turn off Login Security Email Alerts.
What to do if your User Account is locked and you are unable to login to your website: Use FTP or your web host control panel file manager and rename the /bulletproof-security plugin folder name to /_bulletproof-security. Log into your website. Rename the /_bulletproof-security plugin folder name back to /bulletproof-security. Go to the BPS Login Security page and unlock your User Account.
What to do if your User Account is being locked repeatedly: Additional things that you can do to protect publicly displayed usernames, not exposing author names/user account names, etc.: http://forum.ait-pro.com/forums/topic/user-account-locked/#post-12634
Username: BLOCKED
Status: Locked
Role: administrator
Email: BLOCKED
Lockout Time: April 12, 2016 8:32 pm
Lockout Time Expires: April 12, 2016 9:32 pm
User IP Address: 37.213.9.30
User Hostname: 37.213.9.30
Request URI: /wp-login.php
Site: BLOCKED
==================
It’s always locked now, what can I do to stop this attack? And another question is why someone with an IP in Belarus is attacking me?
Thanks

AITpro Admin (Keymaster)
@ Jesus DM – Click the link in the Login Security email alert for additional things that you can do to protect publicly displayed usernames, not exposing author names/user account names, etc.
What to do if your User Account is being locked repeatedly: Additional things that you can do to protect publicly displayed usernames, not exposing author names/user account names, etc.: http://forum.ait-pro.com/forums/topic/user-account-locked/#post-12634
WebRightNow (Participant)
Not everyone seems to realise that simply switching your admin account to a different username from “admin” isn’t enough to protect you from those hacking attempts which are getting you repeatedly locked out.
First of all, if your theme is set to display the author’s name for each post – as is usually the case – you need to either hide that everywhere (by removing the php function, NOT using CSS “display:none” which makes no difference to bots!) or make sure that:
- each user has set a nickname which is different from their username;
- each user is set to be displayed in the frontend by that nickname (“Display name publicly as”);
- even then, most themes (incl. Twenty Sixteen) link the nickname to the author’s page, where the actual username is still shown – so you need to remove that function as well.
I used to do this for every new website and I thought it was enough to keep usernames safe. Unfortunately, there is a fundamental security flaw in the default WordPress setup which I had overlooked: bots can still get hold of your usernames simply by adding some code at the end of your URL. The code is ?author=1. For example: forum.ait-pro.com/?author=1. This will bring up a page showing the first author’s username (usually the admin who built the website). Even if that author no longer exists, they can change the last digit to 2, 3 etc. and get the usernames of anyone who has ever posted on your site.
Now, I know previous posts here recommended never using an admin account to post anything, and only using lower level access users to post, but in reality this can be very impractical. I have several websites with multiple admin users (because they all need access to certain plugins); it’s too complicated to expect them all to have two separate accounts, one for posting and one for admin purposes. In reality, they want to be able to log in once, make their posts, carry out their admin tasks and log off. Surely this scenario is not uncommon, especially with large, collaborative websites and blogs.
I keep expecting the next version of WP to remove the ?author loophole, but it hasn’t happened yet, presumably because it’s used by some templates – but it really ought to be looked into. Even BPS Security’s .htaccess file doesn’t address this particular issue, which is actually really easy to correct. I do it by adding this bit of code at the end of my .htaccess file:
# Assumes RewriteEngine On is already set earlier in the file (WordPress's own block does this)
# Skip the admin area, where ?author= is a legitimate filter
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
# Match a numeric author id anywhere in the query string
RewriteCond %{QUERY_STRING} author=\d
# Send the request to the front page instead
RewriteRule ^ /? [L,R=301]
This redirects those URL queries to the index page, so that bots are no longer able to grab your usernames and start having a go at guessing their passwords – which is what causes some accounts to keep being locked out.
One point to add: if you have already been locked out even once, all of the above measures won’t be enough as the hackers already have your username, so they’ll just keep trying. You need to implement the above, then change the affected usernames to something different, and finally delete the affected username, remembering of course to assign their posts to the new user.
Hope this helps someone.
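As an added example (not part of WebRightNow's post, the BPS plugin or Bonus Custom Code), here is a small Python script that finds the probe pattern described above in an Apache "combined" access log, using the same test as the .htaccess rule (author=<digits> in the query string, outside /wp-admin), and also counts POSTs to wp-login.php so you can see which source addresses walked the author ids and then went on to hammer the login form. The log lines, IP addresses and thresholds are constructed for the example; the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache "combined" log lines (made up for this example):
# one address walks ?author=1,2,3 and then posts to wp-login.php repeatedly;
# another only uses author= inside /wp-admin, which is a normal admin filter.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2016:20:10:01 +0000] "GET /?author=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2016:20:10:02 +0000] "GET /?author=2 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2016:20:10:03 +0000] "GET /?author=3 HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2016:20:10:30 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2016:20:10:31 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2016:20:10:32 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2016:20:10:33 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2016:20:10:34 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2016:20:10:35 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2016:20:11:00 +0000] "GET /wp-admin/edit.php?author=5 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2016:20:12:00 +0000] "GET /author/editor/ HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
this line is deliberately not a log line
"""

# Field layout of the standard Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
AUTHOR_ID_RE = re.compile(r'^\d+$')


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def author_probe_id(target):
    """Return the integer author id when the request matches what the .htaccess
    rule above redirects (author=<digits> in the query string, outside
    /wp-admin), otherwise None."""
    parts = urlsplit(target)
    if parts.path.lower().startswith('/wp-admin'):
        return None  # the rule exempts the admin area, so do we
    for value in parse_qs(parts.query).get('author', []):
        if AUTHOR_ID_RE.match(value):
            return int(value)
    return None


def analyze(lines):
    """Per source IP: sorted distinct author ids probed and number of POSTs to wp-login.php."""
    report = defaultdict(lambda: {'author_ids': set(), 'login_posts': 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not counted
        entry = report[rec['ip']]
        aid = author_probe_id(rec['target'])
        if aid is not None:
            entry['author_ids'].add(aid)
        if rec['method'] == 'POST' and urlsplit(rec['target']).path == '/wp-login.php':
            entry['login_posts'] += 1
    return {ip: {'author_ids': sorted(e['author_ids']), 'login_posts': e['login_posts']}
            for ip, e in report.items()}


def find_suspects(report, min_ids=2, login_threshold=5):
    """IPs that walked two or more author ids, or hit the login form at least
    login_threshold times (thresholds are constructed for the example)."""
    return sorted(ip for ip, e in report.items()
                  if len(e['author_ids']) >= min_ids or e['login_posts'] >= login_threshold)


if __name__ == '__main__':
    rep = analyze(SAMPLE_LOG.splitlines())
    for ip in find_suspects(rep):
        print(ip, rep[ip])
```

Run it against your real access log by replacing SAMPLE_LOG with the file contents; the /wp-admin exemption is deliberate so that editors filtering the post list by author are not reported as probes.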
AITpro Admin (Keymaster)
@ WebRightNow – We created some Bonus Custom Code here that protects against Author Enumeration: http://forum.ait-pro.com/forums/topic/wordpress-author-enumeration-bot-probe-protection-author-id-user-id/ The reason this code is Bonus Custom Code and not standard BPS htaccess code and the same reason that WordPress will never remove this known issue is simply this – Some folks want to display author names and other folks don’t.
WebRightNow (Participant)
Sure, I get that – but IMAO if you tell WordPress “Display publicly as…” it means that you want to always display your nickname, not your username – at least that’s what most folk would assume. Yet that’s not what happens, because the URL generated by the ?author query contains the username. Instead, the WP code should be changed to make sure that, for any user who has decided to be displayed publicly by their nickname, the author page’s URL (and all other URLs related to authors) also use the nickname, not the username. This would solve this whole issue. Again, that’s just my opinion. Obviously this is not for AITpro but for WP developers to address. Thanks for the custom code BTW, it’s probably better than the one I use.
AITpro Admin (Keymaster)
@ WebRightNow – Yep, I agree with you 100% on all of your points. 😉
kermit (Participant)
Hello there, I have the same issue as the original author. Am I correct to say that I should create a couple of admins, for safe measure, then delete the admins that are being attacked by the bots, but also transfer the content that was created by them to one of the new admin credentials? This way I keep all the blog posts.
Just looking for some reassurance here, thank you for your help.
AITpro Admin (Keymaster)
@ kermit – This Reply in this same forum topic has the additional security measures that you are looking for: http://forum.ait-pro.com/forums/topic/user-account-locked/#post-12634 99% of all hacking and spamming is automated using hackerbots and spambots. Using the Author Enumeration Bot Probe Protection Bonus Custom Code will prevent those bots from finding your Author/User Account names and automatically using them to auto-register, auto-login and auto-post on your website. Creating another WordPress Administrator user account that you ONLY use for logging into your website and NOT for posting content will prevent your Author/User Account name from being publicly displayed on the frontend of your website, which a lot of themes and plugins do automatically.
kermit (Participant)
Hi there, where do I find the Author Enumeration Bot Probe Protection Bonus Custom Code? And when I get the code, where would it go? Would you be able to let me know step by step please?
Thank you for your insight.
AITpro Admin (Keymaster)
@ kermit – The link is in the link that I posted above. Here is the direct link: http://forum.ait-pro.com/forums/topic/wordpress-author-enumeration-bot-probe-protection-author-id-user-id/ The Bonus Custom Code forum topic has step by step instructions to add the Bonus Custom Code to BPS Custom Code. All Bonus Custom Code forum topics have step by step instructions to add Bonus Custom Code and also help information about what the Bonus Custom Code does: http://forum.ait-pro.com/forums/topic-tag/bonus-custom-code/
kermit (Participant)
Ok thank you, we will have a goosie gander! 🙂
All the best.
kermit (Participant)
Hi there, should I remove/delete the admins that were getting attacked by the bots?
Thank you for your help.
AITpro Admin (Keymaster)
If it were my site I would create new Administrator user accounts and delete the old Administrator user accounts.
Dean McNamara (Participant)
Ok, so on one of my sites I created a new account as an admin account. The old admin account that I had also used for posting, I reduced to an account with no privileges and just left live. The new admin account has not been used for any posting and yet it is now also being locked out by the brute force logins. Is this normal?
AITpro Admin (Keymaster)
@ Dean McNamara – Since you have BPS Pro, you only need to turn On JTC Anti-Spam|Anti-Hacker, which will stop 100% of all automated Brute Force attacks and prevent your user account from being locked repeatedly. Note: If you are using another plugin or Theme that overrides/negates JTC then you can use some of these other methods below.
What to do if your User Account is being locked repeatedly: Additional things that you can do to protect publicly displayed usernames, not exposing author names/user account names, etc.: http://forum.ait-pro.com/forums/topic/user-account-locked/#post-12634