User Account Locked – User Account Locked Repeatedly, User Account Locked Every Hour
Tagged: user account locked, username locked
This topic has 46 replies, 13 voices, and was last updated 1 year, 5 months ago by AITpro Admin.
Dean McNamara
Participant
Thanks. I am currently only running the free version on some sites (that were lower priority, and because bpspro scares me).
However, most of them have now been picked up by the hacker bots and are in endless lockouts. I will have to upgrade them to pro. I just thought I would mention the fact that hiding my admin user didn’t appear to work.
AITpro Admin
Keymaster
@ Dean McNamara – It should work for BPS free as long as you do all the other things listed in the link below. Typically other plugins or themes expose WordPress usernames on the frontend of your website. Additionally usernames can be found by bots by using Author Enumeration. JTC blocks the automated bots themselves. So there is no need to do any/all of the other things listed in the link below.
What to do if your User Account is being locked repeatedly: Additional things that you can do to protect publicly displayed usernames, not exposing author names/user account names, etc.: http://forum.ait-pro.com/forums/topic/user-account-locked/#post-12634
x
Participant
What if the name I use to login does not display the same as the one which shows when I post, but is the same one I use to login as administrator?
AITpro Admin
Keymaster
@ x – If you use a WordPress user account to post a Post or Page or Comment then most likely the author name/username is exposed publicly. If you only use a WordPress user account to login and never use it to post a Post or Page or Comment then most likely the author name/username is NOT exposed publicly.
The username/author display name may be different from the actual username/author display name, but probably the author URL/slug is your actual username/author name. Use this WP json URL:
http://www.example.com/wp-json/wp/v2/users
on your website to see what is displayed publicly (see example json results/response below). We have created some Bonus Custom Code to block/forbid getting the author URL/slug using wp json, but have not officially posted it in this forum yet. The code is below. We are using the WP JSON blocking code on this forum site, but not on any of our other sites yet. Note: There are other ways for bots to harvest/mine/find usernames/author names.
Example wp json results/response (id, author link and the slug have had x’s added in place of the actual author/username):
[{"id":xxxxx,"name":"AITpro Admin","url":"","description":"","link":"https:\/\/www.ait-pro.com\/author\/xxxxx\/","slug":"xxxxx",
This code goes in this Custom Code text box: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
# WP REST API JSON REQUESTS
# Block/Forbid GET & POST Requests to /wp-json/wp/v2/users
RewriteCond %{REQUEST_URI} ^.*wp-json/wp/v2/users [NC]
RewriteRule ^(.*)$ - [F]
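Added example, not part of the original posts and not AITpro's code: a Python check a site owner could run on the `/wp-json/wp/v2/users` response described above, listing the author slugs it exposes and treating a refused request (such as the 403 from the rewrite rule) as blocked. The sample response, the function names `fetch_users` and `audit_users_response`, and the `example.com` values are constructed for illustration.

```python
import json
import urllib.error
import urllib.request

USERS_PATH = "/wp-json/wp/v2/users"  # endpoint quoted in the post above

# Constructed sample response (assumption: shaped like the truncated one above).
SAMPLE_BODY = json.dumps([{
    "id": 7, "name": "Site Editor", "url": "", "description": "",
    "link": "https://www.example.com/author/login-name-7/",
    "slug": "login-name-7",
}])

def fetch_users(site_url, timeout=10):
    """Fetch the users endpoint of a site you administer; returns (status, body)."""
    req = urllib.request.Request(site_url.rstrip("/") + USERS_PATH,
                                 headers={"User-Agent": "username-exposure-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""  # e.g. 403 once the rewrite rule is active

def audit_users_response(status, body):
    """Report which author slugs a response exposes; 4xx means it was refused."""
    if 400 <= status < 500:
        return {"blocked": True, "exposed": []}
    try:
        users = json.loads(body)
    except ValueError:
        return {"blocked": False, "exposed": []}  # not JSON, nothing to list
    if not isinstance(users, list):
        return {"blocked": False, "exposed": []}  # error object, no user records
    exposed = []
    for user in users:
        if not isinstance(user, dict):
            continue
        slug, name = str(user.get("slug", "")), str(user.get("name", ""))
        exposed.append({
            "display_name": name,
            "slug": slug,
            # The display name can hide the login while the slug still shows it.
            "slug_differs_from_display_name": slug.lower() != name.lower(),
            "slug_in_author_link": f"/author/{slug}/" in str(user.get("link", "")),
        })
    return {"blocked": False, "exposed": exposed}

if __name__ == "__main__":
    print(audit_users_response(200, SAMPLE_BODY))  # constructed sample
    print(audit_users_response(403, ""))           # request refused
```

To audit a live site you administer, pass the result of `fetch_users("https://www.example.com")` to `audit_users_response` before and after adding the Custom Code.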
Dianne Trussell
Participant
I’m tearing my hair out by now. I’m at my wit’s end and need some plain English help. Asking my question on the BPS Free forum keeps redirecting me here to the Pro forum, so there’s nothing I can do about that feature of your website.
Your instructions to rename the BPS folder in cpanel (which also come in the automated email notification from WordPress “BPS Login Security Alert”) do NOT work in my case. What happens is that as soon as I “renamed /bulletproof-security plugin folder to /__bulletproof-security” (in public_html -> wp-content -> plugins), the file disappeared from cpanel !!! I did a Search for the folder in cpanel and there is nothing.
(Also, I assumed that “Login to your WordPress website” means login to your WordPress admin dashboard? Which I did but BPS was gone from there, of course).
How can I rename the BPS security folder in cpanel back to its original name when it’s GONE from cpanel?
I have 2 other up to date, working, captcha plugins on my site but still keep getting endless lockouts.
I do NOT have a standard username on my wordpress account or dashboard – got wise to that and changed it quite a while ago after doing a web security course.
So I tried to download BPS Pro and pay money I can’t afford, but it asked me to login and then rejected my correct password. So I changed my password…. here I am 2 hours later still going around in circles with forum ‘answers’ and instructions that don’t work.
I am totally stuck. I would like to keep using BPS, but will have to ditch it if it keeps causing problems and the solutions don’t work and I can’t get appropriate simple help.
PLEASE HELP!
AITpro Admin
Keymaster
@ Dianne Trussell – This forum site has 2 forums for both BPS Pro and BPS free. This particular Topic is under the BPS free forum, but it does not really matter where a Topic is posted as long as the issues/problem is relevant, i.e. some BPS free questions are merged into BPS Pro forum Topics since they are relevant to each other.
I cannot answer your cPanel question because that would have something to do with your web host cPanel application and not anything related to either BPS free or BPS Pro. That is a question you would need to ask your web host about. Most likely when you renamed the /bulletproof-security/ plugin folder the folder order changed because you changed the name of the folder and the folder is now listed at the top of the folder list you are viewing. Folders are listed alphabetically in descending order.
I do not see any BPS Pro purchases made using your name. Did you use another name/PayPal account name to purchase BPS Pro? Whether or not you choose to purchase BPS Pro really does not have any bearing on how to fix whatever problem is occurring. You should only choose to purchase BPS Pro if you want to purchase BPS Pro and not for any other reason.
So in summary, I can help you with your BPS free plugin question, but before I do that take a look at these additional things that you can do to prevent your user account from being locked repeatedly: http://forum.ait-pro.com/forums/topic/user-account-locked/#post-12634 Let me know if you need further assistance after looking at the additional things you can do in the link above.
Sophie
Participant
Thanks for all the information here – I have several WordPress websites / blogs (but I’m not super techie!) and I have noticed a massive attack on them all. So I changed all my “admin” usernames to different ones that should be fairly hard to guess, but now I’m getting attacks on those usernames too (even though they are not visible on the sites and blogs).
I recently created a whole new website and on purpose set up a username which should be pretty impossible to guess – also it is not the name I use to post anything, it is just the login username. And now I’m getting attacks on that username too!!!
Any tips, advice or suggestions on ways around this?
Many thanks!
AITpro Admin
Keymaster
@ Sophie Le Brozec – This Reply in this forum topic has some additional things you can do to protect publicly displayed usernames, not exposing author names/user account names, etc: https://forum.ait-pro.com/forums/topic/user-account-locked/#post-12634 Another thing you can do is add/install a CAPTCHA plugin since 99% of all brute force login attempts/attacks are automated with spambots/hackerbots and not by an actual person.
Sophie
Participant
Thanks! I’m not worried about the visible names as these aren’t the names used to log-in. So the CAPTCHA plug-in would mean I (and therefore any bot) would need to pass by CAPTCHA to enter the site? Just want to be certain I completely understood.
AITpro Admin
Keymaster
@ Sophie Le Brozec – What is visible to you (a human) on the frontend of your website’s posts and pages is not all of the data that can be harvested by bots from your website’s Source Code. Bots harvest usernames/author names using various methods to harvest this data from your website’s posts and pages Source Code. Unfortunately, it is a very common thing for plugins and themes to expose usernames/author names in your website’s Source Code using various WP functions that are intended to do just that. So anyway if you add a CAPTCHA then any human logging into your site would need to type in the CAPTCHA and all bots would be stopped at the CAPTCHA because they are designed to automatically harvest your Source Code data, auto-register, auto-login and auto-post using that data the bot harvested. This is a completely automated bot process. A CAPTCHA stops bots at the CAPTCHA since they are not human and stops the additional automated things that bots do – auto-register, auto-login and auto-post.
Sophie
Participant
I really want to avoid my readers having to go through the pain that is CAPTCHA in order to comment – so is there a way to avoid the spambots but without using CAPTCHA? I’ve seen some people have a box that says things like “I am not a robot – tick me” etc. Would something like that work? I don’t mind if I have to use CAPTCHA to log in but I don’t want my readers to have to leapfrog over this to comment. Any ideas or suggestions? Thanks!
Reesa
Participant
The WP plugin Contact Form 7 will automatically create a form with the “I am not a robot” box you want. It’s called ReCaptcha.
AITpro Admin
Keymaster
@ Sophie – I believe there are several plugins that have/use the Google “I am not a robot” checkbox CAPTCHA. Which plugins that offer that I am not sure. So you would have to search the WordPress Plugin Repository to find them.
jiguel
Participant
Hi,
I have the same problem but I do not have the technical skills to login by ftp and follow those instructions to unlock my account.
Is there another way to unlock my account so I can log in to my wordpress account and publish content again?
Please let me know
AITpro Admin
Keymaster
@ jiguel – You can login to your web host control panel and use the file manager tool to rename the /bulletproof-security/ plugin folder.