I've installed security plugins, followed every article on here about securing my WordPress installation and I still get locked out several times a day. This is getting out of hand; is there anything that can be done so this doesn't happen? It's happening more and more frequently. I'm all up to date on WP, themes, and plugins.
I've done everything I can and I am locked out completely now. I've got a lot of work to do and I can't get on. Please help, I know it's a third-party application and you're just the host, but I'm at my wits' end.
You will need to lock down your WordPress installation as the answer below indicates. Once it is locked down, individuals will no longer be able to target your site with brute force attacks and the server will no longer need to lock down your WordPress site to protect you.
Thank you for your question. We definitely understand your frustration, since the WordPress attacks have caused a lot of trouble for us too.
If your WordPress admin access has been blocked because of the recent WordPress wp-login.php brute force attack affecting multiple web hosts, adding your IP address to the .htaccess file should allow you back in (you can also wait 20 minutes for the lockout to stop).
If you still cannot get into WordPress after adding your IP address to the .htaccess file, an additional security plugin may be interfering. You can troubleshoot this by renaming the plugins folder.
If you have any further questions, feel free to post them below.
Hi there. I've already made changes to my htaccess file to help prevent these, and it was working just fine - until another attack happens (or so I'm assuming). Then I'm locked out again for another 20-25 mins or so. Are you doing anything to stop these attacks or are we just going to have to keep tolerating this?
The message regarding the WordPress admin being locked is actually our effort to protect you, as without this these attacks cause either your password to become compromised or the servers to become overloaded due to the severity of the attacks.
Your best protection against your WordPress admin becoming locked is to block based on IP within your .htaccess file. If you are blocking based on referrer, it can still become blocked depending on how the attack comes in. The following article will assist you in locking down your WordPress site based on IP:
<a href="http://www.inmotionhosting.com/support/website/wordpress/lock-down-wordpress-admin-login-with-htaccess">Lock down WordPress admin login with .htaccess</a>
I have called in no less than four times asking that you NOT lock down my site. I've already changed the admin username and used a strong password. Four times you have told me that you would/you did take off the nanny, but again it appears. In every other respect I've been satisfied with InMotion for several years, but now I am OFFICIALLY UNSATISFIED with InMotion. This lock-out nonsense is enough to have me move my VPS to another host. Can't you guys deal with this?
I apologize for the issues you're having on your VPS regarding our automated WordPress ModSecurity protection. I've gone ahead and <a href="http://www.inmotionhosting.com/support/website/modsecurity/find-and-disable-specific-modsecurity-rules" target="_blank">disabled specific ModSecurity rules</a> for your websites that trigger our WordPress admin blocks.
I would recommend <a href="http://www.inmotionhosting.com/support/website/wordpress/review-wordpress-login-attempts" target="_blank">reviewing WordPress logins</a> on your server.
The problem isn't so much just that you need to use a strong WordPress password, but also that you're limiting access for malicious users to even attempt to guess your password in the first place.
Right now you have malicious users <strong>brute forcing</strong> your WordPress admin login pages. Basically they are just guessing a password again and again till they get in.
I see that you have the <strong>WordFence</strong> plugin installed, but it's important to note that because WordPress plugins have to rely on running PHP code, in some instances they can cause your server to spike while under attack, which you can take a look at using some <a href="http://www.inmotionhosting.com/support/website/server-usage/advanced-server-load-monitoring" target="_blank">advanced server load monitoring</a> tactics.
Today you've had over (6,060) POST attempts to your <strong>wp-admin.php</strong> script on your various WordPress sites, from (1,950) unique IP addresses. Of those, (1,925) had fewer than 10 login attempts, so even if you were <a href="http://www.inmotionhosting.com/support/website/security/block-unwanted-users-from-your-site-using-htaccess" target="_blank">blocking unwanted users from your website</a> each time they had a failed login, you're going to quickly build up quite a large list of blocked users, and all the while they are still going to have some successful attempts at guessing your WordPress login credentials.
If you do something like <a href="http://www.inmotionhosting.com/support/website/wordpress/prevent-unauthorized-wp-admin-wp-login-php-attempts" target="_blank">password protect the WordPress wp-admin directory and wp-login.php</a>, then you'd be preventing all those bots from even having an attempt to open up a connection to your WordPress database to check for a valid user login at all.
Anyways, you shouldn't have our internal ModSecurity protection kick in again now on your VPS. I'd definitely recommend looking at implementing some form of manual <strong>.htaccess</strong> protection if you notice your server usage climbs when under attack from using WordPress security plugins.
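Added example, not from the thread or the host's linked articles: a POSIX shell script that computes the three figures quoted in the reply above (POST attempts to the login script, unique IPs, and IPs with fewer than 10 tries) from a constructed Apache access-log sample, and prints the .htaccess fragment for the IP lockdown plus password protection recommended earlier in the thread. It assumes Apache 2.2-style access directives and a placeholder .htpasswd path.

```shell
#!/bin/sh
# Constructed sample access log (not real traffic): one persistent attacker
# with 12 POSTs, three low-volume IPs, and unrelated GET requests.
sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do
        echo '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1500'
        i=$((i + 1))
    done
    echo '203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1500'
    echo '203.0.113.10 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1500'
    echo '203.0.113.11 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1500'
    echo '203.0.113.12 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1500'
    echo '203.0.113.12 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1500'
    echo '192.0.2.5 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 9000'
}

# Read a combined-format log on stdin and print "<total> <unique_ips> <ips_under_10>"
# for POST requests to wp-login.php. Field 6 is the quoted method, field 7 the path.
count_login_posts() {
    awk '$6 == "\"POST" && $7 ~ /\/wp-login\.php/ { n[$1]++; total++ }
         END {
             for (ip in n) { uniq++; if (n[ip] < 10) small++ }
             printf "%d %d %d\n", total + 0, uniq + 0, small + 0
         }'
}

# Print an .htaccess fragment that allows wp-login.php only from the given
# admin IPs AND requires an HTTP Basic Auth login on top (Satisfy all means
# both checks must pass). Arguments: one or more allowed IP addresses.
htaccess_lockdown() {
    printf '<Files wp-login.php>\n'
    printf '    AuthType Basic\n'
    printf '    AuthName "Restricted"\n'
    printf '    AuthUserFile /home/user/.htpasswd\n'   # placeholder path, adjust
    printf '    Require valid-user\n'
    printf '    Order deny,allow\n'
    printf '    Deny from all\n'
    for ip in "$@"; do
        printf '    Allow from %s\n' "$ip"
    done
    printf '    Satisfy all\n'
    printf '</Files>\n'
}

# Usage: summarise the sample, then emit a lockdown allowing one admin IP.
sample_log | count_login_posts
htaccess_lockdown 203.0.113.10
```

Run it against a real log with `count_login_posts < /path/to/access_log`; the attacker in the sample would be caught by a per-failure block, but the three low-volume IPs would not, which is why the IP allowlist is the effective fix.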