I Keep getting locked out of Wordpress

Category: Wordpress

bayinghoundales
Asked:
2013-09-09 2:14 pm EST

Hits: 1,484
I've installed security plugins, followed every article on here about securing my wordpress installation and I still get locked out several times a day. This is getting out of hand, is there anything that can be done so this doesn't happen? It's happening more and more frequently. I'm all up to date on WP, themes, and plugins.


I've done everything I can and I am locked out completely now. I've got a lot of work to do and I can't get on. Please help, I know it's a third party application and you're just the host, but I'm at my wits' end.
bayinghoundales
29 Points
2013-09-09 02:24 pm EST
So WTF to do????
dafins1961
0 Points
2014-01-05 09:34 am EST
Hello dafins1961,

You will need to lock down your WordPress installation as the answer below indicates. Once it is locked down, individuals will no longer be able to target your site with brute force attacks and the server will no longer need to lock down your WordPress site to protect you.
JeffMa
7,372 Points
2014-01-06 09:40 am EST

OTHER ANSWERS

0

johnpaulb-imhs1
Staff
7,266 Points
2013-09-09 4:12 pm EST
Hello bayinghoundales,

Thank you for your question. We definitely understand your frustration, since the Wordpress attacks have caused a lot of trouble for us too.

If your WordPress admin access has been blocked because of the recent WordPress wp-login.php brute force attack affecting multiple web hosts, adding your IP address to the .htaccess file should allow you back in (you can also wait 20 minutes for the lockout to stop).

This is part of our full article on the Wordpress brute force attacks.

If you still cannot get into Wordpress after adding your IP address to the .htaccess file, an additional security plugin may be interfering. You can troubleshoot this by renaming the plugins folder.

If you have any further questions, feel free to post them below.
Thank you,

-John-Paul


Hi there. I've already made changes to my htaccess file to help prevent these, and it was working just fine - until another attack happens (or so I'm assuming). Then I'm locked out again for another 20-25 mins or so. Are you doing anything to stop these attacks or are we just going to have to keep tolerating this?
writtenmagic
3 Points
2013-11-30 10:08 pm EST
Hello writtenmagic,

The message regarding the Wordpress admin being locked is actually our effort to protect you as without this, these attacks cause either your password to become compromised, or the servers to become overloaded due to the severity of the attacks.

Your best protection against your Wordpress admin becoming locked is to block based on IP within your .htaccess file. If you are blocking based on referrer, it can still become blocked depending on how the attack comes in. The following article will assist you in locking down your Wordpress site based on IP:

Lock down WordPress admin login with .htaccess
JeffMa
7,372 Points
Staff
2013-12-02 10:14 am EST
Many sites require multiple logins from multiple locations, coffee shops, on the road, hotels etc. This is not a viable security solution whatsoever.
jeffkee
13 Points
2014-01-13 3:12 pm EST
0

Jonathan_Kramer
2014-02-10 2:14 pm EST
I have called in no less than four times asking that you NOT lock down my site. I've already changed the admin username and used a strong password. Four times you have told me that you would/you did take off the nanny, but again it appears. In every other respect I've been satisfied with InMotion for several years, but now I am OFFICIALLY UNSATISFIED with InMotion. This lock-out nonsense is enough to have me move my VPS to another host. Can't you guys deal with this?


Hello Jonathan,

I apologize for the issues you're having on your VPS regarding our automated WordPress ModSecurity protection. I've gone ahead and disabled specific ModSecurity rules for your websites that trigger our WordPress admin blocks.

I would recommend reviewing WordPress logins on your server.

The problem isn't so much just that you need to use a strong WordPress password, but also that you're limiting access for malicious users to even attempt to guess your password in the first place.

Right now you have malicious users brute forcing your WordPress admin login pages. Basically they are just guessing a password again and again till they get in.

I see that you have the WordFence plugin installed, but it's important to note that in some instances because WordPress plugins have to rely on running PHP code, while under attack it can cause your server to spike, which you can take a look at using some advanced server load monitoring tactics.

Today you've had over (6,060) POST attempts to your wp-admin.php script on your various WordPress sites, from (1,950) unique IP addresses. Of those (1,925) had fewer than 10 login attempts, so even if you were blocking unwanted users from your website each time they had a failed login, you're going to quickly build up quite a large list of blocked users and all the while they are still going to have some successful attempts at guessing your WordPress login credentials.

If you do something like password protect the WordPress wp-admin directory and wp-login.php, then you'd be preventing all those bots from even having an attempt to open up a connection to your WordPress database to check for a valid user login at all.

Anyways, you shouldn't have our internal ModSecurity protection kick in again now on your VPS. I'd definitely recommend looking at implementing some form of manual .htaccess protection if you notice your server usage climbs when under attack from using WordPress security plugins.

- Jacob
JacobIMH
9,521 Points
Staff
2014-02-10 6:28 pm EST
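
The kind of log review described in the reply above, as an added example that is not part of the original thread or InMotion's own tooling: it counts POST requests to wp-login.php per client IP in an Apache combined-format access log and reports how many attempts come from addresses that stay under a per-IP lockout limit. The log lines are constructed, and the function names, the default limit of 10 and the reading of a 302 response as a login that may have succeeded are assumptions.

```python
import re
from collections import Counter

# Apache combined log format: IP, ident, user, [time], "METHOD path proto", status, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def make_line(ip, method, path, status):
    """Build one constructed access-log line (sample data only)."""
    return (f'{ip} - - [10/Feb/2014:10:00:00 -0500] "{method} {path} HTTP/1.1" '
            f'{status} 3521 "-" "Mozilla/5.0"')

# Constructed sample: one noisy client plus many low-volume clients
# (documentation-range addresses, not real traffic).
SAMPLE_LOG = [make_line("203.0.113.5", "POST", "/wp-login.php", 200)] * 12 + [
    make_line(f"198.51.100.{n}", "POST", "/blog/wp-login.php", 200)
    for n in range(1, 7) for _ in range(2)
] + [
    make_line("192.0.2.10", "GET", "/wp-login.php", 200),    # form view, not an attempt
    make_line("192.0.2.10", "POST", "/wp-login.php", 302),   # redirect after POST
    make_line("192.0.2.77", "POST", "/wp-comments-post.php", 302),
    "truncated or malformed line",
]

def summarize(lines, per_ip_limit=10):
    """Count login POSTs per IP and show what a per-IP lockout would miss."""
    attempts = Counter()
    redirected = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, path, status = m.groups()
        if method != "POST" or not path.split("?")[0].endswith("/wp-login.php"):
            continue
        attempts[ip] += 1
        if status == "302":
            # Assumption: WordPress usually redirects after a successful login
            # and re-renders the form with 200 after a failed one.
            redirected.add(ip)
    under = [ip for ip, n in attempts.items() if n < per_ip_limit]
    return {
        "post_attempts": sum(attempts.values()),
        "unique_ips": len(attempts),
        "ips_under_limit": len(under),
        "attempts_from_ips_under_limit": sum(attempts[ip] for ip in under),
        "ips_with_302": sorted(redirected),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A high share of attempts from addresses under the limit means per-IP lockouts will not stop the guessing, which is the case for restricting wp-login.php at the web server instead.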