• Hi,

    I think that the website has been under brute force attack for the last few months, or some other kind of attack.

    PROBLEM DESCRIPTION:
    The problem is that when we try to log in to the WordPress panel (renamed from the original wp-login.php) we can’t get in because there is a message saying “Too many faileed login, try again in the next 8 hours”.
    I know this happens because of the plugin’s security settings, but in the General Settings “Lockout White List” I have filled in my IP. The strange thing is that the same message appears even when trying to log in from a different PC with a different IP or through a browser simulator.

    Any suggestion to avoid this really uncomfortable issue?

Viewing 11 replies - 1 through 11 (of 11 total)
  • I would check your htaccess file and see if you’re listed there. It looks like your username may be banned. You could search the itsec tables and delete any rows where you see your username and IP.

    Thread Starter snap-shot

    (@snap-shot)

    Hi,

    thanks for your suggestion, I will surely do that in the next emergency. On the last occasion, it resolved itself after the hours of “being banned” had passed.

    But now the doubt stays, how could this happen if:

    1) I have whitelisted my IP address
    2) The alert message of “coming back in few hours” was shown even from different dynamic IP devices tested through a cross browser simulator which uses machines in the USA (I am in Europe). Those IPs had never tried to log in to that website before! This is strange.

    It seems like they have found a critical point to make iThemeSec go “crazy” and block everybody and everything..

    Gal Baras

    (@galbaras)

    I’ve had a similar situation. The solution should be to give IP whitelisting overriding priority over user banning, me thinks.

    Thread Starter snap-shot

    (@snap-shot)

    Hi,

    the solution thought by @galbaras sounds good!

    Has anyone an idea on how to implement it?

    But the point that maybe I didn’t explain so well is that it seems to be a bug, because the website becomes:

    • blocked from every device and every IP address,
    • even from new IP visitors,
    • even before entering the username (so it is not the user banning feature)

    pronl

    (@pronl)

    @snap-shot

    By default the iTSec plugin locks a user or IP out temporarily for 15 minutes.
    Did you modify any of the default (lockout) settings ?

    Also “Too many faileed login, try again in the next 8 hours” is not a default iTSec plugin message. Did you change it (which is possible) ?

    If not, is there any other active plugin that may be at work here ?

    Thread Starter snap-shot

    (@snap-shot)

    Hi,

    I have changed:
    – Lockout Period: 60 minutes
    – Community Lockout Message: I have put a general error message not relating to security

    There is no other plugin related to security or concerned with user management..

    pronl

    (@pronl)

    @snap-shot

    Ok, so where is that “Too many faileed login, try again in the next 8 hours” message coming from ? It’s not a default iTSec plugin message …

    Thread Starter snap-shot

    (@snap-shot)

    Well, I think I remember that I had changed the time after the last problem happened (that should have been 480 min) and probably the message as well.
    What other details can I provide?
    Is the only option to wait for the issue to happen again?

    Gal Baras

    (@galbaras)

    If you get your password wrong a few times in a row, you should get locked out. You can play with the attempt number and the lockout period when you test and pick a time when you don’t actually need to do anything on the site.
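
    To make the two ideas in this thread concrete, the suggestion from @galbaras that IP whitelisting should override user banning, and the threshold/lockout-period test suggested just above, here is an added Python model of a lockout policy. It is not code from the iThemes Security plugin and does not claim to reproduce its actual check order; the thresholds (5 per host, 10 per username), the 15-minute period, the “admin” username and the 198.51.100.x / 203.0.113.5 / 192.0.2.77 addresses are constructed for the example. It shows that a brute force spread over many IPs never trips a per-host lockout, but does lock the username for every IP, including a whitelisted one unless the whitelist is checked first, while a bare request with no username submitted is still let through.

```python
"""Toy model of a WordPress brute-force lockout policy.

Added example, not code from iThemes Security. It models a per-host (IP)
lockout, a per-username lockout that applies regardless of source IP, and a
whitelist that either sits below or above the username ban. Thresholds,
periods and addresses are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class LockoutPolicy:
    host_threshold: int = 5            # failures from one IP before that IP is locked
    user_threshold: int = 10           # failures against one username, from any IPs
    lockout_seconds: int = 15 * 60     # assumed 15 min; the poster used 60 and 480 min
    whitelist: tuple = ()              # e.g. ("203.0.113.5", "198.51.100.0/24")
    whitelist_overrides_user_ban: bool = False
    _host_failures: dict = field(default_factory=dict)
    _user_failures: dict = field(default_factory=dict)
    _host_locked_until: dict = field(default_factory=dict)
    _user_locked_until: dict = field(default_factory=dict)

    def is_whitelisted(self, host):
        addr = ip_address(host)
        return any(addr in ip_network(e, strict=False) for e in self.whitelist)

    def _locked(self, table, key, now):
        """True while a lockout is active; expired entries are forgotten."""
        until = table.get(key)
        if until is None:
            return False
        if now >= until:
            del table[key]
            return False
        return True

    def check(self, host, username, now):
        """Return (allowed, reason). username is None for a request that has
        not submitted the login form yet (just loading the page)."""
        wl = self.is_whitelisted(host)
        if not wl and self._locked(self._host_locked_until, host, now):
            return False, f"host {host} locked out"
        if username is not None and self._locked(self._user_locked_until, username, now):
            if not (wl and self.whitelist_overrides_user_ban):
                return False, f"user {username!r} locked out"
        return True, "ok"

    def record_failure(self, host, username, now):
        """Count a failed login; start a lockout when a threshold is crossed."""
        if not self.is_whitelisted(host):
            n = self._host_failures[host] = self._host_failures.get(host, 0) + 1
            if n >= self.host_threshold:
                self._host_locked_until[host] = now + self.lockout_seconds
                self._host_failures[host] = 0
        n = self._user_failures[username] = self._user_failures.get(username, 0) + 1
        if n >= self.user_threshold:
            self._user_locked_until[username] = now + self.lockout_seconds
            self._user_failures[username] = 0


def simulate(whitelist_overrides_user_ban):
    """Distributed brute force: 12 constructed attacker IPs, 3 failures each
    against 'admin'. No single IP reaches host_threshold (5), but 'admin'
    passes user_threshold (10), so the username is locked for everyone."""
    p = LockoutPolicy(whitelist=("203.0.113.5",),
                      whitelist_overrides_user_ban=whitelist_overrides_user_ban)
    t = 1_000_000  # constructed timestamp
    for i in range(12):
        attacker = f"198.51.100.{10 + i}"
        for _ in range(3):
            p.record_failure(attacker, "admin", t)
    return {
        "attacker_host_locked": not p.check("198.51.100.10", None, t)[0],
        "admin_from_whitelist": p.check("203.0.113.5", "admin", t),
        "admin_from_new_ip": p.check("192.0.2.77", "admin", t),
        "login_page_from_new_ip": p.check("192.0.2.77", None, t),
        "admin_after_expiry": p.check("192.0.2.77", "admin", t + p.lockout_seconds),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print(f"whitelist_overrides_user_ban={mode}:")
        for k, v in simulate(mode).items():
            print(f"  {k}: {v}")
```

    Run it and compare the two modes: with the whitelist checked below the user ban, the owner is refused from the whitelisted IP with the same “user locked out” reason as any other IP, which is the symptom described in this thread for the username case; with the override, only non-whitelisted IPs stay locked until the period expires.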

    Thread Starter snap-shot

    (@snap-shot)

    Thank you Gal Baras,

    anyway, I have never entered a wrong password. The case is different; to be clearer for everyone who reads this thread, I summarise the problem to be solved.

    1. Somebody was trying to brute force the website (the iThemeSec Log showed many attempts)
    2. My IP address was already whitelisted, but I could not access either and got the locked out message
    3. The “locked out message” of “coming back in few hours” was shown even from different PCs and dynamic IP devices tested through a cross browser simulator which uses machines in the USA (I am in Europe). Those PCs had never tried to log in to that website before! This is strange.

    It seems like the hacker has found a critical point to make iThemeSec go “crazy” and block everybody from every device in the world.

    Any idea from the Plugin Support?

    This problem occurred two times during the past 3 months.

    Gal Baras

    (@galbaras)

    You may not have entered the wrong password, but someone else might have done it.

    Try testing it as above.

  • The topic ‘iThemeS Security blocks me out even with IP white listed’ is closed to new replies.