• Over the past week or so, I’ve had repeated alerts from WordFence that a user with IP address xx.xx.xx.xxx has been locked out, due to repeated attempts to log in with an invalid user name/password. This also locked ME out of my own site, and I was unable to get into the site, even with the admin email function. I understand that’s a separate issue, but interestingly, I do get the WordFence alerts at the same email. Not sure why the admin lock-out bypass is not working properly.

    Once I was able to log in, I changed the path from wp-admin to another directory, using a plug-in. When I log in to the back-end, the SAME IP address is reported as having logged in successfully. It maps to a googleusercontent.com IP, which is definitely not me, and matches the unsuccessful attempts to hack the admin.

    So why is WordFence reporting that I am logging in using an IP address that continually tries to log in, and is clearly not MY IP address?

    Additionally, if I block that user IP at the host, it blocks me from logging in as well.

    • This topic was modified 1 year, 9 months ago by jameswparker.
Viewing 15 replies - 1 through 15 (of 15 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @jameswparker, thanks for your detailed message and question.

    It sounds like an issue we see fairly often where every visit to your site is registering as the web server’s IP address. For this reason, your successful logins are coming from the same IP as malicious visits. When an attacker or bot is blocked, it’ll cause a block for all traffic including yourself.

    Take note of your own IP on your main device: https://www.whatsmyip.org.

    Once logged in as an admin, head over to Wordfence > All Options > General Wordfence Options > How does Wordfence get IPs and reference the area under that section that says Detected IPs and Your IP with this setting. See if any of the options there when picked accurately reflect your IP. If one does, don’t forget to hit the SAVE CHANGES button in the top-right after you’re done.

    If you’re using Cloudflare, you will most likely need to select “Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.”

    I hope that helps you out!
    Peter.
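
The effect described in the reply above, as an added example that is not part of the original thread and is not Wordfence's code: a lockout keyed on the connecting address blocks everyone behind a shared gateway, while reading a forwarded header only from a known proxy separates the admin from the bot. The proxy range, addresses, threshold and function names are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed values: the proxy range and all addresses below are made up.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
HEADER = {"x_forwarded_for": "X-Forwarded-For",
          "cf_connecting_ip": "CF-Connecting-IP"}
MAX_FAILURES = 3

def is_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, headers, mode):
    """Resolve the visitor IP for a given 'how to get IPs' mode."""
    peer = ipaddress.ip_address(remote_addr)
    # Honour a forwarded header only when the direct peer is a known proxy;
    # otherwise any visitor could send the header and choose their own "IP".
    if mode == "remote_addr" or not is_proxy(peer):
        return str(peer)
    hops = [h.strip() for h in headers.get(HEADER[mode], "").split(",")]
    # The header may hold a chain "client, proxy1": take the right-most
    # hop that is not one of our own proxies.
    for hop in reversed([h for h in hops if h]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed value: fall back to the peer address
        if not is_proxy(addr):
            return str(addr)
    return str(peer)

def locked_out(requests, mode):
    """Return the set of IPs with MAX_FAILURES or more failed logins."""
    failures = Counter(client_ip(peer, hdrs, mode)
                       for peer, hdrs, ok in requests if not ok)
    return {ip for ip, n in failures.items() if n >= MAX_FAILURES}

# Constructed traffic: a bot and the admin both arrive via the same gateway.
GATEWAY = "10.1.2.3"
BOT = {"X-Forwarded-For": "203.0.113.50"}
ADMIN = {"X-Forwarded-For": "198.51.100.7"}
REQUESTS = [(GATEWAY, BOT, False)] * 3 + [(GATEWAY, ADMIN, True)]

def admin_blocked(mode):
    return client_ip(GATEWAY, ADMIN, mode) in locked_out(REQUESTS, mode)

if __name__ == "__main__":
    for mode in ("remote_addr", "cf_connecting_ip", "x_forwarded_for"):
        print(mode, client_ip(GATEWAY, ADMIN, mode), admin_blocked(mode))
```

In this model, selecting a header the gateway does not send (here `cf_connecting_ip`) leaves every visitor on the gateway address, so the admin stays locked out until the mode matches the header the gateway actually sets.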

    I am also having pain from a similar issue. The problem I have identified is that Wordfence is not detecting the current IP address. Siteground recently moved websites to a new datacenter; after that, this whole issue started happening. I tried to connect with Siteground; they let it go, saying Wordfence is a third-party plugin and they cannot help. The current IP address detected by Wordfence is that of the last datacenter of Siteground. No idea how to fix it.

    The above-mentioned trick did not give my IP address.

    Please help.

    • This reply was modified 1 year, 9 months ago by garydubb25.
    Thread Starter jameswparker

    (@jameswparker)

    Gary, you should make sure that your DNS provider has the new IP address for Siteground. I did chat with a CSR on Siteground. My DNS host is different from my web host, so I needed to edit my A record at the DNS host. I am waiting to see if that helps. It may be a WordFence bug.

    The solution suggested above does not work. We are also using Siteground, who moved our data to new “Servers”. Since the new servers were running May 30, Wordfence blocked ALL users since it is only registering one IP address for all activity. All Admins and Contributors were blocked. Siteground does not appear to honour any of the 5 selections available for “How Does Wordfence Get IPs”. Each Selection did NOT change the IP address to show my correct IP address; instead it only renders the same one for all activity. This renders Wordfence unusable, and will only continue to block users. Does Wordfence have any plans forward for this, since Siteground is one of the largest WordPress hosting providers?

    I am working on the reason and solution to this problem. I will update my comment later, once it is fixed.

    This started happening on a client site 1 week ago. In this case, the domain name registrar (Go Daddy) is using the web host’s (Siteground) A-Record. Wordfence is identifying that A-Record as my IP (as well as anyone else trying to log in).

    It’s not exclusive to Wordfence either. I disabled Wordfence and installed All in One Security, which also identifies the A-Record as the current logged-in user IP. AIOS is at least able to recognize my actual IP.

    • This reply was modified 1 year, 9 months ago by askdesign.
    Thread Starter jameswparker

    (@jameswparker)

    That’s what’s happening to me as well. At some point, I’m going to transfer my domains from GoBadly to SiteGround, and perhaps that will resolve the issue. It should be easy to test by creating a domain and site at SiteGround and installing WordFence, then logging in, or attempting to crack in.

    I just discovered one of the reasons why this may have happened.
    Siteground’s A-record changed. The client received a notice about it, but didn’t forward it to me! I updated the A-record at GoDaddy (Domain Name provider), and everything seems to work correctly now. I’ll continue to monitor the situation.

    • This reply was modified 1 year, 9 months ago by askdesign.

    @banja @jameswparker, I found this issue is related to the local network. You need to flush your local network DNS. Our local network was referring to the old data center of Siteground.

    https://snipboard.io/RVQsq4.jpg

    If you see a different detected IP address compared with local, this is the most likely case (flush your DNS). During the Siteground migration, they change every record in the zone editor with the latest IP address.

    Let me know if it works.

    @garydubb25 Hi there, just tried the fix, and it still shows the DNS setting of the hosting domain. Siteground is moving their customers from their own servers to the Google Cloud platform. As such, when one goes to login – you are rerouted through their own doorway into the website. IE – everyone routes directly to the IP address of the website itself, thus dropping the ability to identify the originating IP address. Thus everyone that attempts to get in, valid or not, shows the same IP address. This was why all legitimate users were blocked, due to a brute force attack of trying to log in using invalid user names. WordFence blocked the IP address of the activity, thus blocking actual legitimate users. So I will need to open a ticket with Siteground, to determine a workaround. They have put the gateway in place, so they need to confirm that they can do the monitoring of hack attempts in place of WordFence. Ughh

    Thread Starter jameswparker

    (@jameswparker)

    banja – my domains are not hosted at Siteground — I had to go to the domain registrar and edit the A record. I also changed the login path to wp-admin, so that brute force attempts to wp-admin will get redirected to the home page.

    I logged in as admin this morning, after a WordFence patch, and in the notification email, it reported my IP address correctly.

    So maybe WordFence found a fix. I did not flush my DNS cache as garydubb suggested — not sure where you’d do that? But it appears that the WordFence notifications are working properly again.

    The info on SiteGround moving servers to Google Cloud would explain why I was getting the same IP for both brute force and my own log-ins, and was getting locked out. That’s useful info. It really is a SiteGround issue, as hacker IPs should not be reported as the main gateway for legal users.

    @banja I think it should be the previous datacenter IP address stored in the Wordfence plugin. Deactivate the plugin. Do not forget to delete all data and tables, and then reactivate it. I know this is painful, but it would be worth it.

    @jameswparker I am glad the information helped you.

    I experienced the same issue, where all traffic was being reported as the same IP address. I’m on SiteGround and I also use Cloudflare. Thanks to everyone’s direction here, I checked the DNS settings in Cloudflare and the A record for our site (in Cloudflare’s DNS settings) was pointing to the same IP address that was being reported on all site traffic. I believe this was the old IP address for our site before SiteGround moved our site to a new server. I changed it and I believe the issue should now be resolved. Hope this helps!

    • This reply was modified 1 year, 9 months ago by shaunmehr.
    Plugin Support wfpeter

    (@wfpeter)

    Hi @jameswparker, this thread sure took off!

    I hadn’t heard of the server migrations mentioned by multiple customers here on this host, but if you’re now able to find the correct IP in Wordfence by changing the settings mentioned, that’s great news.

    Unfortunately we aren’t ever given advance warning of changes such as this, but if something needs to be changed at the domain or web host, they should ideally make you aware as Wordfence won’t be the only plugin detecting IPs sent by the server in this way.

    Let me know if there are any outstanding issues.
    Peter.

    Thread Starter jameswparker

    (@jameswparker)

    Siteground was very upfront about the migration to the new host servers, and supplied both IP address and URL when the changeover occurred. They also have temporary redirects in place for those (like me) who have domains registered elsewhere. The WordFence IP identification does seem to be working now that the A record was changed.

  • The topic ‘Admin Lockout IP Address’ is closed to new replies.