• Resolved lukefive

    (@lukefive)


    We’ve been using WordFence more than two years on multiple sites. Today one of those sites locked me (admin) out. This WordFence email edited …

    A user with IP addr 000.00.000.000 has been locked out from signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 20. The last username they tried to sign in with was: 'events'.
    The duration of the lockout is 4 hours.
    User IP: 000.00.000.000
    User hostname: ip-00-00-000-000.siteground.com
    User location: Chicago, United States

    The obscured IP address is the server IP for our SiteGround account. Obviously I should have whitelisted early on.

    My question: How do I figure out what triggered this? I’ve been looking inside WordFence for a detailed log?

Viewing 6 replies - 1 through 6 (of 6 total)
  • I’m having a similar issue. I also use Wordfence on multiple client accounts and have just one on Siteground that is logging all live traffic with the site’s IP address – and shutting down the site. I just tried restoring default settings with no luck. I don’t want to whitelist the IP if all traffic – including bad – is being logged with that IP.

    I did reach out to Siteground support last night, and got this feedback:

    The issue here is related to Wordfence’s “Live Traffic View” feature: the requests it makes to itself just use one of the server’s IP addresses.

    Since this feature “reviews” all requests before they reach the website, they all appear to be coming from the server IP address, while maintaining their user agent.

    So this seems to be a plugin issue?

    Thread Starter lukefive

    (@lukefive)

    Additional information …
    I found out much of this was the result of a server migration. Both of the sites where we suddenly have lockouts are on the migration list (new IP address).

    We advised our clients with WP admin rights to wait at least 48 hours for new DNS propagation.

    Again this is only our clients etc.

    My case is not a result of migration or propagation.

    When I recheck the logs, all traffic is still being logged with the hosting server IP. All is fine until someone breaks a rule – and then the site is shut down for all.

    At some point I ran across support documentation that said if one IP is being logged for all traffic, to check the settings for how Wordfence gets IPs. I am using the recommended “Let Wordfence use the most secure method to get visitor IP addresses.” Still…. when I log out and back in, Wordfence shows the activity coming from the server’s IP. I’m just hoping that plugin support monitors and responds to these threads regularly.

    As it turns out, this was a case of migration – I just didn’t know it. Siteground migrated the site to a new server. I’m sure they notified my client, but that’s easily overlooked, and we devs are typically the last to know…

    So the original DNS settings were still in place. The old IP still forwarded users to the new one, but this made it look like all users were coming from the original IP. After updating A records, the issue was resolved.
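The symptom described in this thread (every visitor logged under one server IP while keeping their own user agent) can be checked for in a web server access log. The following is an added example, not code from the thread or from Wordfence; it assumes the Apache/Nginx "combined" log format, and the function names, thresholds and sample lines are hypothetical and constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Apache/Nginx "combined" log format (not taken from the thread).
# 192.0.2.10 is a documentation address standing in for the old server IP.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1830 "-" "python-requests/2.31.0"
192.0.2.10 - - [01/Jan/2024:10:00:04 +0000] "GET /feed/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"
192.0.2.10 - - [01/Jan/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1830 "-" "python-requests/2.31.0"
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /about/ HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Captures the client IP (first field) and the user agent (last quoted field).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')


def summarize(log_text):
    """Return (top_ip, share_of_requests, distinct_user_agents), or None if no line parsed."""
    counts = Counter()
    agents = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        ip, user_agent = match.groups()
        counts[ip] += 1
        agents[ip].add(user_agent)
    if not counts:
        return None
    top_ip, hits = counts.most_common(1)[0]
    return top_ip, hits / sum(counts.values()), len(agents[top_ip])


def looks_proxied(log_text, min_share=0.9, min_agents=3):
    """True when one IP carries almost all requests but many different user agents.

    A single real client normally sends one user agent; many agents behind one
    address suggests the requests are being forwarded and the real visitor IP is lost.
    The thresholds are assumptions to tune per site.
    """
    summary = summarize(log_text)
    return summary is not None and summary[1] >= min_share and summary[2] >= min_agents


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG), looks_proxied(SAMPLE_LOG))
```

When this returns true, a lockout rule keyed on IP address will affect every visitor at once, which matches the behaviour reported above.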

    Thread Starter lukefive

    (@lukefive)

    @tendigit I wondered if SG might not be doing the same with multiple customers. Why I went ahead and posted here, just in case.

    Clients get that kind of notification, think “I don’t understand it so I’ll just trash the email.” Life of dev.

    Rock on.

    Agreed. I’m glad you posted, because it gave me something to point to with server support. It did take a few tries and a bit of pushing to find the real issue.

    So thanks for sharing – and rocking on!

  • The topic ‘Diagnosing unusual admin lockout’ is closed to new replies.