We have analyzed these mails and found out that almost all of the user IDs the hacker(s) have used are either real user names of our account or nicknames of these users. That means the hacker(s) must have access to our account to get the current user IDs and nicknames.
Our questions:
1. Does WordPress provide a log file containing the logins that have been successful? We do need to know if any login from an unknown IP has been successful.
2. The last sentence of these mails (‚Die IP wurde für 24 Stunden geblockt‘) means that the hacker’s IP has been locked for 24 hours. But: We have received several mails on the same day containing the same IP, example: 13.08.2018, 05:55 / 13.08.2018, 09:02 / 13.08.2018, 13:28. What does it mean: The IP has been locked for 24 hours?
3. What does ‚2 Aussperrungen‘ (2 lockouts?) mean in this context?
Any help is highly appreciated.
Thanks in advance,
Lothar
2 and 3. WordPress itself doesn’t lock anyone out, so I assume that’s from one of your security plugins. It would be better to ask their support.