• Within the last 3 weeks we’ve suddenly started seeing hundreds and hundreds of “Whitelisted Host Triggered Host Lockout” notices on a client’s website.

    Unlike this guy, we already have XML-RPC disabled.

    What could be causing this? We’ve made no changes recently that we can connect to this.

  • Navigate to the iTSec plugin Logs page and then click on the View Details link of a Lockout Notice entry (with Description = Whitelisted Host Triggered Host Lockout).
    Then click on the Show Raw Details link.

    Take note of the reason in the module_details array of the data array.

    Repeat this for multiple Lockout Notice entries (with Description = Whitelisted Host Triggered Host Lockout).

    So what’s the reason?

    To prevent any confusion, I’m not iThemes.

    • This reply was modified 4 years, 10 months ago by nlpro.
    Thread Starter skunkworks

    (@skunkworks)

    “too many attempts to access a file that does not exist”

    404s

    The thing is that there are TONS happening from TONS and they appear to be from the website’s own IP address. 9,656 currently in the logs.

    Are you making use of any caching mechanism (like a caching plugin)?

    Have a look at a bunch of 404 URLs in the iTSec plugin Logs page to determine whether they make any sense or not. If not it’s very well possible the site is under attack (searching for known vulnerable php files).

    Also make sure the site is using the latest iTSec plugin release (7.7.1).

    Last but not least, is this site behind any proxy (like CloudFlare)?

    Thread Starter skunkworks

    (@skunkworks)

    Are you making use of any caching mechanism (like a caching plugin)?

    Yes. WP Super Cache. We’ve been using this plugin for years on dozens of client sites and not seen this issue before.

    Have a look at a bunch of 404 URLs in the iTSec plugin Logs page to determine whether they make any sense or not. If not it’s very well possible the site is under attack (searching for known vulnerable php files).

    There are many 404s that are clearly bots but they are originating from their own IPs and we’ve disregarded them in this matter. But the 404’s from the site’s own IP are for content that makes sense but is no longer present on the site.

    Also make sure the site is using the latest iTSec plugin release (7.7.1).

    Yup.

    Last but not least, is this site behind any proxy (like CloudFlare)?

    Yes. Cloudflare in use. WP Super Cache and Cloudflare is our go-to for all our clients’ sites for years and this issue is recent.

    But the 404’s from the site’s own IP are for content that makes sense but is no longer present on the site.

    When the 404 Detection and Local Brute Force Protection modules are enabled it’s perfectly normal to see many “Whitelisted Host Triggered Host Lockout” notices due to the site generating many 404’s. As the server IP address is automatically whitelisted by the iTSec plugin, the host lockouts are reported but not executed (which is a good thing). So the iTSec plugin seems to be working properly.

    Figure out how to get rid of the (non-malicious) 404’s and you should be good to go. May have something to do with WP Super Cache or CloudFlare (or even both).
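One way to find which missing URLs the site is requesting from itself, as an added example that is not part of the thread or of the iTSec plugin: it groups 404s whose source address is the server's own IP by path and shows the most common referer for each. It assumes a web server access log in Combined Log Format is available; `self_404_report`, the sample lines and the address `203.0.113.10` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format: ip - user [time] "METHOD path PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def self_404_report(lines, server_ip):
    """Return (path, count, top referer) for 404s sent from server_ip, most frequent first."""
    hits = Counter()
    referers = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404" or m["ip"] != server_ip:
            continue
        path = m["path"].split("?", 1)[0]  # group variants that differ only by query string
        hits[path] += 1
        referers[path][m["referer"] or "-"] += 1
    return [(path, n, referers[path].most_common(1)[0][0])
            for path, n in hits.most_common()]

# Constructed sample lines; 203.0.113.10 stands in for the site's own IP address.
SAMPLE = [
    '203.0.113.10 - - [10/Mar/2020:10:00:01 +0000] "GET /old-promo/ HTTP/1.1" 404 512 '
    '"https://example.com/" "WordPress/5.3; https://example.com"',
    '203.0.113.10 - - [10/Mar/2020:10:00:05 +0000] "GET /old-promo/?utm=1 HTTP/1.1" 404 512 '
    '"https://example.com/" "WordPress/5.3; https://example.com"',
    '203.0.113.10 - - [10/Mar/2020:10:01:00 +0000] "GET /wp-content/uploads/2018/banner.jpg '
    'HTTP/1.1" 404 0 "https://example.com/about/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2020:10:02:00 +0000] "GET /missing.php HTTP/1.1" 404 0 '
    '"-" "curl/7.58"',
    '203.0.113.10 - - [10/Mar/2020:10:03:00 +0000] "GET / HTTP/1.1" 200 8121 '
    '"-" "WordPress/5.3; https://example.com"',
]

if __name__ == "__main__":
    for path, n, ref in self_404_report(SAMPLE, "203.0.113.10"):
        print(f"{n:5d}  {path}  (most common referer: {ref})")
```

The referer column points at the page that still links to the removed content, which is where the stale link or asset reference needs to be cleaned up.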
