Keep receiving erroneous lockout due to login attempts message

Hi @ronh99

WP security > Dashboard > Audit logs – Failed login type event filter or search with that IP will show all failed login attempt of that IPs.

Can you share the stacktrace ( audit log record have a link that opens popup and shows backtrace log of the files executed) for one such attempt using https://pastebin.com/ use burn after read option so can be read only once.

I will cross check which backdoor being used for such attempt mostly the XML RPC call of wp_getUsersBlogs is trying to authenticate the user is the issue. you should disable xml rpc access

WP Security > Firewall > PHP rules tab > Completely block access to XMLRPC , Disable pingback functionality from XMLRPC Please check both and Save.”

I posted one of the attempts. https://pastebin.com/ndysajN2. I’m new to pastebin so I hope I did it right. I’m getting a lot of these attempts. 14 since the 10th.

When I block XMLRPC, I get the below warning. I’m not using Jetpack but I use many other plugins and I’m using WP on a MAC. Is this going to break anything?

Attention: You have enabled the “Completely Block Access To XMLRPC” checkbox which means all XMLRPC functionality will be blocked.

By leaving this feature enabled you will prevent Jetpack or WordPress iOS or other apps which need XMLRPC from working correctly on your site.

If you still need XMLRPC then uncheck the “Completely Block Access To XMLRPC” checkbox and enable only the “Disable Pingback Functionality From XMLRPC” checkbox.

• This reply was modified 5 days, 17 hours ago by ronh99.

I also wanted to mention that I set up a blog page through Tumblr. I don’t know if that has anything to do with this issue but thought I’d mention it.

Hi @ronh99,

The stacktrace you sent of that invalid login attempt than wp-login.php file is being used to for login .

Are you the only admin of the website ? or do any other users uses this wp-login.php to logn.

You can enable the rename login page feature from WP security > Brute force > Rename login page tab – So generally who knows this URL can access the login page.

In extra if possible enable the captcha using WP security > Brute force > Captcha settings.

Regards

I am the only person who accesses the web site. Also, I don’t log into WordPress. I access it through my hosting platform. I’m not sure I can change the login URL without affecting that integration. Why do you think I should enable Captcha? Do you think a bot could be attempting the logins?

Here is some additional information. The username that is failing authentication is my author slug name. This would at least explain why the failed attempts are using that username. I’ve configured WP security to immediately lockout any attempts with that username. I’ve also enabled the login page slug and it seems to be working fine with my hosting providers SSO. I don’t think I can use Captcha as that might break the SSO. I’ll wait and see if this stops the failed login attempts. Thanks for your help. This is really encouraging me to use your premium service. Thanks!

Hi @ronh99,

If possible if you can change username directly from DB if possible.

WP security > User security > User accounts

It has option to disable user enumeration, Please enable it. It will stop exposing your admin username.

https://snipboard.io/WZGHOs.jpg

You should not lockout your own admin username to lock instantly. Please remove it, It may create problem,

You should cross check enabling the maths captcha if the hosting SSO works or not. If any issue. you may add the below constant in wp-config.php It will not verify captcha after that.

And should allow you to login and you may disable captcha then.

define( 'AIOS_DISABLE_LOGIN_LOCKOUT', true );

Regards