Locked out by logins from my IP address. Analytics views of unknown page

  • Resolved persist9

    (@persist9)


    5 years, 11 months ago

    I have 3 concerns that may be related:
    . Wordfence has been locking me out of my dashboard due to logins from my IP address
    . Google reports views of an unknown page
    . 504 gateway time-outs while editing my site.

    What do I do?
    Has my site been hacked?
    Has my computer been hacked?
    Are these issues related?

    **** First the lockouts:

    Wordfence has been seeing logins from my IP address that use invalid user-names, and protected my site by locking my site against my IP address – and emailing me. So, I have been locked out of my dashboard. On 9 Dec, I had 9 lock out emails by 7 pm.

    Here is one of the lockout emails, with identifying details replaced by xx.

    “This email was sent from your website “xx” by the Wordfence plugin at Wednesday 28th of November 2018 at 04:06:57 AM The Wordfence administrative URL for this site is: xx
    A user with IP addr 111.111.111.11 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username ‘admin’ to try to sign in.
    The duration of the lockout is 5 minutes.
    User IP: 111.111.111.11
    User hostname: server-h-xx
    User location: Australia”

    When I log in, Wordfence sends me an email saying “A user with username xx who has administrator access signed in to your WordPress site. User IP: 111.111.111.11”
    So this IP address seems to be my address and is the locked out IP address.

    Some of these lockout emails are at times when my computer is off, e.g. 2 AM, so it seems that these login attempts are not coming from my computer.

    **** Second: Google analytics shows an unknown page with 4% of views

    Google analytics is showing many views for an unknown page = /h/2396442.html
    1 July – 3 Dec: 51 views = 4% of views
    This unknown page can be my most popular page.

    https://www.my-site/h/2396442.html
    This page is “not found”

    ******* 504 gateway time-outs

    I have been getting 504 gateway time-outs while editing my site. My edits freeze. Too often I cannot even view my site. This could be due to my hosting service dropping out.

    **** Partial solution

    I installed two-factor authentication yesterday. Since then I have had no lockout emails.

    **** What do I do now?

    Has my site been hacked? If so, I could get Wordfence to clean my site
    Has my computer been hacked? How would I tackle that?
    Are these issues related?
    Suggestions welcome.

    **** Software.
    . word-press 5.0
    . Wordfence 7.1.18
    . all plugins up to date
    . PHP 7.2.10
    . Windows 10 Pro 64 bit
    . ESET Security

Viewing 2 replies - 1 through 2 (of 2 total)

  • Hi @persist9 !

    I don’t believe your site is compromised. It appears the setting “How Wordfence gets IPs” may be incorrectly configured causing most IPs to be reported as your servers IP and ultimately leading to several lockouts and incorrectly detected IPs. In order to fix this issue you will need to change the setting “How Wordfence gets IPs.” First navigate to Wordfence>Tools>Diagnostics then scroll down to “IP detection.” From there you can determine what type of IP detection method correctly reports your IP, this is going to give you the best detection method to configure Wordfence with. From there you need to go to Wordfence>Global Options>How Wordfence gets IPs and choose the correct option to correlate with what was just found in the diagnostics (make sure to save changes). You can also ensure this is the correct option that needs to be chosen by checking to see if the “Detected IPs” at the bottom matches your current IP address. Once that has been re-configured Wordfence should be able to correctly detect IPs and you should no longer get locked out due to bad guys trying to break into your site, because every IP will be reported correctly.

    I hope that helps!

    Hi @persist9,

    Yes, it does seem like the setting for How Wordfence Obtains its IPs may be configured incorrectly.

    Can I have you try going into Wordfence -> All Options, and selecting different methods of how Wordfence obtains its IPs?

    Dave

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Locked out by logins from my IP address. Analytics views of unknown page’ is closed to new replies.