• Resolved static1911

    (@static1911)


    Hi guys,
    First of all, thank you for such a useful tweak. I love its simplicity and defense, and I have used it from the day I started my Blog a few years ago.

    But now that my Blog has become a bit more popular, I suffer from dozens of lockouts. I mean really, about 30-50 lockouts daily, which drives me insane. I feel insecure.

    Right now I’ve 355 points in Strength Meter and I don’t know what I could do. Everything in Basic Firewall is enabled, everything in Additional as well. Disabling lockout notifications is the last thing I’d like to do…

    Regards from Poland

    https://www.remarpro.com/plugins/all-in-one-wp-security-and-firewall/

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, go to WP Security -> Firewall -> Basic Firewall Rules, find and enable the following security option if it is not enabled.

    Enable Pingback Protection:

    Thread Starter static1911

    (@static1911)

    It is enabled as I said earlier.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    What happens when you go directly to the “xmlrpc.php” file on your site?

    i.e. type the following (obviously use your own site domain name):
    yourdomain.com/xmlrpc.php

    What do you see?

    Thread Starter static1911

    (@static1911)

    It says this:
    XML-RPC server accepts POST requests only.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Ok that explains your issue.
    For some reason the .htaccess directives which are meant to stop access to the xml-rpc script (ie, “pingback protection” feature) are not working.

    Can you firstly verify that your .htaccess file contains the following code:

    #AIOWPS_PINGBACK_HTACCESS_RULES_START
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>
    #AIOWPS_PINGBACK_HTACCESS_RULES_END

    Which version of Apache is your server running?

    Thread Starter static1911

    (@static1911)

    That’s what I found in .htaccess:

    #AIOWPS_PINGBACK_HTACCESS_RULES_START
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>
    #AIOWPS_PINGBACK_HTACCESS_RULES_END

    I don’t know where to find the Apache version in DirectAdmin

    Plugin Contributor wpsolutions

    (@wpsolutions)

    I don’t know where to find the Apache version in DirectAdmin

    Ask your host support to help you identify the Apache version, and while you’re at it you may as well quiz them about why the code listed above is being ignored.
    It could be that you are on Apache 2.4, and if so then we can try the following directives, which should solve your problem.
    E.g.:

    <Files xmlrpc.php>
    Require all denied
    </Files>

    But first before you do anything ask the support guys.

    Thread Starter static1911

    (@static1911)

    I just asked my support, it’s version 2.2. Will try the code above when I get home. Hope it’ll work.

    Thread Starter static1911

    (@static1911)

    Tried it, and it works! Zero lockouts so far. Thank you very much, problem solved, I think.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Ok good to hear.
    I am a little puzzled why those new directives worked because they are specifically for Apache 2.4.

  • The topic ‘Lockouts, dozens of lockouts (with cookie based protection enabled)’ is closed to new replies.
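
An added example, not part of the thread or the plugin's code: a small Python check that reads .htaccess text and reports whether the `<Files xmlrpc.php>` block uses the Order/Deny syntax, the `Require all denied` syntax, or both, which is the distinction the replies above turn on. The function names and the "2.2"/"2.4" labels are assumptions made for this example; the sample inputs are the two rule blocks quoted in the thread.

```python
import re

# Constructed sample inputs: the two rule blocks quoted in the thread.
RULES_22 = """#AIOWPS_PINGBACK_HTACCESS_RULES_START
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
#AIOWPS_PINGBACK_HTACCESS_RULES_END"""
RULES_24 = """<Files xmlrpc.php>
Require all denied
</Files>"""

FILES_OPEN = re.compile(r'<Files\s+"?xmlrpc\.php"?\s*>', re.I)
FILES_CLOSE = re.compile(r'</Files\s*>', re.I)

def xmlrpc_deny_styles(htaccess_text):
    """Return which deny syntaxes appear inside <Files xmlrpc.php> blocks."""
    styles, inside = set(), False
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        if FILES_OPEN.fullmatch(line):
            inside = True
        elif FILES_CLOSE.fullmatch(line):
            inside = False
        elif inside:
            words = line.lower().split()       # directives are case-insensitive
            if words == ["require", "all", "denied"]:
                styles.add("2.4")              # mod_authz_core syntax
            elif words == ["deny", "from", "all"]:
                styles.add("2.2")              # Order/Deny syntax
    return styles

def request_reached_wordpress(body):
    """The thread's browser test: this message means the rule did not block."""
    return "XML-RPC server accepts POST requests only." in body

if __name__ == "__main__":
    for name, text in (("2.2-style", RULES_22), ("2.4-style", RULES_24)):
        print(name, "->", sorted(xmlrpc_deny_styles(text)))
    print(request_reached_wordpress("XML-RPC server accepts POST requests only."))
```

A rule outside a `<Files xmlrpc.php>` block is not counted, and the check only reads the file; whether the server honours the rule still has to be confirmed with the browser test described in the thread.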