Site Lockout Notification

  • Resolved fernie284

    (@fernie284)


    4 months, 3 weeks ago

    I?recently changed the password to my WordPress admin account and started getting the following emails, sometimes a few in a day-

    “User login lockout events had occurred due to too many failed login attempts or invalid username:

    Username: helpthinkpla-com
    IP address: 162.158.34.139
    IP range: 162.158.34.*
    Org: AS13335 Cloudflare, Inc.
    AS: AS13335 Cloudflare, Inc.

    Username: helpthinkpla-com
    IP address: 172.69.78.145
    IP range: 172.69.78.*
    Org: AS13335 Cloudflare, Inc.
    AS: AS13335 Cloudflare, Inc.

    Log into your site WordPress administration panel to see the duration of the lockout or to unlock the user.”

    I checked with Cloudfare support and they said it’s not a Cloudfare issue and nothing seems wrong in the Cloudfare account. There is no username with that email and everything else seems to be working fine. I am not facing any issues logging into WordPress as well. Since our old developer set it up, I am unable to figure out what the issue is. We are using the ‘All In One WP Security‘ plugin. Any help will be appreciated.

    Thanks.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @fernie284

    WP Security > Dashboard > Autdi logs will have Failed login records Please cross check stacktrace for falied login so you know which page is being used to try loign.

    If it is wp-login.php you should rename the loign page WP Security > Brutefroce >Rename login page tab

    If it is xmlrpc.php

    XML RPC call of wp_getUsersBlogs is trying to authenticate the user is generally case event if cookie based brute forc on.

    WP Security > Firewall > PHP rules tab – Completely block access to XMLRPC , Disable pingback functionality from XMLRPC
    Please check both and Save.”

    if stop user enumeration not on It might be the reason your admin username exposed please enable Prevent users enumeration tab if not.

    WP Security > User security > User accounts – Prevent users enumeration tab check there

    Regards

    Thread Starter fernie284

    (@fernie284)

    Hi @hjogiupdraftplus,

    Below is the stacktrace. I have made the recommended changes to the xmlrpc.php and user enumeration. Let me know if there’s anything else I should do.

    array(14) { [0]=> array(6) { [“file”]=> string(56) “/home/thinkpla/public_html/wp-includes/class-wp-hook.php” [“line”]=> int(324) [“function”]=> string(12) “record_event” [“class”]=> string(33) “AIOWPSecurity_Audit_Event_Handler” [“type”]=> string(2) “->” [“args”]=> array(1) { [0]=> string(0) “” } }

    [1]=> array(6) { [“file”]=> string(56) “/home/thinkpla/public_html/wp-includes/class-wp-hook.php” [“line”]=> int(348) [“function”]=> string(13) “apply_filters” [“class”]=> string(7) “WP_Hook” [“type”]=> string(2) “->” [“args”]=> array(1) { [0]=> string(0) “” } }

    [2]=> array(6) { [“file”]=> string(49) “/home/thinkpla/public_html/wp-includes/plugin.php” [“line”]=> int(517) [“function”]=> string(9) “do_action” [“class”]=> string(7) “WP_Hook” [“type”]=> string(2) “->” [“args”]=> array(1) { [0]=> string(0) “” } }

    [3]=> array(4) { [“file”]=> string(118) “/home/thinkpla/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-audit-events.php” [“line”]=> int(639) [“function”]=> string(9) “do_action” [“args”]=> array(1) { [0]=> string(0) “” } }

    [4]=> array(6) { [“file”]=> string(116) “/home/thinkpla/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-user-login.php” [“line”]=> int(681) [“function”]=> string(23) “event_successful_logout” [“class”]=> string(26) “AIOWPSecurity_Audit_Events” [“type”]=> string(2) “::” [“args”]=> array(1) { [0]=> string(0) “” }

    [5]=> array(6) { [“file”]=> string(116) “/home/thinkpla/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-user-login.php” [“line”]=> int(551) [“function”]=> string(24) “wp_logout_action_handler” [“class”]=> string(24) “AIOWPSecurity_User_Login” [“type”]=> string(2) “->” [“args”]=> array(1) { [0]=> string(0) “” } }

    [6]=> array(6) { [“file”]=> string(56) “/home/thinkpla/public_html/wp-includes/class-wp-hook.php” [“line”]=> int(324) [“function”]=> string(34) “aiowps_force_logout_action_handler” [“class”]=> string(24) “AIOWPSecurity_User_Login” [“type”]=> string(2) “->” [“args”]=> array(1) { [0]=> string(0) “” } }

    [7]=> array(6) { [“file”]=> string(56) “/home/thinkpla/public_html/wp-includes/class-wp-hook.php” [“line”]=> int(348) [“function”]=> string(13) “apply_filters” [“class”]=> string(7) “WP_Hook” [“type”]=> string(2) “->” [“args”]=> array(1) { [0]=> string(0) “” } }

    [8]=> array(6) { [“file”]=> string(49) “/home/thinkpla/public_html/wp-includes/plugin.php” [“line”]=> int(517) [“function”]=> string(9) “do_action” [“class”]=> string(7) “WP_Hook” [“type”]=> string(2) “->” [“args”]=> array(1) { [0]=> string(0) “” } }

    [9]=> array(4) { [“file”]=> string(102) “/home/thinkpla/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall/wp-security-core.php” [“line”]=> int(632) [“function”]=> string(9) “do_action” [“args”]=> array(1) { [0]=> string(0) “” } }

    [10]=> array(6) { [“file”]=> string(56) “/home/thinkpla/public_html/wp-includes/class-wp-hook.php” [“line”]=> int(324) [“function”]=> string(28) “do_action_force_logout_check” [“class”]=> string(15) “AIO_WP_Security” [“type”]=> string(2) “->” [“args”]=> array(1) { [0]=> string(0) “” } }

    [11]=> array(6) { [“file”]=> string(56) “/home/thinkpla/public_html/wp-includes/class-wp-hook.php” [“line”]=> int(348) [“function”]=> string(13) “apply_filters” [“class”]=> string(7) “WP_Hook” [“type”]=> string(2) “->” [“args”]=> array(1) { [0]=> string(0) “” } }

    [12]=> array(6) { [“file”]=> string(49) “/home/thinkpla/public_html/wp-includes/plugin.php” [“line”]=> int(517) [“function”]=> string(9) “do_action” [“class”]=> string(7) “WP_Hook” [“type”]=> string(2) “->” [“args”]=> array(1) { [0]=> string(0) “” } }

    [13]=> array(4) { [“file”]=> string(50) “/home/thinkpla/public_html/wp-admin/admin-ajax.php” [“line”]=> int(45) [“function”]=> string(9) “do_action” [“args”]=> array(1) { [0]=> string(0) “” } } }

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @fernie284

    The stack trace seems of force logout not Filed login. You can filter failed login from the dropdown “All events” and it will have stack trace Please cross check for the helpthinkpla-com falied login log stack trace.

    https://snipboard.io/sUYPr1.jpg

    As suggested in previous thread please “Rename login” page and Disable XML RPC. Ping back you will have less failed login attempts.

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.

Tags