Too many lock outs
-
I have Bullet Proof Security installed on about 20 sites I made. I used the Setup Wizard to install it on all of them.
I have been getting lockouts a lot on all of them from login attempts and our clients are getting frustrated. I will have to delete the plugin if this continues. Are there some settings I can adjust to resolve all of the lockouts? Maybe there is a setting I missed?
Thank you kindly.
-
If the lockouts are legitimate clients then you can increase the number of failed login attempts to 10 attempts. If you do not want to use Login Security you can turn it off. If the lockouts are occurring because hackers are mining publicly displayed/exposed user accounts on the website and attempting to login with those publicly known/exposed user accounts then you can do the things in this link to add additional protection against hackers locking user accounts repeatedly: https://ww.wp.xz.cn/support/topic/error-this-user-account-has-been-locked?replies=6#post-6882638
Did this answer all of your questions? If so, please resolve this thread. If not, please post any additional questions you may have. Thanks.
Thread Start Date: 1-15-2016
Current Date: 1-16-2016
Hi there.
We had 178 emails in our inbox over the weekend for Lock Out notices on our 20 websites. It seems since we either updated WordPress or the BPS all sites are just getting locked out. 178 emails is just too much.
I already increased the number of attempts on one website to 10 and it didn’t help.
We have all the sites with the same host.
We didn’t start getting so many lockouts until about 2 months ago. And we have had BPS installed on some sites for maybe 8 months.
Is there a video tutorial somewhere that explains the setup and settings better? Maybe there is some info we are missing. We used the Setup Wizard on half the sites.
So are the lockouts caused by hackers and spammers attempting to login or are they caused by legitimate client failed login attempts? Your BPS Security Log and Login Security logged logins will tell you that information.
Here is some of the email. It appears to be from hackers. Most of the emails over the weekend all said the User Hostname was something ending in …..1.amazonaws.com
We just got a few more emails this morning. So 180 now. That’s crazy.
A User Account Has Been Locked
To take further action go to the Login Security page. If no action is taken then the User will be able to try and login again after the Lockout Time has expired. If you do not want to receive further email alerts change or turn off Login Security Email Alerts.
What to do if your User Account is locked and you are unable to login to your website: Use FTP or your web host control panel file manager and rename the /bulletproof-security plugin folder name to /_bulletproof-security. Log into your website. Rename the /_bulletproof-security plugin folder name back to /bulletproof-security. Go to the BPS Login Security page and unlock your User Account.
What to do if your User Account is being locked repeatedly: Additional things that you can do to protect publicly displayed usernames, not exposing author names/user account names, etc.: http://forum.ait-pro.com/forums/topic/user-account-locked/#post-12634
Status: Locked
Role: administrator
Request URI: /wp-login.php
Do you want to email with us privately or can you call us? We are in Canada. We would appreciate the help. We make small business websites for several local businesses and just want people to be secure. But we can’t use a plugin that sends so many emails over the weekend. Do you think there is an issue with our server or host?
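One way to answer the "hackers or legitimate clients?" question from a pile of alert emails, as an added example that is not part of the thread or of BPS: tally the lockouts by source network and by how many sites each source hit. The `Status`, `Role` and `Request URI` labels are the ones quoted above; the `Site:` and `User Hostname:` line formats, the sample values and the two-site threshold are assumptions made for this sketch.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alert bodies (one string per email). "Site:" and
# "User Hostname:" line formats and every value here are assumptions.
SAMPLE_ALERTS = [
    "Site: site-a.example\nStatus: Locked\nRole: administrator\n"
    "User Hostname: node-1.compute-1.amazonaws.com\nRequest URI: /wp-login.php",
    "Site: site-b.example\nStatus: Locked\nRole: administrator\n"
    "User Hostname: node-2.compute-1.amazonaws.com\nRequest URI: /wp-login.php",
    "Site: site-c.example\nStatus: Locked\nRole: administrator\n"
    "User Hostname: node-3.compute-1.amazonaws.com\nRequest URI: /wp-login.php",
    "Site: site-a.example\nStatus: Locked\nRole: administrator\n"
    "User Hostname: dsl-12.isp.example\nRequest URI: /wp-login.php",
]

# "Label: value" on a single line; [ \t]* keeps an empty value from
# swallowing the following line.
FIELD = re.compile(r"^([A-Za-z ]+):[ \t]*(.+)$", re.MULTILINE)

def parse_alert(body):
    """Return the labelled lines of one alert body as a lower-cased dict."""
    return {k.strip().lower(): v.strip() for k, v in FIELD.findall(body)}

def parent_domain(hostname, labels=2):
    """Collapse a reverse-DNS hostname to its last `labels` labels."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-labels:])

def triage(alerts, multi_site_threshold=2):
    """Group lockouts by source network; flag sources seen on several sites.

    Heuristic: a client who mistypes a password shows up from one network on
    one site, while an automated run shows up across many sites at once.
    """
    hits, sites = Counter(), defaultdict(set)
    for body in alerts:
        fields = parse_alert(body)
        if fields.get("status") != "Locked":
            continue
        src = parent_domain(fields.get("user hostname", "unknown"))
        hits[src] += 1
        sites[src].add(fields.get("site", "unknown"))
    return [{"source": src, "lockouts": n, "sites": sorted(sites[src]),
             "likely_automated": len(sites[src]) >= multi_site_threshold}
            for src, n in hits.most_common()]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```
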
Ok so here is what is happening: hackers and spammers are finding publicly displayed user account names on your website and using those publicly displayed user account names to attempt to brute force login to this site or you are using common known Administrator user account names like: admin, administrator, etc and the hackers and spammers are attempting to brute force login with these known commonly used Administrator user account names.
99.99% of all hacking and spamming is automated with Bots. So you just need to add additional security measures that stop/block those automated Bots. There are several things you can do in the link I posted above that stop/block bots. Another thing you can do is install another plugin that uses a CAPTCHA. CAPTCHAs are very effective at stopping/blocking Bots. BPS Pro comes with JTC Anti-Spam|Anti-Hacker, which is a CAPTCHA and additional things that stop/block all Bots. I am not trying to sell BPS Pro to you and am just letting you know what works/is effective at stopping/blocking Bots. So if you want to go the free route then look around for another plugin in the WP plugin repository that uses a CAPTCHA method to stop/block Bots. I cannot recommend another CAPTCHA plugin since that is a conflict of interest with BPS Pro. 😉
Hmmmm, so some of our websites have contact forms and captcha.
We don’t use a user name on the blog posts.
I know some websites have the email on the website, but most don’t.
And our user names aren’t admin or anything. I am just not sure how they are finding the user name accounts displayed because we really try to make the user name different.
I thought just having BPS installed would stop the Bots.
Yes, BPS is stopping the hackerbots and spambots from logging into your site and hacking or spamming it, but you have another nuisance problem of accounts being locked out because those hackerbots and spambots are attempting to log in to your site with known user account names and those hacking attempts are being stopped by BPS on your site.
You can add additional BPS Bonus Custom Code to solve the nuisance problem of user accounts being locked out by using some of the things in the link I posted above or install a captcha plugin that protects the login page. A contact form captcha is a good thing to have, but that does not have anything to do with your login page.
Thank you. Do you have a video of the correct way to install BPS, because maybe I missed something? I appreciate all your help.
I just don’t get how they would be getting our usernames.
It has nothing to do with how BPS is setup. BPS is working correctly to stop these hackers and spammers from logging into your site and hacking it or spamming it. So you just need to solve the nuisance problem of user accounts being locked out. The link I posted above has several different additional things you can add to solve that nuisance problem or you can install an additional captcha plugin to solve that nuisance problem of user accounts being locked out repeatedly.
So this link: https://ww.wp.xz.cn/support/topic/error-this-user-account-has-been-locked?replies=6#post-6882638
Thank you.
It’s just so many websites all at once being hacked. like 15 sites all have all on the same host. We have never had this happen so much.