How to use Wordfence to protect your website: What to do with those ‘User Locked Out From Signing In’ Wordfence Notices...

What to do with those ‘User Locked Out From Signing In’ Wordfence Notices

One of the WordPress security plugins I often install on my clients’ sites is Wordfence. There is a free version of the plugin, and a premium one. Presently, my clients’ sites just use the freebie, primarily for the purpose of blocking multiple login attempts by “people” (or computers, hackers, bots, whatever you want to call them) who are trying to guess your login and passwords.

Here’s a quick (one minute to be precise) video of what Wordfence is all about.

 

Once Wordfence is installed, you can almost set it and forget it. (And by set it, I mean, to work through the Options page, and make sure that you add your email address to receive notifications).

But it’s those pesky notifications that are the reason why you can’t actually forget it!

Pesky Wordfence Notification No. 1: [Wordfence Alert] … User locked out from signing in

Most of these notices will say:

A user with IP address eg.bb.ccc.dddd has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 5. The last username they tried to sign in with was: ‘administrator’

The most common usernames I see are admin, administrator, the name of your business, and webmaster. I typically set up the Wordfence security plugin to automatically block anyone that tries to login with these names. Some clever hackers try other names!

On that note… If you your Username is Admin, or one of these names, see below on how to delete your admin account. Now!

If these hackers have more than 5 failed login attempts with a username or password, they will be locked out for 60 days (which is how I set up my client’s sites under Wordfence Options, in the ‘Login Security Options’ section).

The site’s admins can unblock someone if they shouldn’t be blocked, like if my client forgets their password! (Be mindful of how many times you attempt to login if you can’t remember it. If you stuff up your login twice, go check what the password actually is before your try again)!

Generally, I ignore most of these notices. The user/hacker/evil-web-ninja has already been blocked from your site.

So, when you take notice of these pesky notices?

Situation 1: Some days you will wake up to 5, 10, 50 or perhaps even 500 of these messages. Urgh. Open up a few of them and check out what usernames were tried. If you see the same name used over and over, like Admin, you can:

  • Login to your WordPress website
  • In the Left panel, look for ‘Wordfence’ and open up the ‘Options’ in the Wordfence Menu
  • Scroll down to: ‘Login Security Options’
  • Look for ‘Immediately block the IP of users who try to sign in as these usernames’ and add the usernames you saw to the list, separated by a comma. For example: admin, administrator, webmaster

Situation 2: If you see anyone else trying to login with YOUR USERNAME or any of the users who actually should have access to your site, definitely take notice. You need to go in and  block the IP address permanently of that evil ninja hacker permanently (rather than just the default 60 days).

  • Login to your WordPress website
  • Go to Wordfence and then click on the ‘Blocked IPs’ menu item
  • Click on the second tab,  ‘IPs that are Locked Out for Login’
  • Copy + Paste any IPs in the list of IPs that are locked out, and paste it into the field ‘Manually block IPs’ so they are permanently blocked

Pesky Wordfence Notice No.2: [Wordfence Alert]… Admin Login

Every time someone successfully logs into your site, you (that is the email address set up to receive notifications from Wordfence), you will receive a notice. So, if you log in to your site to write a blog post, or make an edit, you should receive a notice. If your VA, or a guest blogger logs in, you should receive a notice. You will know if it was you that logged in, obviously. You should know, rougly, if and when these other people are logging.

But if you are unsure, check with said user. “Did you login to my site today?

If you get a “No” then it’s time to act.

  • Login to your WordPress website
  • Go to Wordfence and then click on the ‘Blocked IPs’ menu item
  • In the email you received, look for the IP address of the user who logged in
  • Copy + Paste that IP address, and paste it into the field ‘Manually block IPs’ and click the button

That’s not all…

I also recommend you delete that user account all-together!

First up, you want to create a NEW user, to replace the one you are deleting. If that user is your main user account, that’s ok. We still need to do this!

  • Login to your WordPress website
  • Click on ‘Users’ in the left panel
  • Click ‘Add New’ and then work through all the fields. Make sure you have a weird, and wacky username and password. In fact, try using http://passwordsgenerator.net/ to create very secure random passwords. Don’t forget to keep a record of this new username and password!
  • If this is your main account and you want to use the email that is tied to your main Admin account, you can, but first you will have to add another email address until we delete the old account. You can update your email, first and last name, and passwords, just not the Username.
  • UN-check the field ‘Send this new password to the user by email.’
  • Click ‘Add New User’

Now, log-out of WordPress and Login with your new username and password

  • Click on ‘Users’ in the left panel
  • Hover over the old user account that you want to delete, and you will see a little red ‘delete’ show up underneath. Click it!
  • On the next screen you will see ‘What should be done with posts owned by this user?’ Check the box ‘Attribute all posts to:’
  • And choose your new username for this user from the drop-down menu
  • Click ‘Confirm Deletion’

Now, if this was your main Admin account, let’s update the email

  • Click on ‘Users’ in the left panel
  • Open up your new user account
  • Update your email and save!

So, that’s it!

A quick re-cap:

  • You can ignore most ‘User locked out’ emails if they are admin, administrator etc.
  • You can permanently block these frequently used usernames
  • You can permanently block any IPs, especially if they try to login with one of your actual usernames
  • If they DO use one of your usernames, create a new user account for this person, and delete the old one

One quick note…

If you want these Wordfence emails to go to another user in your company, such as a PA or VA, in Wordfence, go to Options, and near the top you will see a field for where you want the email notices to go. Update this and save!

Let me know if you have any further questions, or better yet, check-out the Wordfence support.

 

Facebook Twitter Pinterest Plusone Email
{ 0 comments… add one }