Locked out again

Assuming I can do the same trick as last time, I guess I can get back in, but I’m now receiving daily warning messages of nearly 400 attacks a day. For someone who has only 8 followers and not many views per day, this is worrying. (I’m also not impressed at being locked out more than once a week.) I banned the “a” word on login and have a strong password. I use iThemes Security (free) and everything is backed up using BackupBuddy every single time a change is made. I keep the last three backups and those exist as three copies - one off site. (Can you tell I’m a photographer?) :wink:

Research says business sites are attacked on average 44 times a day. My guess is I used WP and CP as keywords a while ago when I changed over and I also use NextGen, which I heard had a vulnerability the other year.

This is spoiling my enjoyment though because it’s getting relentless…

My advice would be to think of the issue about being locked out as separate from the login attempts. Then put the latter on the back burner because you’re already protected against them. (It might be possible to optimize such protections later but, for now, they are essentially irrelevant.)

So the real issue is why you keep getting locked out. My guess is that the cause is iThemes. Try deactivating it and leaving it off. You might feel nervous, but I doubt it’s helping you at all.

If you really feel the need for a security plugin, then I’d suggest WPBruiser instead.

The problem may be that although I whitelisted our IP address, it changes when we lose our connection. We live in the middle of nowhere and that happens a lot. We have also been without any power at least three times in the last week. I suspect that the new IP address I added a few days ago has changed again.

I will look at the other plugin, but because I have never used admin to log in, being able to ban the word in iThemes seems really useful. If I look at the logs I can see that is why users/hosts have been locked out…

As you say, whitelisting your IP address is not going to help. But the more important point is that it shouldn’t be necessary. (WPBruiser offers the same facility but you shouldn’t ever need it.)

The question remains why it is even trying to lock you out. If, as I suspect, the culprit is iThemes, then it’s worse than useless.

As for having a record of what username was tried, a true logging plugin is what you need. This keeps a record of pretty much everything that happens on your site, which is essential for effective trouble-shooting. In my view, the best plugin for this is Simple History.

Well, I’m back in again. I’ve saved WPBruiser as a favourite and will take a proper look later. Thank you :slight_smile:


You could also have a look at Shield Security from One Dollar Plugin. They are supporting CP and include scanning of CP core files.

Cheers! :slight_smile:

You should also have a look at Cleantalk.

It works well with ClassicPress and I would highly recommend it.


That’s my suggestion as well.

@Zooey

While 2FA isn’t necessarily a bad idea (which you have provided by another plugin), think about this - both cPanel and FTP/SFTP access give way more control over your hosting account than a WordPress admin account does. While you can set up 2FA in cPanel, you can’t for SFTP. That means the weakest link in security is still direct username/password access to your account, and one that uses the same username/password combination as for cPanel access, so 2FA doesn’t really achieve much (in cPanel). It means you do need at minimum a strong cPanel password - using a password manager like KeePass would be my advice - and always access the secure version (https://cpanel.example.com).

You should also set up your blog over https://. cPanel is already automatically supplying your certificates, and your theme is up to date, so all you need to do is this. In the ClassicPress dashboard go to Settings > General and change the ClassicPress Address and Site Address both from http://… to https://. Then add a redirect to the .htaccess file. Before adding the .htaccess redirect, check the site is functioning fine over https://. Open up your FTP client, download the .htaccess from public_html, make a safety back-up copy and then open it up in Notepad or any other text editor. At the top insert these two lines directly under the line that reads RewriteEngine on:

RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://elements.uk.com/$1 [R=301,L]

Save the file and upload it to the server, and check that everything is fine. If you want to be super cautious you can check using a 302 redirect first and then change it to a 301:

RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://elements.uk.com/$1 [R=302,L]

Yes you can use a plugin to do all that for you, but I don’t suggest it. It’s not hard to do, and it’s no “safer” to let a plugin go about editing your server configuration files.

Anyway back to the point, once you have https-only set up, my question is do you need 2FA? The answer to that is - if your blog has other users, other than you, then it’s not a bad option at all. But if you’re the only user then you can make it perfectly secure without 2FA, although changing the password would definitely be advised.

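For reference, here is what the finished .htaccess for a ClassicPress site looks like once the HTTPS redirect from the post above has been added. This is an added example written for this page, not a file from the thread or from ClassicPress; `example.com` stands in for the site’s own hostname, and it uses the `%{HTTPS}` variable rather than the port-80 test, which gives the same result on a standard cPanel setup but also behaves correctly when the site is served on a non-standard port. The HSTS header and the X-Forwarded-Proto variant are optional additions, commented accordingly.

```apache
# Added example (not from the thread): complete .htaccess for a ClassicPress
# site forced onto HTTPS. Replace example.com with your real hostname.
RewriteEngine On

# 1. Redirect every plain-HTTP request to the same path over HTTPS.
#    Apache sets %{HTTPS} to "on" for TLS requests and "off" otherwise.
#    The query string is carried over automatically. Use R=302 while
#    testing and switch to R=301 once the site is confirmed working.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

# 2. Only if TLS terminates at a CDN/proxy in front of the server (so Apache
#    itself always sees plain HTTP), the proxy normally sends
#    X-Forwarded-Proto. In that case use this pair INSTEAD of the one above,
#    otherwise the rule above would loop. Left commented out by default.
# RewriteCond %{HTTP:X-Forwarded-Proto} !https
# RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

# 3. Optional: once HTTPS is known to work everywhere, tell browsers to
#    stop using plain HTTP at all. Start with a short max-age (here 1 day)
#    and raise it later; env=HTTPS makes sure the header is only sent on
#    TLS responses, as the spec requires.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=86400" env=HTTPS
</IfModule>

# 4. Standard ClassicPress/WordPress front-controller block, unchanged.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

To check the result without a browser cache getting in the way, run `curl -sI http://example.com/some/page?x=1` from a terminal: the first line should read `HTTP/1.1 301 Moved Permanently` (or 302 while testing) and the `Location:` header should be `https://example.com/some/page?x=1`, path and query intact. If the redirect loops, the server is almost certainly behind a TLS-terminating proxy and variant 2 is the one to use. Changing the two addresses under Settings > General first, as the post says, matters because ClassicPress otherwise keeps generating http:// links in its own output, which the redirect would then have to fix on every request.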

Many thanks to everyone for the time taken to help. I sat down with my husband this afternoon (he is somewhat into computer security at his work), so we were able to make a few changes :slight_smile:

