A Guide to iThemes Security Pro Lockouts

Feb 7, 2020 | Security - Internet, WordPress, and otherwise

iThemes Security Pro lockouts are a way to harden your website against external attacks, including WordPress brute force attacks. In this guide, we’ll cover iThemes Security Pro lockouts and how to use them.

Keep reading for tips to avoid the dreaded lockout screen (in case you or your client accidentally gets locked out of your website) and how to release the lockout if it’s triggered. (Locked out? Get the release lockout solution now!)

What Types of iThemes Security Pro Lockouts Are There?

There are multiple ways a lockout can be triggered using the iThemes Security Pro plugin.

The 4 types of iThemes Security Pro lockouts:

1. Host Lockout

A Host Lockout is when someone using the same IP address makes repeated incorrect login attempts.

Set the number of attempts before an IP address is blocked in Security > Settings > Local Brute Force Protection. In the image below, you can see the Max Login Attempts Per Host are set to 5.


In Security > Settings > Global Settings, you can determine what the locked out host will see as a reason for the lockout. The default is set to display a bolded error message.

You can use HTML in your message. Allowed tags include: a, br, em, strong, h1, h2, h3, h4, h5, h6, div.

2. User Lockout

A User Lockout is when a username belonging to an existing user is used for multiple incorrect login attempts.

You can set the number of attempts before a user is blocked in Security > Settings > Local Brute Force Protection. In the image below, you’ll see the Max Login Attempts Per User are set to 2.


In Security > Settings > Global Settings, set what the locked out user will see as a reason for the lockout. The default displays “You have been locked out due to too many invalid login attempts”.

You can use HTML in your message. Allowed tags are the same as Max Login Attempts Per User.

3. Username Lockout

A Username Lockout is when a username that does not exist is used for multiple incorrect login attempts.

You won’t need to set up anything special for this, as the settings and message are the same as your User Lockout settings.

4. Community Lockout

A Community Lockout uses the Network Brute Force Protection in Security > Settings > Network Brute Force Protection to ban users who have tried to break into other sites and prevent them from breaking into yours.

The network protection will automatically report the IP addresses of failed login attempts to iThemes and will block them for a length of time necessary to protect your site based on the number of other sites that have seen a similar attack.

When you’ve enabled this option, you can set the details for the Community Lockout Message in Security > Settings > Global Settings. Unless you change it, the message will read, “Your IP address has been flagged as a threat by the iThemes Security network.”


Note: There is one more special Username Lockout available – if you have removed the admin username in WordPress, you can automatically ban anyone who tries to use it. Check the box in Security > Settings > Local Brute Force Protection, and the User Settings will automatically apply to it, as well.


What Happens When a Lockout is Triggered?

When someone (or some bot) triggers a lockout, they run into your lockout settings.

The first place to configure those is in Security > Settings > Global Settings.

You’ll want to make selections for the following:

  • Blacklist Repeat Offender – Do you want to permanently ban them from the site if they keep trying to get in?
  • Blacklist Threshold – How many times do you want to lock them out before they are banned?
  • Blacklist Lookback Period – How many days do you want to remember a lockout, to count it toward the ban rule?
  • Lockout Period – How long should the lockout last? We recommend leaving it at the default 15 minutes.


Next, you’ll want to go back over to Security > Settings > Brute Force Lockouts.
Make sure Minutes to Remember Bad Login (check period) is set for at least 5 minutes.
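
To see how these settings interact, here is a small Python model added as an illustration; it is not the plugin's code. The per-host and per-user limits, the 5-minute check period and the 15-minute lockout period come from this guide; the blacklist threshold of 3, the 7-day lookback, and the rule that only host lockouts count toward a ban are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Policy:
    max_per_host: int = 5          # Max Login Attempts Per Host (value in this guide)
    max_per_user: int = 2          # Max Login Attempts Per User (value in this guide)
    check_period: int = 5 * 60     # Minutes to Remember Bad Login, in seconds
    lockout_period: int = 15 * 60  # Lockout Period, in seconds
    ban_threshold: int = 3         # Blacklist Threshold (assumed value)
    lookback: int = 7 * 86400      # Blacklist Lookback Period (assumed value)

def replay(failures, policy=Policy()):
    """Replay (seconds, host, username) failed logins; return one outcome each."""
    recent = defaultdict(deque)        # ("host"|"user", key) -> recent failure times
    locked_until = {}                  # ("host"|"user", key) -> when the lockout ends
    host_lockouts = defaultdict(list)  # host -> times of earlier lockouts
    banned, outcomes = set(), []
    for ts, host, user in failures:
        keys = (("user", user, policy.max_per_user), ("host", host, policy.max_per_host))
        locked = any(locked_until.get((kind, key), 0) > ts for kind, key, _ in keys)
        if host in banned or locked:
            outcomes.append("banned" if host in banned else "blocked")
            continue
        outcome = "failed"
        for kind, key, limit in keys:
            window = recent[(kind, key)]
            window.append(ts)
            while window[0] <= ts - policy.check_period:  # forget old failures
                window.popleft()
            if len(window) >= limit:  # assumption: the Nth failure triggers the lockout
                window.clear()
                locked_until[(kind, key)] = ts + policy.lockout_period
                outcome = f"{kind}_lockout"
                if kind == "host":    # assumption: only host lockouts count toward a ban
                    hits = [t for t in host_lockouts[host] if t > ts - policy.lookback]
                    host_lockouts[host] = hits + [ts]
                    if len(host_lockouts[host]) >= policy.ban_threshold:
                        banned.add(host)
                        outcome = "host_banned"
        outcomes.append(outcome)
    return outcomes

# Constructed sample data: documentation-range IPs and made-up usernames.
BURST = [(i * 30, "203.0.113.7", f"guess{i}") for i in range(6)]    # every 30 s
SLOW = [(i * 360, "198.51.100.9", f"guess{i}") for i in range(6)]   # every 6 min

if __name__ == "__main__":
    print(replay(BURST), replay(SLOW), sep="\n")
```

In this model the SLOW run never locks out, because each failure is forgotten before the next one arrives; that is the gap a longer check period closes.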

How to Release iThemes Security Pro Lockouts

You’ve been locked out – now what? If you’re seeing this screen, you’ve been locked out by the iThemes Security plugin.


Obviously, you want people to see the screen above if they are trying to break in. But what happens if you – or your client – gets locked out?

Enable Magic Links

The easiest way around that is to go to Security > Settings > Magic Links and enable those. If you’re locked out, all you have to do is enter your email address, and you’ll receive an email with a login link that automatically releases/bypasses the lockout.

Release Lockouts from the Site Admin

Sometimes, though, a site user will be locked out, and they have not updated an email address or have otherwise lost access to the email address associated with their account.

In that case, you can log in to your site, go to Security > Settings, and release their lockout from the Active Lockouts box on the far right.

Release Lockouts from the Security Dashboard

If your Dashboard is enabled, you can release Active Lockouts from Security > Dashboard > Active Lockouts. Click on the lockout you wish to release, then click the blue “Release Lockout” button.


Release Lockouts from iThemes Sync

If you use iThemes Sync, you can also release lockouts by logging into sync.ithemes.com and clicking on Domain Name > Security > Lockouts.


iThemes Security Lockouts: That’s a Wrap!

As always, if you need assistance with iThemes Security lockouts, or anything related to iThemes Security Pro, please drop us a line in the Helpdesk! Our support staff is with you Monday-Friday, 8-5 Central Time, excluding Major U.S. Holidays.

Get the iThemes Security Pro Plugin Today

iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
