S2Member locks out admin IP address and treat is as a Brute Force attacker

#1

Hello guys,
Im facing really crazy issue. s2member is locking out admin because it recognize it as a bruce force attacker. I checked logs in database and it seems like admin is trying to login every second which is very unusual.
When I try to login it gives me error Max 30 logins reached, try again later.
When I disable s2member plugin in cPanel by adding -off suffix to plugin folder, I can login normally.

I need to disable Brute Force protection and IP lockout protection in Restriction and then login works normally. If Brute Force is enabled then it locks me out.
Problem is that it treat admin user as attacker.

I really dont know what can cause this issue and unusual behaviour. I dont run any other security plugins on the website and also I tested server configuration like suggested in your help section and it gives me all green checkmarks, stating that server configuration is ok.

Anyone else who faced similar issues?

PS. It might also be interesting that email sending is not working right now on the website and Im trying to debug this so maybe it can be connected?

Any suggestions please? Thanks!

I recently updated to latest Wordpress version, but it was working without problem until several days ago.

#2

Maybe someone really is trying to brute-force the admin account… Check your server logs and see if you need to take extra measures to protect your site.

You could probably create a second adimn account, with a non-descriptive name, and not known to others, and use it to login as admin when the other one is locking you out.

PS. It might also be interesting that email sending is not working right now on the website and Im trying to debug this so maybe it can be connected?

Not sure how it’d be connected. This article may help you troubleshoot, though: https://s2member.com/kb-article/troubleshooting-email-delivery-problems/

Let me know how it goes! :slight_smile:

#3

Hi Christian, yes, you are right. I checked logs and we have 4 login attempts per minute which are using usernames like: admin, test, domainname etc.
So this is brute attack as I could see. Problem is that it uses localhost IP address, so it looks like our own server is sending login requests. We are now working with support of the hosting company and will try to resolve the situation.

s2Member was doing a good job apparently :slight_smile:

Thanks for the answer and I will update the topic once we resolve everything.

Best regards,

1 Like
#4

Great! I’m very glad s2Member protected your site. :smiley:

Let us know how it goes.