We get LOTS of emails from clients asking about site lockout notification emails they receive from the iThemes Security plugin we set up for them (formerly known as Better WP Security). The email goes something like this:
Dear Site Admin,
A host, 123.456.789.000, has been locked out of the WordPress site at http://yourdomain.com due to too many attempts to access a file that does not exist.
The host has been locked out until 2013-9-10 16:42:26.
*This email was generated automatically by iThemes Security. To change your email preferences please visit the plugin settings.
In plain-speak, this email is telling you that your iThemes Security plugin detected suspicious activity from a person (or, far more often, a computer program) visiting your website, AND it has temporarily blocked that specific IP address from reaching your site. The trigger in this particular email is the plugin's 404 detection: the visitor requested too many files that do not exist on your site. That is exactly what automated scanners do when they probe for known-vulnerable plugins, leftover backup files or admin pages they can use to inject malicious code or otherwise hijack your website and wreak havoc.
Sound scary? At first a site lockout notification can seem scary, but that’s what this wonderful plugin is for!
Here is what we do:
First, click the IP link. Clicking the IP link takes you to ip-address.com where you can get some basic information on the IP. This is the quickest way to tell if some activity is suspicious. Most suspicious/malicious activity seems to come from far-off places like China, Ukraine, etc. Since we do not do business in those countries, we immediately put the IP in our black list (in the iThemes Security settings). Two caveats: IP geolocation is approximate, and attackers routinely work through compromised machines and rented servers in any country, including yours, so the country alone is a weak signal. Treat it as one data point, not the verdict.
Next, do some recon. If the IP is not in a strange area (and sometimes even if it is), or if you do business in multiple countries, you will want to do some deeper investigation. We use whatismyipaddress.com because other users keep it updated with current information. By reading others' comments you may find details that help you determine whether the IP in question is really malicious or not. Also look at the WHOIS record and the reverse DNS name for the address: they tell you which network owns it (a home ISP, a hosting company, a cloud provider or a company you actually work with), which matters when you decide how much to block. P.S. If you know of a better resource than whatismyipaddress.com, let us know in the comments below!
Block or not-block. Once you feel you have enough information and decide the IP is malicious or at least suspicious, add the IP to the black list in the plugin settings. We take the IP down a notch or two because one malicious user can have several related IPs. If the IP address was 123.456.789.000 we enter it as 123.456.*.* on the black list. (That address is only a placeholder; real IPv4 octets run from 0 to 255.) Be aware of how broad that is: two trailing wildcards cover 65,536 addresses, which is usually an entire ISP or hosting block, and everyone else on it, including potential customers, is blocked along with the scanner. One wildcard (123.456.789.*) covers 256 addresses and is often enough. No, this is not a foolproof solution either, but it saves you the trouble of getting pinged by the same hacker again and again.
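The three steps above can be turned into a small triage script. This is an added example, not code from the post or from the iThemes Security plugin: it pulls the locked-out address out of a notification, rejects addresses that are not valid, works out exactly which range a plugin-style wildcard such as 123.456.*.* would block, and sorts the host into "do not block", "this is your own network" or "go do the research". The sample email, the allow list and the private-range table are constructed for the example; the addresses come from the RFC 5737 documentation ranges, not from any real notification.

```python
import ipaddress
import re

# Constructed sample in the shape of the notification quoted in the post.
# 203.0.113.57 is a documentation address, not a real attacker.
SAMPLE_EMAIL = """Dear Site Admin,
A host, 203.0.113.57, has been locked out of the WordPress site at http://yourdomain.com due to too many attempts to access a file that does not exist.
The host has been locked out until 2013-9-10 16:42:26.
"""

HOST_RE = re.compile(r"A host, ([0-9A-Fa-f.:]+), has been locked out")

# Assumed allow list: your office or VPN egress, your uptime monitor, etc.
# Replace with your own ranges before using this for real.
ALLOW_LIST = [ipaddress.ip_network("198.51.100.0/24")]

# Ranges that can only come from your own network or a proxy in front of
# WordPress. Listed explicitly rather than via ip.is_private so that the
# documentation ranges used in this demo are not swept up as well.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def extract_host(email_text):
    """Return the locked-out address as an ip_address object, or None.

    The placeholder 123.456.789.000 from the post is rejected here because
    every IPv4 octet must be 0-255; real notifications carry valid addresses.
    """
    m = HOST_RE.search(email_text)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def wildcard_to_network(pattern):
    """Translate a plugin-style trailing wildcard ('203.0.113.*', '203.0.*.*')
    into the CIDR network it covers, so you can see how much you are blocking.
    Wildcards in the middle of the address are rejected."""
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError("expected a dotted IPv4 pattern")
    fixed = [p for p in parts if p != "*"]
    if parts[:len(fixed)] != fixed:
        raise ValueError("wildcards must be trailing, e.g. 203.0.*.*")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")


def triage(ip_text, allow_list=ALLOW_LIST):
    """Sort a locked-out host into a bucket before anyone touches the ban list."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in allow_list):
        return "allow-listed: never ban, find out what tripped the 404 detector"
    if any(ip in net for net in INTERNAL_RANGES):
        return "internal address: your own network or a reverse proxy, not an attacker"
    return "public address: check geolocation, WHOIS and reverse DNS before deciding"


if __name__ == "__main__":
    host = extract_host(SAMPLE_EMAIL)
    print("locked-out host:", host)
    print(triage(str(host)))
    for pattern in ("203.0.113.*", "203.0.*.*"):
        net = wildcard_to_network(pattern)
        print(f"{pattern} -> {net} ({net.num_addresses} addresses)")
```

Running it on the sample prints the address, tells you it is a public host that still needs research, and shows that 203.0.*.* bans 65,536 addresses while 203.0.113.* bans 256. If the email ever carries an address that fails to parse, extract_host returns None rather than letting a typo end up in the black list.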
You can turn site lockout notifications off. If you get annoyed with too many site lockout notifications you can choose blissful ignorance. Just edit the proper settings. Turning the emails off does not turn the lockouts off: the plugin keeps blocking and keeps a lockout log in its settings, so you can still review what was blocked when you want to.
No automated system is foolproof. This plugin may lock out legitimate traffic on your site, including you! If you or your developers work from a fixed IP address, add it to the white list before you tighten the settings, because tripping the 404 detector yourself while testing a site is an easy mistake to make.
This plugin can also lock out web crawlers like Google. You will want to white list web crawlers so they don't get locked out. Web crawlers tend to hit a lot of non-existent files as they scan your site, because they follow stale links and revisit pages that have since been deleted. Since this is (very basically speaking) similar behavior to what spammers and hackers do, the plugin can kick in, block the web crawler and send you a site lockout notification. Not good. Do very good research to make sure the IP is legitimately a web crawler before you add it to your white list: a request claiming to be Googlebot proves nothing, since the User-Agent string is whatever the visitor says it is. The reliable check is the one Google and Bing themselves document: look up the reverse DNS name of the IP, confirm it ends in the crawler's domain (googlebot.com or google.com for Google, search.msn.com for Bing), and then look that name up forwards and confirm it resolves back to the same IP. Only an address that passes both steps belongs on your white list.
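The two-step crawler check described above, as an added example that is not part of the original post or of the iThemes Security plugin. The function takes the reverse and forward lookups as parameters so the example runs offline against a constructed DNS table; pass no lookups and it uses the system resolver. The crawler domain suffixes are the ones Google and Bing published for this purpose at the time of writing and should be checked against their current documentation. The fake DNS records, including the impostor whose PTR name claims to be Googlebot, are constructed for the example.

```python
import socket

# Reverse-DNS suffixes the crawler operators document for verification.
# Assumed current; confirm against Google's and Bing's own pages.
CRAWLER_SUFFIXES = {
    "googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}


def system_reverse(ip):
    """PTR lookup via the OS resolver (raises OSError when there is no record)."""
    return socket.gethostbyaddr(ip)[0]


def system_forward(hostname):
    """A-record lookup via the OS resolver, returning all addresses."""
    return socket.gethostbyname_ex(hostname)[2]


def verify_crawler(ip, reverse_lookup=system_reverse, forward_lookup=system_forward):
    """Return the crawler name ('googlebot', 'bingbot') if ip passes the
    reverse-then-forward check, otherwise None.

    Whoever controls an IP's PTR record can make it say anything, so the
    reverse name alone is not proof. The forward lookup is what closes the
    loop: only the real owner of googlebot.com can make a name under it
    resolve back to the address in question.
    """
    try:
        hostname = reverse_lookup(ip).lower().rstrip(".")
    except OSError:
        return None  # no PTR record at all: cannot be a verified crawler
    owner = next((name for name, suffixes in CRAWLER_SUFFIXES.items()
                  if hostname.endswith(suffixes)), None)
    if owner is None:
        return None  # reverse name is not in any crawler domain
    try:
        if ip not in forward_lookup(hostname):
            return None  # name does not resolve back: a spoofed PTR
    except OSError:
        return None
    return owner


# Constructed DNS records for the offline demo (RFC 5737 documentation
# addresses): a real-looking Googlebot, a real-looking Bingbot, an impostor
# whose PTR claims Googlebot but whose forward record points elsewhere,
# and an ordinary host.
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",
    "192.0.2.11": "crawl-192-0-2-11.googlebot.com",  # impostor
    "192.0.2.12": "host-12.example.net",
    "192.0.2.13": "msnbot-192-0-2-13.search.msn.com",
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "crawl-192-0-2-11.googlebot.com": ["198.51.100.99"],  # does not point back
    "host-12.example.net": ["192.0.2.12"],
    "msnbot-192-0-2-13.search.msn.com": ["192.0.2.13"],
}


def fake_reverse(ip):
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise OSError("no PTR record")


def fake_forward(hostname):
    try:
        return FAKE_A[hostname]
    except KeyError:
        raise OSError("NXDOMAIN")


def whitelist_decision(ip, reverse_lookup=fake_reverse, forward_lookup=fake_forward):
    """What to do with a locked-out host that might be a crawler."""
    owner = verify_crawler(ip, reverse_lookup, forward_lookup)
    if owner:
        return f"verified {owner}: add to the white list"
    return "not a verified crawler: treat like any other locked-out host"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.99"):
        print(ip, "->", whitelist_decision(ip))
```

Against the constructed table, 192.0.2.10 and 192.0.2.13 come back as verified Googlebot and Bingbot, the impostor 192.0.2.11 fails on the forward lookup even though its reverse name looks right, and the remaining hosts fail at the first step. To check a real lockout, call verify_crawler with only the IP; it will use the system resolver.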