Immediately Banning the Admin Username

Because – as you already know – no one should be using “admin” as a username.

ithemes-logoThis is supposedly a feature of iThemes Security already.  If you visit the settings page for “Local Brute Force Protection” and scroll down to the bottom of this page, there is a checkbox right there which states “Immediately ban a host that attempts to login using the admin username.”

However, enabling this option doesn’t have the desired effect.  This feature would be alright if it actually did what it said it did, but instead: it merely puts a lockout on the IP address that attempted to login as admin.  The IP is not banned until that same IP has been locked out enough times to exceed the set threshold for a ban.  So yes, if that same IP attempts to login as “admin” enough times, they will be banned… but they are not “immediately banned” as the option states.

These instructions will work with the free version of the WordPress iThemes Security Plugin only.  The file/directory structure of the Pro version is likely different.  Make these changes at your own risk!  Be certain to backup the original version of your plugin in advance.  It would also be wise to backup your site files and your database prior to making these changes.  Note: any updates made to the iThemes plugin will overwrite the changes you’ve made here, so you’ll have to make these (or similar) changes to future builds in order to preserve the new features.

First file: wp-content/plugins/better-wp-security/core/class-itsec-lockout.php

We must first give the existing lockout script the ability to ban on the first attempt.  Native functionality only bans after the number of lockouts has exceeded a set threshold.  Locate the function “lockout” in this file.  In the function declaration, add a variable $force_ban with a default of FALSE.  At or near line 523 the original declaration looks like this:

private function lockout( $type, $reason, $host = null, $user = null, $username = null ) {

Rewrite as:

private function lockout( $type, $reason, $host = null, $user = null, $username = null, $force_ban = FALSE ) {

At or around line 576, you should find an if statement which checks the current number of lockouts against the lockout threshold… if it is exceeded, the ban is placed.  We want this to also fire if an immediate ban has been demanded, so change this:

if ( $host_count >= ITSEC_Modules::get_setting( 'global', 'blacklist_count' ) && ITSEC_Files::can_write_to_files() ) {

To this:

if (($force_ban) || ( $host_count >= ITSEC_Modules::get_setting( 'global', 'blacklist_count' )) && ITSEC_Files::can_write_to_files() ) {

The above two changes has only just given this script the ability to ban the first time the lockout function is called… but as is, this never happens since no calls are ever made to the lockout function with $force_ban specified… so it is always FALSE.  Now, we’ll provide a condition under which $force_ban is TRUE.  Find the function do_lockout at or around line 130 in the same file:

public function do_lockout( $module, $user = null ) {

You don’t actually HAVE to do it this way, but it is my preference to modify this function declaration as well since I know of another place I’d like to use this feature again: add a $force_ban variable with a FALSE default.

public function do_lockout( $module, $user = null, $force_ban = FALSE ) {

Near the bottom of this function, you’ll find the call made to the lockout function (at or around line 247):

$this->lockout( $options['type'], $options['reason'], $lock_host, $lock_user, $lock_username );

We want to change this so that the admin username module triggers a ban instead of a lockout.  Change the above to:

if ($module == 'brute_force_admin_user') {
	$force_ban = TRUE;
}
$this->lockout( $options['type'], $options['reason'], $lock_host, $lock_user, $lock_username , $force_ban);

At this point, the setting works as advertised.  If anyone attempts to login as “admin”, they are immediately banned.  Next time, I’ll show you how to expand this functionality to include additional non-user usernames with this same affect.

PS: If I’m hosting your WordPress website, it already does this.

Leave a Reply