Recently, I came across a very interesting server response on my WordPress website. After deploying the site on the server, I started getting a “418 I’m a Teapot” status response to requests for a few of the pages, and in turn all my further requests for any page on the website were denied for some duration.
After reading a few articles and blog posts about the same problem, I realized that these errors originated from the Better WP Security plugin that I had recently installed on my website. At the same time I was doubtful about how a plugin that improves the security of your website can break your site completely, so I read up further on how the plugin works.
In fact, these errors are the result of security precautions that the Better WP Security plugin takes under its intrusion detection and bad login prevention mechanisms: the plugin performs a lockout that restricts a user by username or IP address and hence denies all further requests from that user or IP for the lockout duration. Here is a brief account of how these assumptions can conflict with your system and what can be done to prevent it.
Intrusion detection:
A user who hits a lot of 404 errors in a short period of time is assumed to be scanning for something and should be restricted.
Note: Even when a page on the server itself references a resource that is not present on it (a missing image, for example), the Better WP Security plugin will count the resulting 404 as an intrusion, because the request was generated by the end user's browser. (Here I am not very sure whether this is the correct implementation behind the idea of preventing 404 attacks.)
Although it is recommended that you keep the “404 Detection” option enabled in your plugin settings, with all other configuration parameters (including the email address used to notify you about lockouts) set to appropriate values, you can still choose to disable it from your WordPress Dashboard at Dashboard → Security → Detect (shown below).
Limiting bad logins:
Users who fail to log in more than a prespecified threshold number of times should be blocked.
Here again you may choose to disable it at Dashboard → Security → Login, but the recommended approach is to keep it enabled with all parameters configured properly.
When the Better WP Security plugin detects either of the above two cases, it locks out the corresponding IP or username. It also stores the information in the following two WordPress tables.
wp_bwps_logs: Contains logs for all security-related events and can help you in debugging in case of an error.
wp_bwps_lockout: This is another very useful table created by the plugin; it keeps all lockout events with related information, e.g. the username or IP of the locked-out user, the reason for the lockout, and the lockout start and end timestamps. This table can be used to release the lockout for a user by deleting the corresponding entry for the username/IP.
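To make the two lockout triggers and the lockout records concrete, here is a small model of the mechanism described above (404 detection, bad login limiting, and a lockout list that can be cleared the way you would delete a row from wp_bwps_lockout). It is an added illustration written for this post, not the plugin's own code: the thresholds, window lengths, lockout duration, the names `LockoutMonitor`, `record_request`, `record_login`, `release` and `page_load`, and the IP addresses and timestamps are all assumed values, not the plugin's defaults.

```python
"""Toy model of threshold-based lockouts (added illustration, not Better WP
Security's own code). Two triggers are modelled: too many 404 responses from
one IP within a short window, and too many failed logins for one username or IP.
All thresholds, window lengths and the lockout duration are assumed values."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Lockout:
    """One lockout record, mirroring the columns the post lists for wp_bwps_lockout."""
    subject: str   # IP address or username that was locked out
    reason: str    # why the lockout happened
    start: int     # unix timestamp when the lockout began
    end: int       # unix timestamp when it expires


@dataclass
class LockoutMonitor:
    max_404s: int = 20           # assumed: 404s per IP allowed within window_404
    window_404: int = 300        # seconds
    max_failed_logins: int = 5   # assumed: failed logins allowed within window_login
    window_login: int = 300      # seconds
    lockout_duration: int = 900  # seconds a lockout stays in force
    _events: dict = field(default_factory=lambda: defaultdict(deque))
    lockouts: list = field(default_factory=list)

    def _count(self, key, ts, window):
        """Sliding-window counter: add this event, drop events older than the window."""
        q = self._events[key]
        q.append(ts)
        while q and q[0] < ts - window:
            q.popleft()
        return len(q)

    def is_locked_out(self, subject, ts):
        return any(l.subject == subject and l.start <= ts < l.end for l in self.lockouts)

    def _lock(self, subject, reason, ts):
        if not self.is_locked_out(subject, ts):
            self.lockouts.append(Lockout(subject, reason, ts, ts + self.lockout_duration))

    def record_request(self, ip, path, status, ts):
        """Record one HTTP request; returns True if the request is denied."""
        if self.is_locked_out(ip, ts):
            return True
        if status == 404:
            n = self._count(("404", ip), ts, self.window_404)
            if n >= self.max_404s:
                self._lock(ip, f"{n} x 404 within {self.window_404}s", ts)
                return True
        return False

    def record_login(self, ip, username, success, ts):
        """Record one login attempt; returns True if the attempt is denied."""
        if self.is_locked_out(ip, ts) or self.is_locked_out(username, ts):
            return True
        if not success:
            # Failed logins are counted both per IP and per username.
            for key, subject in ((("login", ip), ip), (("login", username), username)):
                n = self._count(key, ts, self.window_login)
                if n >= self.max_failed_logins:
                    self._lock(subject, f"{n} failed logins within {self.window_login}s", ts)
            return self.is_locked_out(ip, ts) or self.is_locked_out(username, ts)
        return False

    def release(self, subject):
        """Clear a lockout, as deleting the matching row in the lockout table would.
        Returns the number of records removed."""
        before = len(self.lockouts)
        self.lockouts = [l for l in self.lockouts if l.subject != subject]
        return before - len(self.lockouts)


def page_load(monitor, ip, missing_assets, ts):
    """The edge case from the note above: a single page whose HTML references
    `missing_assets` resources that do not exist makes the visitor's browser
    issue that many 404s. Returns True if the visitor ends up locked out."""
    monitor.record_request(ip, "/", 200, ts)
    for i in range(missing_assets):
        monitor.record_request(ip, f"/wp-content/uploads/missing-{i}.png", 404, ts)
    return monitor.is_locked_out(ip, ts)


if __name__ == "__main__":
    m = LockoutMonitor(max_404s=10, window_404=60)
    # Constructed sample: one page with 12 broken image links locks out the IP.
    print("locked after page load:", page_load(m, "203.0.113.5", 12, 1000))
    print("lockout records:", m.lockouts)
    print("released:", m.release("203.0.113.5"))
```

The `page_load` helper is the point of the example: a perfectly legitimate visitor who opens a page with more broken asset links than `max_404s` allows is locked out on that single page view, which is exactly the “418” symptom described at the top of this post, and `release` shows the recovery path of removing the matching lockout record.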
Final Note: Better WP Security is a great plugin and helps you avoid many security risks, but it is always better to have a basic understanding of how the plugin works and to configure all parameters appropriately for your requirements before you start using it, so that you don’t face unexpected errors on your live website that might take some time to figure out.