This copy/paste of the email says it all:
“A user with IP address 108.162.250.150 has been locked out from signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 20. The last username they tried to sign in with was: ‘admin’.
The duration of the lockout is 4 hours.
User IP: 108.162.250.150
User hostname: 108.162.250.150
User location: Sydney, New South Wales, Australia”
There IS no registered “admin” user, no-one but me has login credentials and the website is not even live yet; yet I’ve had 3 lock-outs from Cloudflare IP addresses in the past week since I first signed up.
Chain of events: (All dates are AEST)
- August 11th - I connect Cloudflare to my website.
- August 12th - I get my first email (as above) with the IP address of 108.162.249.51
- August 17th - (Today) I get the above email while typing the title of this topic, and another email from an hour ago (IP address 108.162.250.96) which is the one that prompted me to seek support.
For other websites I’ve gotten login attempts from overseas trying the username “admin” but this website is the first one I’ve connected to Cloudflare, it’s been 3 times in 5 days, and the website isn’t even live, yet.
There are other measures I’ll take to add extra security outside of Cloudflare, but that’s not the point; I should’ve have to shore up weaknesses created by Cloudflare in the first place.
