As you are probably aware, security is not an "on/off" type arrangement and you always need to make compromises. When the TurnKey Linux appliance was first developed (many years ago, prior to WordPress supporting 'live' upgrades) the file permissions were set to maximise security (at the cost of user-friendliness; but easily worked around via the commandline).

But as WordPress has evolved, the 'user friendliness' cost imposed by the choice of security settings has risen. In some respects it could be argued what started as a security plus has actually become a security minus. Whilst the risk of a compromised WordPress install hijacking the whole server is reduced; the chance of an out-of-date WordPress install getting hacked in the first place is increased...

The new (not yet released v14.0) version of our WordPress appliance reworks the permissions to allow easy in place upgrades. It does come with the 'price-tag' or reduced overall server security but users will find it easier to keep WordPress up to date so the risk of WordPress being compromised are less (so long as the user actually applies the updates!).

But to get to the point, there is an extensive post covering how one might go about "fixing" the security settings of the current appliance (including a lively debate about the pros and cons). Have a look here. This post specifically covers the steps to take to enable browser based upgrades.

I'm not sure why? But it doesn't have a default password. It should be the password you set it to at firstboot.

Having said that, we have had a few users complain that they are having problems with particularly complex passwords. Punctuation/special characters seem to be the most likely to cause issues. So perhaps try again with a more simple password (upper case, lower case and numbers)- although you can make it secure by making it long. Alternatively once you can log into WordPres, you could change it then, in the WordPress UI. Try setting the password again interactively like this:

/usr/lib/inithooks/bin/wordpress.py

Alternatively, you can run it non interactively. Use the '-h' switch to double check the values required:

/usr/lib/inithooks/bin/wordpress.py -h

The WordPress login problem is a known issue. A fix has already been applied to he build code, but an updated appliance has been yet to be built & released. I hope to release that ASAP.

In the meantime, you could apply the fix yourself. I.e. edit the file /usr/lib/inithooks/bin/wordpress.py. Make the changes noted there - edit the lines noted in red with a '-' prefix so they look like the lines in green that have a '+'. Then rerun the firstboot script:

/usr/lib/inithooks/bin/wordpress.py

Also FWIW using an IP as the "domain" should be fine, but note that you will need to update the domain if/when you use an actual domain. Re running that firstboot script will do that for you - although that will only work if you haven't manually changed the domain.

As to your Webmin issue, that is a new one. Although my first guess is that fail2ban is kicking in and blocking access. That should only be triggered after 3 failed logins, but If I'm correct, it sounds like it's triggering after only one. If that is the issue it should reset after 10 minutes.

To check that, try stopping the fail2ban service and restating Webmin via a terminal session:

systemctl stop fail2ban
systemctl restart webmin

If that doesn't help, first try checking that Webmin is running ok, again form a terminal:

systemctl status webmin

The line starting "Active:" should say "active (running)".

Regardless, try checking the journal for webmin logs. First recreate the issue (i.e. try to log in again), then again from a terminal, run this:

journalctl -u webmin --since "10 minutes ago"

Please share that, as well as any further info you may have.