• jwickham

    (@jwickham)


    Hi,

    I’m having trouble with LLAR on my website. We’ve set the lockout settings as 5 allowed retries, 60 minutes lockout, 4 includes increases lockout time to 336 hours, and 336 hours until retries are reset.

    However, the plugin only applies these settings some of the time. Other times, a user will get locked out after just one attempt, and they’ll be locked out for 1000s of hours (usually between 7000 and 9999 hours). Worse yet, these lockouts don’t appear in LLAR’s logs, so the only way we can identify them is when a customer or user flags the issue for us. I then can add the user to our safelist as a temporary measure, and they can log in fine then.

    Any help you can provide is appreciated. Thank you!

    The page I need help with: [log in to see the link]

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author WPChef

    (@wpchefgadget)

    Let us know if you have any caching plugin installed. Also, can you share information from the debug page of the plugin?

    Thread Starter jwickham

    (@jwickham)

    Sure thing. We don’t have a caching plugin installed, but we do use Edge Cache provided through our host, Pressable.

    The debug info is:
    HTTP_CF_CONNECTING_IP = IP0
    HTTP_X_FORWARDED_FOR = IP1
    REMOTE_ADDR = IP1

    LLAR Tech

    (@llartech)

    Your server is misconfigured. To fix that you need to follow these instructions: https://docs.limitloginattempts.com/plugin-settings/advanced-settings/trusted-ip-origins and enter “HTTP_CF_CONNECTING_IP” into the “Trusted IP Origins” field.

    Thread Starter jwickham

    (@jwickham)

    Thanks very much @llartech. I’m confused, though, because our Trusted IP Origins field says specifically not to enter “HTTP_CF_CONNECTING_IP”:

    Specify the origins you trust in order of priority, separated by commas. We strongly recommend that you do not use anything other than REMOTE_ADDR since other origins can be easily faked. Examples: HTTP_X_FORWARDED_FOR, HTTP_CF_CONNECTING_IP, HTTP_X_SUCURI_CLIENTIP

    Will it pose a security risk if I do add it to the field?

    To avoid security risks you need to ask your hosting provider to fix their Cloudflare IP detection. By adding that header you can fix the issue yourself but if an attacker knows that you use this IP origin, they will be able to spoof IP addresses and attack your site w/o limits. But only if they know. That’s why we don’t recommend doing this. Instead you need to fix the root of the problem with your hosting company.
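As an added illustration of the spoofing risk described above (example code written for this thread, not part of the plugin's own code), the sketch below resolves the client IP from a comma-separated origin list the way the "Trusted IP Origins" setting is described, but honours a proxy header only when REMOTE_ADDR itself belongs to a trusted proxy range. The proxy range, the sample requests and the naive variant are constructed assumptions, not Cloudflare's or Pressable's real addresses.

```python
import ipaddress

# Constructed placeholder for the edge/proxy range your host says it
# forwards from; substitute the ranges your provider publishes.
TRUSTED_PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def _valid_ip(value):
    """Return a normalised IP string, or None if the value is not an IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def _from_trusted_proxy(remote_addr):
    ip = _valid_ip(remote_addr)
    return ip is not None and any(
        ipaddress.ip_address(ip) in net for net in TRUSTED_PROXY_RANGES)


def resolve_client_ip_naive(server, origins):
    """First configured origin that is present wins, no peer check.
    This is the behaviour that lets a direct client set the header."""
    for origin in (o.strip() for o in origins.split(",") if o.strip()):
        ip = _valid_ip(server.get(origin, "").split(",")[0])
        if ip:
            return ip
    return None


def resolve_client_ip(server, origins):
    """server: dict of CGI-style vars (like PHP's $_SERVER).
    origins: priority list such as "HTTP_CF_CONNECTING_IP,REMOTE_ADDR"."""
    remote = server.get("REMOTE_ADDR", "")
    for origin in (o.strip() for o in origins.split(",") if o.strip()):
        if origin == "REMOTE_ADDR":
            ip = _valid_ip(remote)
            if ip:
                return ip
            continue
        # A forwarded-IP header only means something when the direct
        # peer is a proxy we trust; otherwise anyone can set it.
        if not _from_trusted_proxy(remote):
            continue
        # X-Forwarded-For may carry a chain; the first hop is the client.
        ip = _valid_ip(server.get(origin, "").split(",")[0])
        if ip:
            return ip
    return None
```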
