Viewing 15 replies - 1 through 15 (of 19 total)
  • Hi

    Great questions!

    Say you have a user named Bob who has a problem remembering his password. And you have the “Count failures..” option set to 30 minutes and both “Lock out…” options set for 5. The “Amount of time a user is locked out” is set for one hour. That means Bob can enter a wrong password or username no more than 5 times in a 30 minute time period (first bad attempt to last) or he will lock himself out from logging in for one hour.

    Does that help?

    Tim

    Thread Starter eddyferns

    (@eddyferns)

    Hi Tim

    Thank you for your reply.

    What happens when Bob enters wrong password or username 4 times in the 30 minute time period, and then enters wrong password or username after the 30 minute time period lapses, say in the 38th minute?

    Also, I wanted to know if I rename my wp-login url with a secret word or slug, will the login security options still work?

    Ed

    Ed

    I hope you’ll indulge me because I got to thinking of a cartoon scenario and then realized it probably made more sense (at least it did to me).
    So say at 1:00 Bob enters catsrule (which is a horribly wrong password)
    at 1:01 he enters catsrule1, still wrong
    at 1:02 he enters catsrule3, wrong again
    at 1:03 he enters dogssuck, nope
    So then Bob tries to think about it or find where he wrote it down and eventually he realizes that he jotted it down on a Post-it note and stuck it to the computer. It’s password1, which he enters at 1:31. This is still wrong because he changed it.
    The password attempt at 1:00 wouldn’t count anymore because it’s any 5 attempts in a 30 minute period and 1:00 would now be out of that period, so the count should be at 4 now.
    So the 30 minute clock doesn’t mean it resets at 1:00, 1:30, 2:00, 2:30 etc. The attempts are counted and measured with a ‘has it been 30 minutes since the last 4 attempts’ mentality.

    Did that help?

    I’m not sure about renaming the login url. I’ve heard of people doing it and some with great success. It certainly helps with bots that look for common default urls to try and spam your login. I believe the security options will still work but let me look that up to be sure.

    thanks!

    tim
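
Tim's sliding-window explanation above, as an added example (not part of the original thread and not Wordfence's code): a sketch that replays Bob's timeline and contrasts it with a counter that resets on the half hour. The class and function names are hypothetical, and it assumes the lockout starts when failures inside the trailing window reach the threshold.

```python
from collections import deque
from datetime import datetime, timedelta

class SlidingLockout:
    """Per-user failure tracker (hypothetical sketch). Assumption: lockout starts
    when the failures inside the trailing window reach max_failures."""
    def __init__(self, max_failures=5, window=timedelta(minutes=30),
                 lockout=timedelta(hours=1)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = deque()      # timestamps of recent failed logins
        self.locked_until = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now):
        """Record one failed login; return the failure count inside the window."""
        if self.is_locked(now):
            return len(self.failures)    # attempts during a lockout are refused
        # Drop failures that fell out of the trailing window (boundary inclusive).
        while self.failures and self.failures[0] < now - self.window:
            self.failures.popleft()
        self.failures.append(now)
        if len(self.failures) >= self.max_failures:
            self.locked_until = now + self.lockout
        return len(self.failures)

def fixed_bucket_count(times, now, window=timedelta(minutes=30)):
    """Contrast case: a counter that resets on clock boundaries (1:00, 1:30, ...)."""
    epoch = datetime(1970, 1, 1)
    bucket = lambda t: (t - epoch) // window
    return sum(1 for t in times if t <= now and bucket(t) == bucket(now))

def at(hhmm):
    """Constructed sample clock: a time on an arbitrary day."""
    return datetime.strptime("2000-01-01 " + hhmm, "%Y-%m-%d %H:%M")

def replay(times, **settings):
    """Feed failed-login timestamps to a fresh tracker; return counts and tracker."""
    tracker = SlidingLockout(**settings)
    return [tracker.record_failure(t) for t in times], tracker

# Bob's failed attempts from the thread (constructed timestamps).
BOB = [at(t) for t in ("01:00", "01:01", "01:02", "01:03", "01:31")]

if __name__ == "__main__":
    counts, tracker = replay(BOB)
    print("sliding counts:", counts, "locked:", tracker.is_locked(BOB[-1]))
    print("fixed-bucket count at 1:31:", fixed_bucket_count(BOB, BOB[-1]))
```
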

    Thread Starter eddyferns

    (@eddyferns)

    Hi Tim,

    Okay, this simply means that the 30 minute period is dynamic with reference to the number of attempts.

    So this suggests to me that it makes better security sense to reduce that 30 minute period considerably.

    Kindly let me know if the security options will work with renaming the login url.

    Thanks!
    Ed

    Absolutely! I think I have my lockouts set to 5 or 6 hours or so (not in front of the computer at this moment so I can’t verify). You can always unlock a user in the settings for WF.

    I’ll let you know about the other thing as soon as I find out.

    Tim

    Ed, I talked to the dev team and according to them it should work fine. There are other sites using our plugin that do this with no issues.

    Tim

    Thread Starter eddyferns

    (@eddyferns)

    Thanks Tim. I’ll give it a try.

    Ed

    Ed,

    Let me know if you do find an issue that others haven’t identified yet so we can document it.

    tim

    Thread Starter eddyferns

    (@eddyferns)

    Tim,

    I will if there should be any.

    Ed

    Thread Starter eddyferns

    (@eddyferns)

    Hi Tim
    With the below mentioned settings I tried valid usernames and invalid usernames and likewise passwords 4 times. The result – I did not get locked out.

    All those attempts showed in Live Traffic section under Login and Logouts.

    Every option has been checked and utilized for Login Security Option and of course with the login security feature enabled.

    Lock out after how many login failures – 2
    Lock out after how many forgot password attempts – 2
    Count failures over what time period – 5mins

    Regards
    Ed

    Ed

    Can you make sure you haven’t added your IP address to the whitelist on the options page?

    Tim

    Thread Starter eddyferns

    (@eddyferns)

    Tim,

    No, I haven’t added any IP address there. In fact I have never been to that option.

    Ed

    Ok. Let me try this on my installation and I’ll let you know what I find.

    tim

    Ed

    Can you send me a link to your site and give me a time that you can watch? I’m EST and right now it’s 10:13am. I’d like to try and login to test to make sure it’s not something.

    Thanks!

    tim

    Thread Starter eddyferns

    (@eddyferns)

    Tim,

    My site is being developed on a local system i.e. local host. So I don’t know how this is going to be possible.

    Thanks
    Ed

  • The topic ‘Count failures over what time period’ is closed to new replies.