• Resolved Roger N

    (@roger-n)


    Hi!

    It seems as if the “instantly lockout login attempts with username” feature is not working correctly for me as I still get login attempts from users that do not exist but are listed in this section. Can I double-check that this feature works somehow? Does it write to the database or the .htaccess file? Is it included in the debugging?

    Thank you!

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, can you share your settings under Login Lockdown?

    I just carried out a test and I was locked out when I tried to log in using a username added in the following field: Instantly Lockout Specific Usernames.

    Thank you

    • This reply was modified 7 years, 11 months ago by mbrsolution.
    Thread Starter Roger N

    (@roger-n)

    Sure, and thanks!

    Allow Unlock Requests: disabled
    Max Login Attempts: 2
    Time Length of Lockout (min): 240
    Display Generic Error Message: enabled
    Instantly Lockout Invalid Usernames: enabled
    Instantly Lockout Specific Usernames: (list of user names, one for each line)
    Notify By Email: enabled. Email address added.

    With this, I still get 3 or more login attempts from the same username, with different IPs.

    I am using Cloudflare and a cache plugin though + a security plugin, which perhaps causes issues here.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, I think your Cloudflare and cache plugin could be causing this issue. What do you mean by + a security plugin? Are you also using another different security plugin apart from AIOWSP?

    Thread Starter Roger N

    (@roger-n)

    Maybe so. I am still getting more login attempts from non-existing user accounts than I should though.

    Currently the brute force attacks seem to have calmed down though, maybe due to using external security layers too. As for “security plugin”, my mistake. I have another issue with another plugin, Press Permit Pro, and confused the threads. My apologies.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, under Firewall do you have any of the following enabled?

    1. Completely Block Access To XMLRPC:
    2. Disable Pingback Functionality From XMLRPC:

    Thread Starter Roger N

    (@roger-n)

    Neither is enabled.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Can you enable one of those features? Please read the instructions before you do.

    Once you have enabled one of these features can you monitor your site. Report back after a few days or a week and let us know if you still receive the same number of login attempts.

    Thank you

    Thread Starter Roger N

    (@roger-n)

    Just an update on this. I still get many lockouts every hour, using the same user name, but different IPs. This also happens on another site which does not use any external caching. Furthermore, the cache plugin has been removed from both sites, but Cloudflare is still used on one of them.

    Where is this list stored, in the database or the htaccess file?

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Sounds like some bots are targeting your xmlrpc file.

    Did you enable the following?
    Completely Block Access To XMLRPC
    Disable Pingback Functionality From XMLRPC

    The above features should stop those login attempts.

    Thread Starter Roger N

    (@roger-n)

    Both are enabled, no cache, and I still do not get automatic lockouts of unregistered user names. I’ve double checked and they are not registered, and not on the waiting for approval list either. Very strange.

  • The topic ‘instantly lockout login attempts with username’ is closed to new replies.
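
One way to check the XMLRPC suggestion made in the thread is to count login POSTs per endpoint in the web server's access log. The script below is an added example, not part of the thread or of the plugin; it assumes the Apache/nginx "combined" log format, and the log lines are constructed samples. Behind Cloudflare the first field is a Cloudflare edge address unless the server is configured to restore the visitor IP.

```python
import re
from collections import defaultdict

# Constructed sample lines in "combined" log format (not taken from the thread).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2017:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "bot"
198.51.100.8 - - [10/Mar/2017:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "bot"
203.0.113.20 - - [10/Mar/2017:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1820 "-" "bot"
198.51.100.9 - - [10/Mar/2017:10:01:12 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "bot"
192.0.2.44 - - [10/Mar/2017:10:02:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2900 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2017:10:02:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
not a log line
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def summarize_login_posts(log_text):
    """Per login endpoint: POST count, distinct client IPs, status-code tally."""
    summary = {p: {"posts": 0, "ips": set(), "status": defaultdict(int)}
               for p in LOGIN_PATHS}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        if method != "POST" or path not in summary:
            continue
        entry = summary[path]
        entry["posts"] += 1
        entry["ips"].add(ip)
        entry["status"][status] += 1
    return summary


if __name__ == "__main__":
    for path, e in summarize_login_posts(SAMPLE_LOG).items():
        print(path, e["posts"], "POSTs from", len(e["ips"]), "IPs", dict(e["status"]))
```

Many POSTs to `/xmlrpc.php` from many distinct addresses would match the pattern described in the thread (same username, different IPs), and the status tally shows whether those requests are still being served after the XMLRPC options are enabled.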