• Resolved simonzing

    (@simonzing)


    Hi,

    A quick question to clarify.

    The Brute Force Protection feature has the “Lock out after how many login failures” setting, but it doesn’t seem clear whether a “visitor” is defined as either:

    – X number of failed attempts by a user on one device, or
    – X number of failed attempts by all visiting devices behind one public IP address (e.g. a campus).

    I’m guessing the firewall logic is server side, so would be based on IP address, but I wanted to double check.

    The use case I’m interested in is where a large number of visitors logging in might be from a school/college campus, so if the tally is by IP address, to compensate for more visitors, perhaps the allowance should be higher/ time period for failed attempts shorter.

    Thanks!
    Simon

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @simonzing thanks for your query.

    Visitors in the context of that setting are indeed decided by IP only. Therefore, if the campus visitors will have the same external IP, you don’t want to block too strictly but still protect from malicious attempts.

    I recommend reducing the Wordfence > All Options > Brute Force Protection > Count failures over what time period to 5 minutes (20 is our usual recommendation) so that legitimate periodic failures from the campus don’t result in a lock-out but a concentrated ‘attack’ type volume of failures in a short time will be protected against.

    Thanks,

    Peter.
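
An added example, not part of this thread or of the Wordfence plugin's code: a small Python model of the per-IP counting the reply describes. It keeps a sliding window of failed logins per source address and locks out once the count in the window reaches a threshold. The addresses, the threshold of 5 failures, the event timings and the 20-minute versus 5-minute windows are all constructed for the illustration; it shows why a shared campus NAT address with occasional mistyped passwords trips a 20-minute window but not a 5-minute one, while a dense burst from a single host is caught under both.

```python
"""Sliding-window failed-login counter keyed by source IP (illustrative model).

Brute force protection of the kind discussed above tallies failures per IP
address, so every user behind one NAT address shares a single count.
Shortening the counting window lets spread-out legitimate failures age out
while a concentrated burst still reaches the lock-out threshold.
This is a constructed demonstration, not Wordfence's implementation.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


def campus_events() -> List[Tuple[int, str, bool]]:
    """Constructed login events as (timestamp_seconds, source_ip, success).

    203.0.113.10 is a hypothetical campus NAT address shared by many students.
    198.51.100.7 is a hypothetical single host hammering the login form.
    """
    events: List[Tuple[int, str, bool]] = []
    # One mistyped password from somewhere on campus every 3 minutes for an hour.
    for t in range(0, 3600, 180):
        events.append((t, "203.0.113.10", False))
    # Many successful campus logins in between; these never count against the tally.
    for t in range(30, 3600, 60):
        events.append((t, "203.0.113.10", True))
    # A burst of 20 failures in 40 seconds from the attacking host, starting at t=1000.
    for i in range(20):
        events.append((1000 + 2 * i, "198.51.100.7", False))
    events.sort()
    return events


class FailureTracker:
    """Counts failures per IP over a sliding window of `window_seconds`."""

    def __init__(self, max_failures: int, window_seconds: int) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures: Dict[str, Deque[int]] = defaultdict(deque)

    def record(self, ts: int, ip: str, success: bool) -> bool:
        """Record one login event; return True if it reaches the lock-out threshold."""
        q = self._failures[ip]
        # Age out failures that fell outside the counting window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if success:
            return False
        q.append(ts)
        return len(q) >= self.max_failures


def lockouts(events: List[Tuple[int, str, bool]],
             max_failures: int, window_seconds: int) -> Dict[str, int]:
    """Return, per IP, the first timestamp at which it would be locked out."""
    tracker = FailureTracker(max_failures, window_seconds)
    first: Dict[str, int] = {}
    for ts, ip, ok in events:
        if tracker.record(ts, ip, ok) and ip not in first:
            first[ip] = ts
    return first


if __name__ == "__main__":
    evs = campus_events()
    # 5 failures counted over 20 minutes: the campus NAT address is locked out too.
    print("20-minute window:", lockouts(evs, 5, 20 * 60))
    # 5 failures counted over 5 minutes: only the bursting host is locked out.
    print("5-minute window: ", lockouts(evs, 5, 5 * 60))
```

With the 20-minute window the campus address accumulates five spaced-out failures by the 12-minute mark and is locked out alongside the attacker; with the 5-minute window at most two campus failures are ever in the window at once, so only the host producing the 40-second burst is locked out.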

    Thread Starter simonzing

    (@simonzing)

    Brilliant. Thanks @wfpeter – that’s really helpful!

    Simon

  • The topic ‘IP blocking from login failures – how is a user/ visitor defined?’ is closed to new replies.