• Resolved pcde

    (@pcde)


    Hi there — after years of flawless AIOS operation, recently the Cookie Based Brute Force Protection (CBBFP) and Advanced Setting > IP Detection have started returning errors. I don’t know if the two are related, but I think perhaps.

    First problem is that beginning recently, whenever my dynamic IP changes CBBFP starts redirecting me to 127.0.0.1. This never used to happen. I can disable the CBBFP feature via wp-config and then login again without issue. Then once I am logged in again I can turn off CBBFP, save the settings, then turn it back on again and it starts working again as it should… Until (my best guess) my dynamic IP changes again and the exact same problem starts again. Which leads me to problem #2…

    Problem #2 is the Settings > Advanced Settings > Detect IP. For reasons unknown to me the setting has started returning an error message when trying to detect my IP. Sometimes it does display the 3 detected IPs (Cloudflare, IPv4, IPv6), but now it often returns a red error message and no IPs. At the same time, in the dropdown menu, the REMOTE ADDR and CF_CONNECTING_ options (the only options not greyed out) do show the IP address.

    I have tried disabling Cloudflare for the website to see if perhaps I was blocking something essential and it made no difference. I have also investigated any other plugins and/or settings changes that might be causing the problems and have found no conflicts.

    At this point I am at a loss as to what may have started these errors. Could it be my ISP? IDK. But never before prior to this have I ever needed to disable CBBFP in my wp-config. Ever. And my IP was always detected without issue with any dynamic IP changes having no effect on CBBFP. This problem is something new to me. So I am turning to you for help…

    Thanks in advance for your assistance. I really hope there is something simple behind this. Cheers.

    • This topic was modified 1 year, 1 month ago by pcde.
Viewing 12 replies - 16 through 27 (of 27 total)
  • Thread Starter pcde

    (@pcde)

    I wasn’t asking if CBBFP or AIOS requires the visitor’s IP, I was asking if in completing its process CBBFP or AIOS visits or routes through any IP or AS# of any external services (including your own) or if it uses any external services? Or does the entire CBBFP process complete entirely within the host website’s domain server with no external calls or routing?

    If you could just clarify that for me. Thx.

    • This reply was modified 1 year ago by pcde.
    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @pcde,

    AIOS – CBBFP processes entirely within the host website’s domain server with no external calls or routing. It does not require any external service.

    Regards

    Thread Starter pcde

    (@pcde)

    OK… next question: my website is https only. This security best practice is set up both at my website host and also in the Cloudflare settings. All non-https traffic is redirected as https. But I notice that the CBBFP cookie is marked “http only”. Could this be the issue?

    If it is, can the CBBFP cookie be changed to https?

    (Also, this issue should not be marked resolved… it is ongoing. My next step in trying to figure it out, if the https/http thing is not the solution, is to create an entirely new website installation on a subdomain on the same domain/server to see if the problem can be replicated there. Such a PITA!)

    • This reply was modified 1 year ago by pcde.
    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @pcde,

    If I cross-check here for the https secure site, the cookie has both HttpOnly and Secure checked. Please cross-check if that is not the case.

    https://snipboard.io/qdHpOI.jpg

    OK, I have updated this topic to Unresolved.

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @pcde,

    Do you have the salt postfix feature on? The WP Security > User Security > Salt tab has it. Or any other salt-related plugin?

    Recently we have identified an issue regarding that which is making CBBFP not work (or work on saving settings only).

    Regards

    Thread Starter pcde

    (@pcde)

    Hi again! Sorry for the delay replying… life got in the way. Not to mention I am SO tired of researching this!

    Re your previous message: yes, the cookie shows both “http only” and “secure” checked.

    Re the SALT postfix: Yes, I have that turned on. But I previously went through a troubleshooting process where I turned that off and it made no difference to CBBFP. Should I turn it off now? It is on and working fine on my staging site with no CBBFP issues. But there may be some differences between my staging server and live server. I don’t know if some other plugins may use SALT.

    Thanks for following up on this!

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @pcde,

    Yes, keep the SALT postfix off. We recently identified that it causes an issue if it is updated.

    Regards

    Thread Starter pcde

    (@pcde)

    Ok, SALT is off. Here’s hoping it does the trick! I waited overnight after turning it off, cleared all caches/cookies etc, and just now tried logging in using CBBFP and… it worked!! I am both shocked and delighted. lol

    Really hoping this fix sticks and it is still working a few days from now! I will keep you posted. Thank you!

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @pcde,

    Ok, keep me posted.

    I have created an internal ticket to solve this conflict with salt. The upcoming release will have it solved.

    Regards

    Thread Starter pcde

    (@pcde)

    Very happy to say that it’s 3 days later and everything is still working!

    I’m not sure if this tells you anything significant, but when I first turned SALT off I got locked out of the website entirely (redirected to 127.0.0.1) for a period of time. Turning off CBBFP in wp-config made no difference. I am not sure why this happened, or how I eventually started being able to login again, but it seems it was just a temporary thing. This also happened when I turned off SALT on my staging website (where somehow CBBFP had always been working even with SALT on).

    Other than this one temporary thing following turning off the SALT feature, everything is now working as it should again.

    I wonder why when I turned SALT off while troubleshooting things CBBFP didn’t start working again then? Odd.

    All I know is I am so glad everything is working again! Thanks for sticking with this. Cheers.

    • This reply was modified 1 year ago by pcde.
    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @pcde,

    Once you change the salt postfix settings, it makes all logged-in user sessions invalid and logs all users out. In addition to that, the cookie’s value uses that AUTH key and salt, so it also makes the cookie value invalid, and it starts to redirect to 127.0.0.1.

    So you have to deactivate CBBFP once and save the settings (which saves the correct key and salt for the cookie to use), and after that it will work.

    https://snipboard.io/hon67p.jpg

    I am going to work on a fix for this and the upcoming release will have it so salt postfix and CBBFP both can be used.

    Regards
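
The failure mode described in the reply above, as an added example that is not part of the original thread and is not AIOS source code. It is a simplified model: the function names, the settings array, the HMAC construction and all key, salt and secret values are assumptions made up for illustration.

```php
<?php
// Simplified model of a cookie-gated login page (illustrative, not AIOS code).

// Derive the cookie value from the secret word and the site's auth key + salt.
function derive_cookie_value(string $secretWord, string $authKey, string $authSalt): string
{
    return hash_hmac('sha256', $secretWord, $authKey . $authSalt);
}

// "Save settings": store the value that later requests are compared against.
function save_settings(array $settings, string $authKey, string $authSalt): array
{
    $settings['expected_cookie'] =
        derive_cookie_value($settings['secret_word'], $authKey, $authSalt);
    return $settings;
}

// Visiting the secret URL issues a cookie computed from the CURRENT key and salt.
function issue_cookie(array $settings, string $authKey, string $authSalt): string
{
    return derive_cookie_value($settings['secret_word'], $authKey, $authSalt);
}

// Login-page gate: any mismatch sends the visitor to the redirect target.
function gate(array $settings, ?string $cookie): string
{
    if ($cookie !== null && hash_equals($settings['expected_cookie'], $cookie)) {
        return 'login page';
    }
    return 'redirect to http://127.0.0.1';
}

// Constructed sample values.
$authKey  = 'constructed-auth-key';
$authSalt = 'constructed-auth-salt';
$settings = save_settings(['secret_word' => 'constructed-secret'], $authKey, $authSalt);

// 1. Stored value and issued cookie agree: the gate lets the visitor through.
echo '1: ', gate($settings, issue_cookie($settings, $authKey, $authSalt)), PHP_EOL;

// 2. The salt postfix changes the effective salt; the stored value is now stale,
//    so even a freshly issued cookie fails the comparison.
$authSalt .= '-constructed-postfix';
echo '2: ', gate($settings, issue_cookie($settings, $authKey, $authSalt)), PHP_EOL;

// 3. Saving the settings again recomputes the stored value with the new salt.
$settings = save_settings($settings, $authKey, $authSalt);
echo '3: ', gate($settings, issue_cookie($settings, $authKey, $authSalt)), PHP_EOL;
```
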

    Thread Starter pcde

    (@pcde)

    Ahhh, that explains it.

    Thanks so much again for helping figure this out. (Thanks especially for figuring it out before I went ahead and did all the work creating a new WordPress installation to troubleshoot! lol).

    I think now we can very happily mark this as resolved. Cheers.

  • The topic ‘IP Detection Error; Cookie Based Brute Force Lockout’ is closed to new replies.