Login lockdown not working right

Hi, do you have the following option Enable Pingback Protection: enabled? This option is located under WP Security -> Firewall -> Basic Firewall Rules.

Yup,,I sure do

Do you have any other security plugin installed?

I do,,I am also using Securi..could it be a conflict between the 2? That’s how I’m able to see that login attempts from IPs that are suppose to be blocked are still going on. Securi is logging them as ‘failed logins’ or in brute force attack notices, depending on the frequency of attempts. But, after the IP is flagged by all in one wp, it doesn’t show as ‘failed login attempts’, just shows that the ip was blocked on the date in all in one wp, while still showing failed attempts in securi.

I do see the deny rules in .htaccess for the all in one wp, where it is denying access to directories, etc, but the IP’s that are getting flagged for lockout are not getting listed in there.

Hi, perhaps both security plugin might be conflicting with one another. Try to deactivate one of them and carry out another test.

I’ve seen the same sort of activity, where AIOWPS reports a locked out IP address with a single failed attempt (for using an invalid username) but Sucuri logs show five attempts from the same IP with same invalid username but different attempted passwords. Sucuri doesn’t have a setting to limit the number of failed logins, so that limit is applied by AIOWP. It looks like AIOWPS is correctly locking out IPs after 5 failed login attempts but not enforcing the immediate lockout for invalid usernames.

@stevegantz thank you for reporting your finding. One of the plugin developers will investigate further.

Regards

I just tested this together with the sucuri plugin and I can confirm that the AIOWPS login lockdown is working correctly. ie, it is locking out any login attempts made with invalid usernames on the first attempt.
The AIOWPS plugin uses the wordpress “authenticate” filter to check if the user has been locked out before allowing the login process to proceed any further. So in your case it is correctly not allowing those malicious login attempts to proceed further because they have been locked.

I think your confusion lies in the fact that the sucuri plugin is reporting the submission of the login form every time it occurs. I don’t know which hook or filter they are using but the fact that their plugin is showing login attempts doesn’t necessarily mean the AIOWPS is not blocking those attempts. It all depends on when during the login form submission process the sucuri plugin is listening for the login attempts.
My tests confirm that invalid username attempts are indeed being correctly blocked.

I’m setting this issue to resolved.

Thanks very much for testing the plugin combination and providing the technical explanation for what both plugins are reporting. I agree with the implication that Sucuri is essentially reporting false positives, in the sense that its brute force attempt alerts do not indicate an exploitable situation with WordPress.

Excellent, Sounds good to me, thanks for looking into it so thoroughly.