Potential reason for multiple entries in Login Attempts screen

  • Resolved islp

    (@islp)


    3 weeks, 1 day ago

    Sometimes I find multiple logins from the same user in the Login Attempts screen list (Firewall menu). They are stacked one after the other, eg:

    Frankie 109.xxx.178.xxx 20 hours 58 minutes ago
    Frankie 109.xxx.178.xxx 20 hours 58 minutes ago
    Frankie 109.xxx.178.xxx 20 hours 58 minutes ago

    They look like multiple attempts to login, BUT this is in the Successful tab: so why should a person try to login if he’s logged in? (look at the time too: it’s always about the same time)

    What could be the cause? This happens in Tools > Live traffic too.

    Thanks

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @islp, thanks for your message.

    As we’re not sure about the domain or other installed plugins, it’d be best to send a site diagnostic so we can get that information privately. I believe we’ve seen similar behavior before where another plugin was involved, as I can’t replicate it with or without our Login Security features enabled either.

    Visit the?Wordfence > Tools > Diagnostics?page to send the output to us at?wftest @ wordfence . com. Click on?“Send Report by Email”. Please add your forum username where indicated and?respond here after you have sent it.

    NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

    Thanks,
    Peter.

    Thread Starter islp

    (@islp)

    @wfpeter “Diagnostic report has been sent successfully” ??

    Plugin Support wfpeter

    (@wfpeter)

    Hi @islp, thanks for sending that over.

    As Wordfence is designed for the default login flow, I believe that any redirects, attempts to log/add to that in any way and/or a custom login form could cause multiple entries as you’re seeing. There are a couple of plugins there that could maybe be contributing to this, so you could try running Wordfence on its own, and if the multiple entries stop, enable others one-by-one. I don’t think there is an issue as long as you’re not running into any conflicts with that login flow.

    Specifically, if add_action('wp_login','wordfence::loginAction'); is firing more than once in lib/wordfenceClass.php that sets a listener to run after login. The listener that runs is the loginAction function.

    Thanks,
    Peter.

    Thread Starter islp

    (@islp)

    @wfpeter Hello, first of all thanks for your kind reply.

    I suppose when a user emails you data the way we did, you receive something similar to the txt produced by the export button. I suppose you can’t name the plugins here too.

    So, if you receive the plugin names in alphabetic order, can you tell me the position of the couple of plugins potentially causing issues? 1 would be the first plugin, 2 the second, and so on.

    Thanks

    Plugin Support wfpeter

    (@wfpeter)

    Hi @islp,

    In alphabetical order, I picked out 12, 14, 15, 23. I assume you maintain some of those on the list as I am unable to find/install some, or unable to guarantee I have the same settings within the others. For this reason, I merely cited them as possible causes because they have names that could suggest affecting the login flow in some way from what I can see (such as mentioning CAPTCHA, users, membership/user management, etc.)

    The best test would still be to ensure Wordfence on its own can log 1 successful login event, then see if multiple return when a certain plugin on the list is reenabled.

    Thanks again,
    Peter.

    Thread Starter islp

    (@islp)

    @wfpeter Ok, thank you very much ??

Viewing 6 replies - 1 through 6 (of 6 total)
  • You must be logged in to reply to this topic.