Seemingly weird behavior with limit login attempts

  • Hello. This is really a great plugin, keep up the excellent work!

    I’m getting a weird behavior with the limit login attempts feature. A few clients have complained that when they went to log in to their sites they were already blocked from logging in. The feature is using default settings and clients claim they did not enter the password incorrectly multiple times (most of them use password managers). And there was one case where the client was already logged in a couple days ago but when they went to use the administration panel it was blocked for over 20 hours. After I disabled the feature the client could jump straight to the panel, because he was already logged in but was locked.

    Checking the block logs I can see the brute force login attempts on the clients’ logins but what’s stumping me is, how is my client’s machine blocked if they didn’t do it themselves and these attempts were made by someone else?

    So I thought of something. Most ISPs in Brazil seem to use CGNAT, and since multiple users share the same IP address when under CGNAT, this is the only possibility I could think of – that someone else triggered the block for my client’s IP address. But what are the odds that this someone was using the same ISP and the same IP address to try to brute force their way in? I may very well be talking nonsense but, that’s it.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Bowo

    (@qriouslad)

    @denisgomesfranco thank you for reporting this. Your theory sems like a plausible explanation. What does the blocked IP address(es) look like? If you google “IP info” and check those addresses, what info do you get?

    Additionally, in the failed login attempts log, do you see multiple IP addresses having more than one lockouts?… or, just a single IP address?

    Plugin Author Bowo

    (@qriouslad)

    @denisgomesfranco please install this v7.7.0 that contains some changes to how IPv4 / IPv6 addresses are validated: https://www.wpase.com/sdc_download/1879/?key=zfjbirf7p3z3fw2hxtxppaz6bu04d6 and let me know if this fixes the issue you are seeing.

    Thread Starter denisgomesfranco

    (@denisgomesfranco)

    Hi @qriouslad , I will test v7.7 as soon as possible. In the meantime I reviewed the logs for that site where the client was already logged in and then found himself blocked, and found an interesting thing.

    I have checked about 40 IP addresses that were logged and they were all from outside the country. Some IPs had a lot of block attempts such as 62, 91, etc. Most of them were from VPS providers (of course).

    Plugin Author Bowo

    (@qriouslad)

    @denisgomesfranco please test using the v7.7.0 I linked in my previous reply, which contains some modification not found in the official v7.7.0.

    Are those IPv4 addresses that had a lot of failed login attempts? Not IPv6 addresesse?

    Thread Starter denisgomesfranco

    (@denisgomesfranco)

    Okay, I’ll test and try to report back since this problem seems to happen mostly randomly. I saw some IPv6 addresses but none were trying to access the client’s username or email address.

    Plugin Author Bowo

    (@qriouslad)

    @denisgomesfranco noted. Another thing to check is if your site is behind a proxy, e.g. Cloudflare. If so, might be useful to set the preferred HTTP header to detect visitor’s IP address.

    Thread Starter denisgomesfranco

    (@denisgomesfranco)

    None of the sites are behind Cloudflare.

Viewing 7 replies - 1 through 7 (of 7 total)
  • You must be logged in to reply to this topic.