Users reporting "blocked by login security setting" messages.

Hello siriusly!
It could be a conflict with the membership plugin. I suggest you first try to soften the rules under “Options”/”Login Security Options”. Leave “Prevent discovery of usernames through ‘/?author=N’ scans” on if you’ve had it on for a while.

I’m having the same issue but do not have the membership plugin.
The only change I made to my site was update the plugin – soon after that I had MANY visitors letting me know about this error and not being able to access the site.
It seemed to be happening mostly to mobile users and people who were clicking my links from a Facebook page or from twitter.
I softened the Login Security options to try and resolve the issue but it didn’t help.
The only way I could resolve the issue was to revert back to the previous version of the plugin.

Hi — Thanks for the prompt reply! Here are the settings that I’m using in login security options now… I changed the “Don’t let WordPress reveal valid users in login errors” to UNCHECKED but am still having the same problem.

Enforce strong passwords? Force admins & publishers…
Lock out after how many login failures: 20
Lock out after how many forgot password attempts: 6
Count failures over what time period: 5 minutes
Amount of time a user is locked out: 1 hour
Immediately lock out invalid usernames: UNCHECKED
Don’t let WordPress reveal valid users in login errors: UNCHECKED
Prevent users registering ‘admin’ username if it doesn’t exist: CHECKED
Prevent discovery of usernames through ‘/?author=N’ scans: CHECKED
Immediately block the IP of users who try to sign in as these usernames: admin

Hello again!
The last plugin update was very minor so I think we should investigate other possible causes first.

Are you using the free or premium version? (Premium has country blocking)

Are you running a beta version of the plugin or did you update the regular way?

Are you behind a reverse proxy? (If you are, the Live Traffic view will only be reporting one single IP-address).

Hi — Here are answers to your questions:
Using the free version
Updated the regular way (had auto updates turned on)
No reverse proxy
Thanks!

Hi — Just checking back in… still having the same issue. Any additional thoughts? Thanks!

I had the exact same message occur for the first time ever today. No settings changed for a long time. Using the latest free version.

Hello again siriusly,
sorry for the late reply. I think there might be something off about how the IPs are reported to Wordfence. That’s usually the case when these type of problems occur. So we should try to verify that. Could you go through the short bulletpoint list here and check if your IP is being reported correctly by Wordfence?

Hello, I am having the same issue as “sirusly”, same settings, on 5 sites from multiple viewers, with different IP’s. A couple of sites on the same server cleared up by themselves. They also all appear to be blocking the WordPress.com Jetpack automatic plugin updates??
After requesting to be unblocked as an admin I was able to successfully log in.
Any new ideas?

Would it be safe to use the “Click here to unblock all IP addresses.” option in the unblock email to clear this?

Sorry, for one piece of info at a time…
My IP is not being reported by the plugin. It is reporting the server IP. But some of the sites that are not blocking are also reporting the server IP.

Hello sandyjuettner242,
if the server IP is being logged instead of your own IP you need to change how Wordfence determines IP-addresses. Under “Options”/”Basic options” you’ll find a setting called “How does Wordfence get IPs”. If you are using Cloudflare you should choose “CF-Connecting-IP” here. If you have Nginx or similar, you should test with the “X-Forwarded-For HTTP” or “X-Real-IP HTTP header”. When you have changed the settings, do the IP-test again to make sure your IP is being logged correctly.

If you don’t know if you have Nginx, other reverse proxy or Cloudflare please check this with your web host. More information about how Wordfence gets IPs can be found here.

Thank you for the reply.
I checked with host. There is no reverse proxy, Cloudflare is not on, and no varnish or other caching. The only way I could stop visitors from being blocked is to drop the security level down to 2 where the lock out time is blank. They are not active blogs, so this should be okay.
Thanks again.

Update: Yesterday, with no changes made, the correct IP’s are being reported.

Hello sandyjuettner242,
we released a new version of Wordfence yesterday. Maybe the update fixed it?