• Last night I gave one of my site visitors a direct URL to a page on my website. When my visitor tried to access that URL, she got a 404 message because I forgot I had a certain permission level set for that page that makes the page hidden from everyone who doesn’t have a certain role.

    Right after she saw the 404, my visitor was locked out of my website. She saw a screen that looked like this: https://cdn.discordapp.com/attachments/359149300669743106/671154286641676322/unknown.png

    This is the first time I have ever had this kind of thing reported to me. Is this an iThemes screen?

    My iThemes plugin is set to lock people out if they generate a 404 five times in a 15-minute window. (I seem to get a lot of suspicious 404 hits to my site, thus the aggressive setting.) My visitor swears she only tried the URL I gave her once. However, she lives in a remote area of Canada that still only uses dial-up to access the internet, so we wondered if that somehow made her one hit count as five.

    I whitelisted her public IP address in iThemes and that seemed to disable the lockout for her so we could continue the work we were doing.

    Regardless, it seems very strange that this happened at all. Can anybody shed any light on this for me? I need to make sure that my website isn’t locking people out after just one 404 like that.

    Thanks!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi,

    That certainly is an iThemes lockout screen. If you go to Security > Logs and change the module to 404 detection, do you see more than one attempt from that user/IP? That would shed some light on how many attempts were made to access that page.

    Thanks,

    Matt

    Thread Starter Iron Dragon (@sakaane)

    Hi Matt,

    In the log, my customer’s IP address is listed seven times as trying to access the URL that 404’d. Only five of those instances are associated with the customer’s user account. The other two instances are blank in the user field.

    Since iThemes was set to lock out after five attempts, I don’t understand why the log shows seven hits. Surely that can’t be possible if the plugin is respecting the settings properly.

    I’ve asked my customer again to confirm she only tried the URL once and that she didn’t do anything else like refreshing. She says she definitely did not try to access it that many times.

    She did mention that after I whitelisted her and she tried to get back to what we were doing, she had to log in again, i.e., the lockout either logged her out automatically or it wiped the login cookie from her browser. Is that intended behavior too?

    Thanks!
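
One way to cross-check the plugin's 404 log against the web server's own access log, as an added example that is not part of the thread and is not iThemes Security code. It assumes a combined-format access log; the function name `find_404_bursts`, the sample lines and their IP addresses are constructed for illustration, and the threshold and window mirror the five-in-15-minutes setting described in the first post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
THRESHOLD = 5                    # 404s before lockout, per the setting in the thread
WINDOW = timedelta(minutes=15)   # window length, per the same setting

def find_404_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: [(timestamp, path), ...]} for every IP whose 404s reach
    `threshold` inside a sliding `window`. The list holds the hits that were
    in the window at the moment the threshold was first reached."""
    recent = defaultdict(deque)   # per-IP 404 hits still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append((ts, m["path"]))
        # Drop hits that have aged out of the window.
        while ts - hits[0][0] > window:
            hits.popleft()
        if len(hits) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = list(hits)
    return flagged

# Constructed sample: one address with seven 404s within seconds, and one
# with five 404s spread ten minutes apart (never five inside 15 minutes).
SAMPLE_LOG = [
    f'203.0.113.7 - - [27/Jan/2020:21:14:{s:02d} +0000] '
    f'"GET /hidden-page/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"'
    for s in range(2, 9)
] + [
    f'198.51.100.20 - - [27/Jan/2020:21:{m:02d}:00 +0000] '
    f'"GET /old-post/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"'
    for m in range(0, 50, 10)
]

if __name__ == "__main__":
    for ip, hits in find_404_bursts(SAMPLE_LOG).items():
        print(ip, "reached the threshold at", hits[-1][0].isoformat())
        for ts, path in hits:
            print("   ", ts.time(), path)
```

Comparing the timestamps and paths this prints with the entries under Security > Logs shows whether the server itself recorded that many separate requests from the address.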

  • The topic ‘Visitor locked out after one 404 hit’ is closed to new replies.