• Resolved csoszitibor

    (@csoszitibor)


    Hi, your Security Optimizer plugin does not work properly on an NginX server. Limit Login Attempts is set to 3, but nothing happens on wrong logins after 3 tries.

    • This topic was modified 1 year, 3 months ago by csoszitibor.
Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter csoszitibor

    (@csoszitibor)

    Maybe we need to write something in the .htnginx file?

    Plugin Support Georgi Ganchev

    (@georgiganchev)

    Hello @csoszitibor,

    The plugin should work under any environment as the login restriction doesn’t happen on NGINX level but through the database of the application. We have developed the plugin so it can be used under any hosting setup.

    When an IP does more than the allowed login attempts, it is recorded and blocked in the table sg_security_unsuccessful_login. The plugin checks this table and if an IP is present it is presented with:

    “The access to that page has been restricted by the administrator of this website” and a 403 response code.

    If you are experiencing any difficulties, it might be some configuration on your hosting server or another plugin conflicting with this functionality of Security Optimizer.

    Best regards,
    Georgi Ganchev

    Thread Starter csoszitibor

    (@csoszitibor)

    Hello @georgiganchev,

    Thanks for your answer. Now it is working fine; our hosting company modified something in the server settings.

    We have some other questions:

    1.) Is it possible to disable this option: “Do not challenge me for the next 30 days.”? We want to use the Authenticator code on every login attempt.

    2.) We have added a custom filter to enable 2FA for subscribers too. The authentication is fine. We have set with the LoginWP plugin that the login URL is our frontend. But when a subscriber logs in with a backup code, they arrive in the admin area (/wp-admin). How can we disable this /wp-admin?

    thanks

    Tibor

    • This reply was modified 1 year, 3 months ago by csoszitibor.
    Plugin Support Vladimir Trandev

    (@vtrandev)

    Hello @csoszitibor,

    In case you have already selected the mentioned option for a particular user:

    “Do not challenge me for the next 30 days.”

    the above can be reset via:

    WP Dashboard > Security Optimizer > Login Security > Two-factor Authentication for Admin & Editors Users > “click here” to reset their 2-factor authentication

    If you do not mark the checkbox next time, the authentication code will be required each time you log in.

    As for the custom filter, it is not recommended to use different plugins with similar functionalities. I would advise you to review your other security plugin’s settings so that both plugins work as expected. Keep in mind that our Security Optimizer has a “Custom Login URL” option that could be used if it is suitable for your setup:

    https://siteground.com/tutorials/wordpress/security-optimizer/login-security/#Custom_Login_URL

    Regards,

    Vladimir

    Thread Starter csoszitibor

    (@csoszitibor)

    Hello @vtrandev

    We want our users (with subscriber permission) to use 2FA every time, so we want to hide the “Do not challenge me for the next 30 days.” option. Is it possible via CSS?

    We don’t want to change the admin login URL. Our site is for registered users only. We want our users to arrive at the frontend, not the backend, after login and 2FA. LoginWP generates redirects for the after-login and after-logout events.

    It works fine when a user logs in with application-generated codes.
    But when a user uses a backup code, they arrive in the backend. Maybe it is hardcoded there?

    Regards,
    Tibor

    • This reply was modified 1 year, 3 months ago by csoszitibor.
    Plugin Support Georgi Ganchev

    (@georgiganchev)

    Hello

    In order to provide your subscriber role users with the 2FA page you should implement the following code in your template’s functions.php:

    // Hook into the plugin's list of roles that must use 2FA.
    add_filter( 'sg_security_2fa_roles', 'add_user_roles_to_2fa' );

    function add_user_roles_to_2fa( $roles ) {
        // Append the subscriber role to the roles the plugin already enforces.
        $roles[] = 'subscriber';
        return $roles;
    }

    After that, upon logging into the application for the first time, they will get the newly generated code for their authenticator applications. There is no option to stop the “Do not challenge me for the next 30 days” checkbox, but I will suggest such an enhancement to our developers for future releases.

    As for the login to the frontend, you should use the codes generated by the authenticator app. The backup codes should be used only if you get locked out of the application and have no access to the authenticator application on your devices. In such a scenario the login is always to the backend, as this is considered a last-resort option to gain access to your application dashboard and potentially change settings or modify/disable 2FA. It is not possible to change this behavior within the plugin.

    Best regards,
    Georgi Ganchev

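As an added example (not code from this thread or from the Security Optimizer plugin), the same filter extended so that every role registered on the site, not only subscribers, must set up 2FA; it assumes, as the reply above shows, that the filter passes and expects an array of role slugs, and the callback name is hypothetical:

```php
<?php
// Added example, not the plugin's own code. Assumes the
// 'sg_security_2fa_roles' filter receives and returns an array of
// role slugs, as in the snippet posted in the reply above.
add_filter( 'sg_security_2fa_roles', 'require_2fa_for_all_roles' ); // hypothetical name

function require_2fa_for_all_roles( $roles ) {
    // wp_roles()->get_names() returns slug => display name for every role
    // registered on this site, including roles added by other plugins.
    $all_roles = array_keys( wp_roles()->get_names() );

    // Keep whatever the plugin already enforces, add every site role,
    // drop duplicates and reindex so the result is a clean list.
    return array_values( array_unique( array_merge( (array) $roles, $all_roles ) ) );
}
```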
  • The topic ‘What to set on NginX servers?’ is closed to new replies.