a1exus

I think I was on 4.4.9 and was still getting error, I’ll let you know if it still there after update.

I just updated it to 4.4.13, are you saying it was fixed at 4.4.13?

Setting Max Login Attempts Per User to “0” isn’t recommended within plugin itself:

The number of login attempts a user has before their username is locked out of the system. Note that this is different from hosts in case an attacker is using multiple computers. In addition, if they are using your login name you could be locked out yourself. Set to zero to log bad login attempts per user without ever locking the user out (this is not recommended)

I think Brute Force Protection could use some improvements, such as I described earlier: instead of blocking username globally (from all IP), why not block that IP (or better network) for extensive period of time thus preventing future brute force attacks and without any interruption to legitimate user.

_THAT_ would make much more sense instead of how it is now! or am I completly off?

thank you for replying to me, and even though it’s obviously important for me to get back to my site, what’s more interesting to me is why

Why can’t iThemes Security block offenders IPs only instead of username

Why not block that IP and/or network? I didn’t attempt to login with wrong password from my IP, so I should be able to get in without any issues! Your plugin should be smart(er) and as I said earlier just block offenders IP/network and disallow their access not mine!

Does it make any sense?

My php is out of the box, I did _NOT_ do anything to prevent it from using mail(), so how does one (dis/en)able mail()?

Why can’t WP use mail() instead of plugin? I’m trying to figure THAT out!

It seems like it came down to SELinux preventing httpd to execute these binaries:

[root@ip-10-150-53-42 ~]# tail -20 /var/log/audit/audit.log | audit2allow 

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_rw_content_t:file execute;
[root@ip-10-150-53-42 ~]#

my regex is already accounts for “wp-login\.php”.

I wouldn’t need to access live servers as the grand idea behind this is to do all changes on another server, and after it’s done (and tested) just push out changes to live server(s), meanwhile have restrict access to /wp-admin and /wp-login.php on live server(s) to reduce brute force attacks.

@macmanx – I tried several times, didn’t help at all.
@buck Talor – No, as it’s appearing on front page just not when I click at the link.

problem was AllowOverride was set to “None”, so I changed it to “All” and now it’s working

Thank you to everyone for your time and help.

updated mine to 2.0.2 and no problems)

thanks!

if anyone wants to grab a copy of jetpack 2.0 here it is..

MD5 (jetpack20.tgz) = 5863a8f28713a2e3ad14b9cef726d920

rm -rf wp-content/plugins/jetpack

you’ll get your site back but w/out jetpack

i can’t find 2.0 (( i dont think mine did db so i should be ok that, but i cant find 2.0 .zip anywhere…

thank you so much) please give my blog some credits for finding this bug))