rebornhairppp
Forum Replies Created
Hey wpsolutions,
I am running Apache 2.4.18 and I can see the IP address in my .htaccess file with the syntax “deny from”…
I tried banning my own address but I get an error message: “You cannot ban your own IP address”.
Thank you for the clarification. I look forward to your next release.
I will check with my host provider, but would you happen to know which Apache directives I need to add for this feature to work?
Hi wpsolutions,
Thank you.
I just submitted my donation in the amount of $50. Please let me know if you received my payment info.
Thanks again for your sensational help!
Hey mbrsolution,
Haha you’re absolutely right! It was more of a collective effort.
You guys are awesome!
Please please keep me informed on when IPv6 will be implemented.
In the meantime, as a small form of my appreciation, how do I send a monetary donation?
Hi wpsolutions,
I just disabled IPv6 from my modem and ethernet card and the lockout feature FINALLY WORKS!
Kudos to you and the rest of the contributors for a job well done!
I will mark this thread as resolved.
I hope going forward you guys can support IPv6 since my ISP said it’s more secure and more websites are giving it a go.
God bless you guys and thank you again for going the distance!
- This reply was modified 7 years ago by rebornhairppp.
Hi wpsolutions,
I just checked with Spectrum and they recently issued an update on my modem which now gives IPv6 precedence over IPv4. They told me IPv6 is more secure and more websites are beginning to support it; hence the update. I know how to disable it, so I’ll go ahead and test it out and report my findings.
Thanks again for your help! Can’t thank you enough!
Hi wpsolutions,
I just checked with Linode and they said everything is configured correctly. I think the issue is stemming from my ISP. I just noticed, my login failed attempts log shows different IPv6 addresses. It looks like IPv6 is not static which would explain why the lockout feature wasn’t working correctly. How can it if different IPv6 addresses are being read from my browser?
I don’t know how this happened and will call Spectrum for more details.
Will keep you posted!
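
The symptom reported in this reply (every failed login is recorded, but each arrives from a different IPv6 address, so no single address reaches the limit) can be reproduced with a small counter. This is an added example, not code from the All In One WP Security plugin; the /64 grouping, the function and class names, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

MAX_ATTEMPTS = 3        # "Max Login Attempts" from the settings posted in this thread
RETRY_WINDOW = 5 * 60   # "Login Retry Time Period", in seconds
LOCKOUT_TIME = 15 * 60  # "Time Length of Lockout", in seconds


def lockout_key(addr, v6_prefix=64):
    """Key to count failures under: full IPv4 address, or the IPv6 prefix."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is an IPv4 client
    if ip.version == 4:
        return str(ip)
    # Assumption: /64 per subscriber; temporary addresses vary only the low 64 bits.
    return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))


class LoginLockdown:
    def __init__(self, key_func=lockout_key):
        self.key_func = key_func
        self.failures = defaultdict(list)  # key -> timestamps of recent failures
        self.locked_until = {}             # key -> time the lockout expires

    def is_locked(self, addr, now):
        return self.locked_until.get(self.key_func(addr), 0) > now

    def record_failure(self, addr, now):
        """Record one failed login; return True if the client is now locked out."""
        key = self.key_func(addr)
        recent = [t for t in self.failures[key] if now - t < RETRY_WINDOW]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[key] = now + LOCKOUT_TIME
        return self.is_locked(addr, now)


# Constructed sample: one client, a new temporary IPv6 address on each attempt, 10 s apart.
ATTEMPTS = ["2001:db8:12:34:a1b2:c3d4:e5f6:1", "2001:db8:12:34:9f8e:7d6c:5b4a:2",
            "2001:db8:12:34:1122:3344:5566:3"]


def replay(key_func):
    guard = LoginLockdown(key_func)
    return [guard.record_failure(a, now=i * 10) for i, a in enumerate(ATTEMPTS)]
```

`replay(lambda a: a)` counts each full address separately and never locks, while `replay(lockout_key)` locks on the third failure. Counting per /64 also locks out every other host that shares that prefix for the lockout period.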
Hi wpsolutions,
My server is hosted by Linode and ISP is Spectrum. Do I need to check with Linode or Spectrum?
Thanks!
Hi wpsolutions,
THANK YOU THANK YOU THANK YOU SO MUCH FOR investigating the culprit. This means a ton. I wasn’t expecting the above and beyond service. You truly exceeded my expectations.
I sincerely apologize for taking so much of your valuable time by not disclosing this critical piece of information ahead of time.
My IP address from my computer browser is my public IP address from my ISP. My server’s IPv6 address is different. Plus, my server is configured to primarily run IPv4 address.
By any chance, do you know if any other feature is disabled because of IPv6? I tried running a malware scan using Sucuri’s free website and nothing came back negative except the firewall. Sucuri wasn’t able to detect a firewall on my website, so I am thinking my IPv6 address is probably muting this AIOWPS feature?
If you can kindly let me know whether there are other potential but minor issues as a result of having an IPv6 address and when you plan on supporting IPv6 that would be kindly appreciated!
I might also look into purchasing the feature for blocking international access. I hope that doesn’t conflict with IPv6.
Thank you again for your stellar and generous support. Going out of your way to consider supporting IPv6 address is an act worth blessing you for from the Almighty!
Hey wpsolutions,
I just tried deactivating all my other plugins. Still no success.
My IPv6 address is the one actually being recorded in the failed login table. I don’t know why it’s configured like that.
@mbrsolution – thanks for trying again and submitting my request to the developers.
Thank you very much wpsolutions for reaching out!
I am so irritated by this small hiccup as I know I will probably have to tweak something up on my end!
- This reply was modified 7 years ago by rebornhairppp.
Hey mbrsolution,
To clarify, this feature is still NOT working for me.
What I meant by my previous comment is this feature is recording my failed login attempts but NOT locking me out after 3 failed attempts. I can still enter as many different username and password combinations even after 3 failed attempts.
Why would AIOWPS record my failed login attempts but NOT temporarily lock me out after 3 unsuccessful tries?
CAPTCHA seems to be working just fine as well as pretty much all the other features.
Thank you again for your relentless efforts. I apologize for the confusion and any other inconvenience!
Hey mbrsolution,
Thank you for getting back to me so soon. I know you have thousands of requests you need to reply to, so it means a ton taking the time to respond to my inquiries. I very much appreciate your consciousness and generous heart!
Seems very peculiar to hear it’s working for you. I am running on a fresh install of WP 4.9 and Apache 2.4.18. I just created my WP site a couple of days ago so I don’t have much content or pages.
I actually tried uninstalling and then reinstalling the plugin to see if that would change the scenario – NO LUCK!
I don’t have whitelist enabled. I tried enabling the instantly lockout invalid usernames but still no success.
I have installed a cache plugin but it reads no cache. I even tried to clear my browser’s cache but that still didn’t help.
I have nothing reported in my log files. No error messages, failed attempts, or any other hiccups popping up in those log files.
Please see my current set up below to help with your analysis:
1. Remove WP Generator Meta Info: – Enabled
2. Enable Login Lockdown Feature: – Enabled
3. Allow Unlock Requests – Disabled
4. Max Login Attempts – 3
5. Login Retry Time Period (min) – 5 min (I recently changed this)
6. Time Length of Lockout (min) – 15 min (I recently changed this)
7. Display Generic Error Message – Enabled
8. Instantly Lockout Invalid Usernames – Enabled (just enabled it per your recommendation)
9. Enable Login Lockdown IP Whitelist – Disabled
10. Enable Force WP User Logout – Enabled
11. Logout the WP User After XX Minutes – 60
12. Enable manual approval of new registrations – Enabled
13. Enable Captcha On Registration Page – Enabled
14. Enable Honeypot On Registration Page – Enabled
15. DB Prefix and DB Backup – Disabled (didn’t change the DB table prefix)
16. File Permissions Scan Results – Green (ok)
17. Disable Ability To Edit PHP Files – Enabled
18. Prevent Access to WP Default Install Files – Enabled
19. Enable IP or User Agent Blacklisting – Disabled (didn’t elect in IP or user agent bans)
20. Enable Basic Firewall Protection – Enabled
21. Completely Block Access To XMLRPC – Disabled
22. Disable Pingback Functionality From XMLRPC – Enabled
23. Block Access to debug.log File – Enabled
24. Disable Index Views – Enabled
25. Disable Trace and Track – Enabled
26. Forbid Proxy Comment Posting – Enabled
27. Deny Bad Query Strings – Enabled
28. Enable Advanced Character String Filter – Enabled
29. Enable 6G Firewall Protection – Enabled
30. Enable legacy 5G Firewall Protection – Disabled
31. Block Fake Googlebots: Enabled
32. Prevent Image Hotlinking – Enabled
33. Enable 404 IP Detection and Lockout – Enabled
34. Time Length of 404 Lockout (min) – 5
35. 404 Lockout Redirect URL – https://127.0.0.1
36. Enable Rename Login Page Feature – Disabled
37. Enable Brute Force Attack Prevention (cookie) – Enabled
38. Secret Word: testlogin11
39. Enable Captcha On Login Page – Enabled
40. Enable Captcha On Custom Login Form – Disabled
41. Enable Captcha On Woocommerce Login Form – Disabled
42. Enable Captcha On Woocommerce Registration Form – Disabled
43. Enable Captcha On Lost Password Page – Disabled
44. Enable IP Whitelisting – Disabled
45. Enable Honeypot On Login Page – Disabled
46. Enable Captcha On Comment Forms – Enabled
47. Block Spambots From Posting Comments – Enabled
48. Minimum number of SPAM comments – 1
49. Minimum number of SPAM comments per IP – 1
50. Enable Automated File Change Detection Scan – Disabled
51. Enable Front-end Lockout – Disabled
52. Enable iFrame Protection – Enabled
53. Disable Users Enumeration – Enabled
Again, the weird thing is I can see my failed login records but not my locked out IP address in my WP Security Dashboard.
Please help with the troubleshooting as I have spent nearly 36 hours trying to find a solution.
Thank you very much!
Hey scpsc,
I am only operating one site.
I looked at mysql database and AIOWPS creates six wordpress tables. There’s a specific table for login lockdowns, titled Table wp_aiowps_login_lockdown in database wordpress.
When I actually click on view data I see no data. On the contrary, when I click on a different table titled Table wp_aiowps_failed_logins in database wordpress and click view data, I can see a track record of all the failed attempts with the user_login, failed_login_date, and login_attempt_id.
My two cents: I think there might be a bug in AIOWPS that’s not setting, for example, option_values = ‘ ‘ WHERE option_name = ‘limit_login_lockouts’ LIMIT 1; Note, 1 is the number of login attempts allowed before you get locked. I used https://www.wpbeginner.com/wp-tutorials/how-to-unblock-limit-login-attempts-in-wordpress/ to validate my unconfirmed logic.
I also read somewhere, there should be a login lock out folder/file created in your plugins folder after this feature is enabled and tested. I have no such folder or file.
From what I read in the first 70 pages of this forum is you might need to go through all the other steps in securing a firewall, completely blocking access to XMLRPC OR disabling pingback functionality from XMLRPC, etc. There is a perfect tutorial video that might be helpful in configuring AIOWPS from start to finish completely. Here it is: https://www.youtube.com/watch?v=aQYlvTMqcSM
You may also try clearing your browser cache AND WordPress cache by installing a cache plugin like W3 Total Cache (though, doesn’t support latest 4.9 WP version).
Lastly, I am not sure if this makes a difference, but I have the .htaccess and index.php files in my root directory (public_html) and also in my wordpress subdirectory folder. I had to include these two files in my root because I modified my site url address to remove the /wordpress subdomain. For example, instead of having to type https://www.example.com/wordpress to get to my website, you only now have to type https://www.example.com.
The .htaccess in my wordpress subdirectory folder gets automatically created by AIOWPS when you enable the basic firewall or when you check the “Completely Block Access To XMLRPC” feature. My index.php file in the wordpress subdirectory folder is just the original or a backup of the one in my root folder which probably doesn’t bear any relevance to my issue.
I am gonna try watching that YouTube tutorial and video and complete the configuration to see if that fixes the issue.
Good luck and let me know if you find any startling news or fix the issue. I will report the same.
Joe