Viewing 10 replies - 1 through 10 (of 10 total)
  • Thread Starter cjackson23

    (@cjackson23)

    Perhaps the lockout DID happen after the first 4 attempts and their script kept attempting? (Thus generating the 100+ entries in Activity Monitor?)
    From the email generated by the plugin:

    4 failed login attempts (1 lockout(s)) from IP: 80.165.154.119

    Yeah, same here. There’s a Ukrainian IP that’s been trying every now and again for about a hundred times to log in as admin for 3 days now and in the plugin settings it just says “admin (1 lockout)”, while my log files have

    93.183.***.*** - - [10/Mar/2012:13:47:15 +0000] "POST /wp-login.php HTTP/1.0" 200 5650 "http://[my server]/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:4.0) Gecko/20100101 Firefox/4.0"

    repeated for about a hundred times even after there should theoretically be a lockdown. I assume that instead of getting a 403, the login page is still shown, but with a notice that you can’t log in anymore.

    I’m getting the same thing. Close to 100 attempts before getting only one lockout.

    I assume that instead of getting a 403, the login page is still shown, but with a notice that you can’t log in anymore.

    I think you’re right. I was able to continue to make login attempts even though I intentionally locked myself out. So, even if they hit the right user/pass combo they can’t get in since they are locked out.

    All of the attempts were logged in Activity Monitor.

    Thread Starter cjackson23

    (@cjackson23)

    robanna,
    Were you able to verify first-hand that a user cannot log in after lockout—even with the correct user/pass combo?

    cjackson23,
    Yes I was. I locked myself out and then used the correct combo and was not able to get in until I reset the lockout.

    If you don’t care about traffic from that Ukrainian domain, just add the full IP address ‘range’ to your site’s .htaccess deny list. I usually look up the full range of the blocked IP address at http://www.ipchecking.com/. Then manually edit your .htaccess or use cPanel IP Deny Manager to append .htaccess – range is special without spaces: 123.456.789.11-123.456.789.13. This method will permanently block a domain and is not affected by the limit-logon-attempts plugin operations.

    Plugin Contributor johanee

    (@johanee)

    As noted above the attempts will still get logged in access logs and with tools such as Activity Monitor even when they are being blocked by the plugin.

    The visitor (bot) gets a login page with information about the lockout and no attempt to login is actually made.

    It is not a bad idea to block specific IP in htaccess as they can make more trouble apart from trying to log in (spam, etc).

    Thread Starter cjackson23

    (@cjackson23)

    It is not a bad idea to block specific IP in htaccess as they can make more trouble apart from trying to log in (spam, etc).

    awoz & johanee,
    I get multiple login attempts every day on a couple of my sites. I’m wondering what it is that attracts them? Something in the META header info? Any insights?

    Plugin Contributor johanee

    (@johanee)

    It seems that most WordPress blogs get a lot of login attempts these days. I get them on a number of blogs. An unfortunate fact of having a WP blog these days it appears.

    I guess there are people who have automated probing for and then attempting a brute force login.

    It would be interesting to set up a honeytrap style WP installation and watch what they’ll do once they are inside.

  • The topic ‘[Plugin: Limit Login Attempts] Numerous login attempts still being made’ is closed to new replies.
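
Added example, not part of the original thread or of the plugin: a small access-log check for the pattern discussed above, where POSTs to /wp-login.php keep appearing (and, as the thread assumes, keep returning 200) after the plugin has locked the client out. The function name, the sample log lines and the use of a 302 response as a sign of a completed login (stock WordPress redirects after a successful login) are assumptions; the default threshold of 4 matches the "4 failed login attempts" in the plugin email.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format, as in the log line quoted in the thread.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def login_posts_by_ip(lines, threshold=4):
    """Return {ip: {"posts", "statuses", "redirected"}} for every client
    with at least `threshold` POSTs to wp-login.php."""
    seen = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # GETs of the login page are not login attempts
        path = m["path"].split("?", 1)[0]
        if not path.endswith("/wp-login.php"):
            continue
        seen[m["ip"]][m["status"]] += 1
    report = {}
    for ip, statuses in seen.items():
        posts = sum(statuses.values())
        if posts >= threshold:
            report[ip] = {
                "posts": posts,
                "statuses": dict(statuses),
                # Assumption: a 302 after a login POST means the login went
                # through; a locked-out or failed attempt re-renders the form.
                "redirected": statuses.get("302", 0) > 0,
            }
    return report

def _line(ip, minute, method="POST", status=200):
    # Constructed sample line using documentation-range addresses.
    return (f'{ip} - - [10/Mar/2012:13:{minute:02d}:15 +0000] '
            f'"{method} /wp-login.php HTTP/1.0" {status} 5650 '
            f'"http://blog.example/wp-login.php" "Mozilla/5.0"')

SAMPLE = (
    [_line("203.0.113.7", i) for i in range(12)]          # repeated attempts
    + [_line("198.51.100.20", 30), _line("198.51.100.20", 31, status=302)]
    + [_line("192.0.2.44", 40 + i, method="GET") for i in range(6)]
)

if __name__ == "__main__":
    for ip, info in login_posts_by_ip(SAMPLE).items():
        print(ip, info)
```

Because the status is 200 for both a failed attempt and a locked-out one, the count per IP is the useful signal here, and the plugin's own lockout counter is the place to confirm the block is holding.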