WordPress.org

Ready to get started?Download WordPress

Forums

All In One WP Security & Firewall
[resolved] Feature Request: Login Lockdown Whitelist (13 posts)

  1. debenedictis
    Member
    Posted 5 months ago #

    Hi,
    I would like to exempt 3 or 4 IP addresses from the Login Lockdown protections. I have some users at fixed IPs that sometimes forget their password. I don't want to ever lockout the users at those IPs; though I do want to lockout other IPs that have users that try incorrect passwords.

    Is there a way to do that now?

    Robert

    http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

  2. mbrsolution
    Member
    Posted 5 months ago #

    Hello debenedictis, try the following

    WP Security >> User Login >> Login Whitelist and select Enabling IP Whitelisting. This will display your current IP, if you wish you include it as well. Further down you can add all the IP address and or IP address range to the Enter Whitelisted IP Addresses box.

    If you need any more help let us know.

    Kind regards

  3. wpsolutions
    Member
    Plugin Author

    Posted 5 months ago #

    @debenedictis,
    Currently the lockout feature does not exempt certain IP addresses from being locked out.
    The white list feature will only control who can get access to the login/wp-admin pages but those users can still get locked out if they get user/pass wrong.

    We will look into what you have suggested and see if we can implement something in a future update.

  4. debenedictis
    Member
    Posted 5 months ago #

    @wpsolutions

    Thank you.

    If you do update the plugin to support a lockdown whitelist please update this ticket.

  5. sdesigns
    Member
    Posted 5 months ago #

    Adding this feature would be great as I have the same problem. People keep using a cappital letter when it should be lowercase or the reverse then they get locked out.

  6. thinkwired
    Member
    Posted 4 months ago #

    I made a similar request about a month ago; http://wordpress.org/support/topic/whitelist-valid-users?replies=2

    Rather than suggest a solution I'd just like to reiterate the problem and let the developer decide the best way to solve the need.

    How do we stop legitimate users, who are in some cases paying customers, from being locked out for doing something silly like misspelling their username?

    It would be nice to either whitelist known users OR select usernames to autoblock rather than autoblocking all unknown usernames.

    Best!

  7. wpsolutions
    Member
    Plugin Author

    Posted 4 months ago #

    Hi guys,
    In order for the lockout feature to actually lock somebody out they have to get their username (or password) wrong multiple times.

    If someone is consistently getting their login details wrong, then in normal security practice this should sound alarm bells because you are most likely dealing with someone who is illegitimately trying to log in.

    All of your suggestions are fine but they also open up more security holes because we would be making exceptions for people who can't remember their own account details.

    Having said that, we still want to think about this more carefully to see if there are ways to cater for what you are all asking for but with the least security compromises.

    (Don't forget, that the administrator can easily unlock any user by clicking the "unlock" link in the table which lists locked out users in the lockout settings page)

  8. thinkwired
    Member
    Posted 4 months ago #

    "we would be making exceptions for people who can't remember their own account details"

    Exactly... how do we make exceptions for people who can't remember their own account details? I know it sounds crazy and unbelievable but, it is happening. I have 50 or so user accounts and legitimate users get locked out 2-3 times per month. If things go well I expect to have 100 or so members in the next few months which means I will be dealing with angry users 4-6 times per month.

    Rather than "Instantly Lockout Invalid Usernames:" it might be nice to create a manual list of usernames to instantly lockout.

  9. wpsolutions
    Member
    Plugin Author

    Posted 4 months ago #

    After having a think about this, we feel we might have a couple of ideas in mind which should solve the issue of legitimate users locking themselves out.

    We may introduce something in the next release or the one after (depending on how busy we are)
    Will keep you guys posted.

  10. thinkwired
    Member
    Posted 4 months ago #

    If this is your solution, it is brilliant; "Check this if you want to allow users to generate an automated unlock request link which will unlock their account"

    Can you tell us exactly how this feature works? I assume any locked out user can enter their email and receive a link to unlock their ip? Its safe to assume spammers and automated bots will not do this.

  11. thinkwired
    Member
    Posted 4 months ago #

    Uh oh, I just tried this out and it seems as though you need to know your username... half of my lockouts are caused by people entering a wrong username. usually off by one letter -- probably a mistype.

  12. wpsolutions
    Member
    Plugin Author

    Posted 4 months ago #

    I still can't believe people cannot remember their own user names!

    Ok we will modify the feature so that the locked out user will only have to enter email address when they submit an unlock request.

  13. thinkwired
    Member
    Posted 4 months ago #

    The problem is, people use all kinds of different usernames across the web. My site offers a blog and a forum, I have users who use different names to login to both. I don't understand it but the usability feedback/research doesn't lie. End users are not like us.

Reply

You must log in to post.

About this Plugin

About this Topic

Tags

No tags yet.