Theme My Login
[resolved] Too many login attempts (30 posts)

  1. DivaVocals
    Member
    Posted 2 years ago #

    Every user (yep, even the admins) is getting the message that they made too many login attempts and that their accounts are locked out for the next 17 hours. This was working just fine for the last few weeks..

    I had to delete the plugin folder from the back-end JUST to get back into my site's back end.. **sigh** I love this plugin, but I have no clue what the issue is..

    http://wordpress.org/extend/plugins/theme-my-login/

  2. DivaVocals
    Member
    Posted 2 years ago #

    Well I re-installed it and still continue to get the same error.. Is there something that I am unaware of that would cause this issue???

  3. Jeff Farthing
    Member
    Plugin Author

    Posted 2 years ago #

    Nothing short of too many login attempts. You may need to go into the user admin and "unlock" users.

  4. DivaVocals
    Member
    Posted 2 years ago #

    Except EVERY user was locked out.. They ALL didn't try to log in and get locked out..

    I could NOT get in with my own admin login to unlock folks, and I KNOW I didn't make more than 5 login attempts.. It gave me the locked out message on my FIRST login attempt.. I also logged in with a backup account I have set up and was informed that it too was locked out after the FIRST login attempt..

    The only way I could get back into the client's site was to delete the theme-my-login plugin folder..

  5. Jeff Farthing
    Member
    Plugin Author

    Posted 2 years ago #

    Are you able to access the database directly, with phpMyAdmin or any other means? If so, look in the usermeta table for keys "theme_my_login_security" and post the results of a few.

  6. DivaVocals
    Member
    Posted 2 years ago #

    meta_key meta_value
    theme_my_login_security " a:3:{s:9:""is_locked"";s:1:""1"";s:21:""failed_login_attempts"";a:5:{i:0;a:2:{s:4:""time"";s:10:""1327475373"";s:2:""ip"";s:14:""80.165.154.119"";}i:1;a:2:{s:4:""time"";s:10:""1327475374"";s:2:""ip"";s:14:""80.165.154.119"";}i:2;a:2:{s:4:""time"";s:10:""1327475375"";s:2:""ip"";s:14:""80.165.154.119"";}i:3;a:2:{s:4:""time"";s:10:""1327475376"";s:2:""ip"";s:14:""80.165.154.119"";}i:4;a:2:{s:4:""time"";s:10:""1327475376"";s:2:""ip"";s:14:""80.165.154.119"";}}s:15:""lock_expiration"";s:10:""1327561776"";}"
    theme_my_login_security " a:2:{s:9:""is_locked"";s:0:"""";s:21:""failed_login_attempts"";a:3:{i:0;a:2:{s:4:""time"";s:10:""1326771755"";s:2:""ip"";s:14:""108.38.100.103"";}i:1;a:2:{s:4:""time"";s:10:""1326771772"";s:2:""ip"";s:14:""108.38.100.103"";}i:2;a:2:{s:4:""time"";s:10:""1326771777"";s:2:""ip"";s:14:""108.38.100.103"";}}}"
    theme_my_login_security " a:3:{s:9:""is_locked"";s:1:""1"";s:21:""failed_login_attempts"";a:5:{i:0;a:2:{s:4:""time"";s:10:""1327475310"";s:2:""ip"";s:14:""80.165.154.119"";}i:1;a:2:{s:4:""time"";s:10:""1327475311"";s:2:""ip"";s:14:""80.165.154.119"";}i:2;a:2:{s:4:""time"";s:10:""1327475312"";s:2:""ip"";s:14:""80.165.154.119"";}i:3;a:2:{s:4:""time"";s:10:""1327475313"";s:2:""ip"";s:14:""80.165.154.119"";}i:4;a:2:{s:4:""time"";s:10:""1327475314"";s:2:""ip"";s:14:""80.165.154.119"";}}s:15:""lock_expiration"";s:10:""1327561714"";}"
    theme_my_login_security " a:2:{s:9:""is_locked"";s:0:"""";s:21:""failed_login_attempts"";a:1:{i:0;a:2:{s:4:""time"";s:10:""1326332925"";s:2:""ip"";s:13:""96.229.129.29"";}}}"
    theme_my_login_security " a:3:{s:9:""is_locked"";s:1:""1"";s:21:""failed_login_attempts"";a:5:{i:0;a:2:{s:4:""time"";s:10:""1327475445"";s:2:""ip"";s:14:""80.165.154.119"";}i:1;a:2:{s:4:""time"";s:10:""1327475446"";s:2:""ip"";s:14:""80.165.154.119"";}i:2;a:2:{s:4:""time"";s:10:""1327475447"";s:2:""ip"";s:14:""80.165.154.119"";}i:3;a:2:{s:4:""time"";s:10:""1327475448"";s:2:""ip"";s:14:""80.165.154.119"";}i:4;a:2:{s:4:""time"";s:10:""1327475448"";s:2:""ip"";s:14:""80.165.154.119"";}}s:15:""lock_expiration"";s:10:""1327561848"";}"
    theme_my_login_security " a:3:{s:9:""is_locked"";s:1:""1"";s:21:""failed_login_attempts"";a:5:{i:0;a:2:{s:4:""time"";s:10:""1327475413"";s:2:""ip"";s:14:""80.165.154.119"";}i:1;a:2:{s:4:""time"";s:10:""1327475414"";s:2:""ip"";s:14:""80.165.154.119"";}i:2;a:2:{s:4:""time"";s:10:""1327475415"";s:2:""ip"";s:14:""80.165.154.119"";}i:3;a:2:{s:4:""time"";s:10:""1327475416"";s:2:""ip"";s:14:""80.165.154.119"";}i:4;a:2:{s:4:""time"";s:10:""1327475417"";s:2:""ip"";s:14:""80.165.154.119"";}}s:15:""lock_expiration"";s:10:""1327561817"";}"

  7. Atifasif
    Member
    Posted 2 years ago #

    I have some issue with this plugin. After installing Theme My Login, the wp-admin page redirects to this login page, which I don't want. How can I remove this redirection??? Please help me.

    When we log in through the Theme My Login page and click on the dashboard, the admin is automatically signed out and goes to the same login page. Why? What is the problem with this plugin??? Please help me out... I think that's why users try to sign in again and you guys are facing the blocking issue.

  8. DivaVocals
    Member
    Posted 2 years ago #

    Atifasif - Dude.. for reals?????

    START YOUR OWN POST!!!!! your issue is not the same as the one I am reporting here..

  9. Atifasif
    Member
    Posted 2 years ago #

    @DivaVocals you are not the owner of WordPress, mind it, and this is not your website, and if I posted something here by mistake then you should not get hyper, mind it.

    Because these are public forums and everyone comes forward and posts here. Understood????

  10. DivaVocals
    Member
    Posted 2 years ago #

    @Atifasif - Yeah.. okay.. Got it.. I don't own WordPress.. whatever.. **SMH**

  11. Jeff Farthing
    Member
    Plugin Author

    Posted 2 years ago #

    So, according to the data, not every one of them is locked. Those that are locked all occurred from the same IP address.

  12. DivaVocals
    Member
    Posted 2 years ago #

    I saw that too.. Those are all the same username though.. What's interesting though Jeff is that my two logins weren't among those that were locked out according to the data.. I attempted to log in when I was alerted by my other admins that they were locked out.. That's when I got the too many login attempts on my FIRST login try... Very strange..

  13. Jeff Farthing
    Member
    Plugin Author

    Posted 2 years ago #

    They can't all be the same username because there is only one set of theme_my_login_security meta data per user.

  14. overchecking
    Member
    Posted 2 years ago #

    My admin account was locked out for 24 hours with the same IP 80.165.154.119 tonight. I had to disable/re-enable the Theme My Login plugin so I could log in to the dashboard.

    I advise all of you to block this IP and report it.

  15. DivaVocals
    Member
    Posted 2 years ago #

    Sorry Jeff, that was a typo.. It should have read "they AREN'T all the same username". And yes, ALL of my users were locked out, admins and all..

    Bottom line is ALL my users didn't try to log in and get locked out.. I didn't try to log in at all until I was alerted to the issue of folks being locked out, and I got the locked out message when I made my FIRST attempt to log in. There really is some kind of issue here, and unlike overchecking, disable/re-enable did not work for me.. the ONLY way I made the error go away was to delete the Theme My Login folder from my plugins folder via FTP so that I could log back in..

    This is starting to feel like some kind of bot attack...

  16. Jeff Farthing
    Member
    Plugin Author

    Posted 2 years ago #

    Well, just like @overchecking just mentioned, he/she had the same IP address show up. So, it is an attack - and the plugin is doing its job!

  17. DivaVocals
    Member
    Posted 2 years ago #

    I need to be sure I am understanding you correctly when you say the plugin is doing its job..

    The user names that the log shows were locked DID NOT include MY admin user names (Remember I said I have two admin accounts I use).. Neither one of my user names contained the failed login attempts data, and yet BOTH of my admin accounts were locked too..

    Is that the way the plugin is supposed to work??

    All the user accounts get attacked, the admin accounts do not, the user accounts are locked (according to the table data), but the admin accounts are not (again according to the table data), YET the admins are unable to log in and the message given is that the account is locked due to too many login attempts..

    Is THAT the way the plugin is supposed to work???

  18. Jeff Farthing
    Member
    Plugin Author

    Posted 2 years ago #

    The data you posted is ALL of the security meta?

  19. DivaVocals
    Member
    Posted 2 years ago #

    No.. What I posted was only the records in the usermeta table with the keys "theme_my_login_security". None of these records were for my admin users.. there were 10 users altogether at that time. 4 admins and (at the time this happened) 6 registered users. Since then I've had one more registered user, but they were not affected by this as they registered after the fact..

  20. DivaVocals
    Member
    Posted 2 years ago #

    Sooooooo... is there an answer/solution for what happened here????? or????????

  21. Jeff Farthing
    Member
    Plugin Author

    Posted 2 years ago #

    Sorry, no. As previously stated, the code only logs invalid login attempts if they happen... and only "locks" out an account when the threshold defined in the settings is reached.

  22. DivaVocals
    Member
    Posted 2 years ago #

    I understand how this should work, but that's not at all how it worked on this site.. My 2 admin accounts were both locked out and they didn't make 5 login attempts. The other site admins were also locked out and they also didn't make multiple login attempts either. The data makes it look as if ALL the subscribers made multiple login attempts.. **shrugs**

    I may have to look at a different option for this site.. The site is too busy to have to address mass lockouts on a regular basis.. Plus I think that I need to enforce strong passwords for accounts on this site.. The one plugin that adds strong password enforcement looks like it will clash with Theme My Login..

    Anyway.. Thanks for your response..

  23. rolandogomez
    Member
    Posted 2 years ago #

    Personally I was recommended this plugin by Bullet Proof Security, as I use their plugin plus also use Limit Login Attempts. I installed it in 11 websites yesterday, and all work well. I've been adding extra security as there is a rash of automated scripts trying to break into people's WP installations.

    What I'm gathering, for those that experience "admin" lockouts, first of all, you should never have your /yourdomain.com/wp-admin or wp-login.php where your default username is "admin." You're asking for trouble if you do. If you do a search, you can find out how to change that if you have it set up that way. I'll give you an example, a specific IP address tries to login, gets locked out, especially if you use "Limit Login Attempts" plugin, then you install this beautiful plug-in, and you will immediately be locked out.

    If this happens, always use two browsers when adding plugins, i.e., Google Chrome and Firefox, keep both open in admin. After installing a plugin, do not activate until you open your other browser to your plugins in admin, then activate the plugin in one browser, test it, if it doesn't work, delete it from the other browser--or you can FTP and delete it if you prefer one browser.

    So bottom line, if you add Jeff's beautiful plugin, make sure you reset your "Limit Login Attempts" so you don't get locked out if you have blocked people of the LLA plugin. I also found out you can run both, I have both turned on, both with different settings.

    Of note, I also renamed my "login" page this plugin creates, plus renamed the URL when editing in page edit mode, i.e., instead of yourdomain.com/login it's something like yourdomain.com/come-on-in/ or whatever you prefer. I also renamed, not deleted, so if I need it later it's there, the wp-login.php file to something like wp-login.phpSaveForEmergencies

    So now I have several layers of protection. If a hacker goes to mydomain.com/wp-login.php they get page not found. If they go to mydomain.com/wp-admin obviously they are redirected, but that might mean they will have to work harder as I have a weird name for my login/logout page. If they break in past Limit Login Attempts, they have to break in past Theme My Login page security. Not to mention I have installed Bullet Proof Pro so that adds a steel front door to begin with. You might also look at SpamTrawler too, it's not a WP plugin and it's installed in your server root directory, but it protects WP, Socialengine, Vbulletin, etc., anything on your site from spammers, but you can also block countries out too!

    Every bit of protection helps and this plugin is just one layer, but the more layers you have, the better off you are--and that's layers on your server and your WP installation, not just WP. Just my thoughts and I bought my products and am not employed by products mentioned here. Thanks!

  24. DivaVocals
    Member
    Posted 2 years ago #

    rolandogomez - While I appreciate your comments, nothing you've suggested/posted seems to apply to the situation I am reporting in this topic..

    The site that is the subject of this topic does indeed have Bullet Proof Security installed. There is no administrator account named "admin". Even if there was an "admin" account, BPS won't clear all of its readiness checks unless and until you rename the "admin" account to something else.

    I do not have the Limit Login Attempts plugin installed so that is NOT a factor either on this site.

    I GET that this was a hack attempt.. what is UNCLEAR is why ALL the user accounts were locked out particularly when the log files indicated that they all did not attempt to login let alone exceed the number of attempted logins. My personal admin accounts on this site are OBSCURE so I doubt a hacker happened to guess it. Let alone guess EVERY SINGLE USER NAME then attempt to login using each user account..

    So let me summarize what happened:

    1. Both of my personal administrator login accounts to this site were locked out for exceeding the number of login attempts even though I had not tried to login using either one of my administrator accounts.
    2. The other two site administrator accounts were ALSO locked out even though they had not attempted to log in, let alone exceed the number of login attempts.
    3. NONE of the administrator accounts are named admin
    4. the site had BPS installed BEFORE I reported this issue.
    5. This is the ONLY client site that has this same mix of security plugins where I have this issue.
    6. The lockout lasted LONGER than the threshold I set for lockouts and so the ONLY WAY to release the site was to delete the Theme My Login plugins folder.
    7. When I attempted to install a fresh copy of Theme My Login it resulted in the EXACT same lockout occurring as soon as I logged out of the admin and attempted to log back in.

    Since there doesn't seem to be a clear reason why this happened, I have had to remove Theme My Login from this site. I have installed a different plugin to instead enforce strong passwords for accounts on this site.. The one plugin that adds strong password enforcement looks like it will clash with Theme My Login (overlapping features).. So no more Theme My Login on this site.. I also added a login tracker plugin so I can SEE what's happening, and so far with the exception of a stray bot trying to login using "admin", there have been no more issues with mass lockouts on this site..

    I need to note that this ONLY occurred on this site.. other sites where I have the same mix of plugins are not misbehaving..

  25. rolandogomez
    Member
    Posted 2 years ago #

    DivaVocals,

    Thanks for the explanation. I'm no programmer or coder, I get by ;) Funny how this only happened to one site, obviously something is conflicting. I've been buttoning down the hatches with everything I know because there are tons of bots running around trying to login as "admin" and of the 11 sites I manage, they're constantly getting hit--so I set the login attempts to two tries, two times locked out for 1440 hours ;) It's working. It's a crazy hackers world out there and any layer of protection is better than none. So far all 11 sites are using Theme My Login perfectly. I wish you the best, rg.

  26. Jeff Farthing
    Member
    Plugin Author

    Posted 2 years ago #

    Deleting the plugin would not remove the locks, as they are saved in the DB. You would have to delete each of those meta values that you posted.

    Also, the lock isn't cleared for a particular account until it is successfully logged in after the expiration time or manually cleared.
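
An added example (not part of the thread and not the plugin's code): a small Python reader for the `theme_my_login_security` usermeta values discussed above. For each record it reports the lock state, the source IPs of the failed attempts and the lock length, and it separates a lock that is still running from one that has expired but whose flag has not been cleared. The sample values are constructed with documentation-range IPs, and the function names are this example's own.

```python
from collections import Counter

def parse(s, i=0):
    """Parse one PHP-serialized value (i, s, a only) at s[i:]; return (value, next index)."""
    kind = s[i]
    if kind == "i":                          # i:<int>;
        end = s.index(";", i)
        return int(s[i + 2:end]), end + 1
    colon = s.index(":", i + 2)
    n = int(s[i + 2:colon])
    if kind == "s":                          # s:<len>:"<text>";  (len is in bytes; ASCII assumed)
        start = colon + 2
        return s[start:start + n], start + n + 2
    if kind == "a":                          # a:<count>:{<key><value>...}
        i, out = colon + 2, {}
        for _ in range(n):
            key, i = parse(s, i)
            out[key], i = parse(s, i)
        return out, i + 1
    raise ValueError(f"unsupported type {kind!r} at offset {i}")

def clean(raw):
    """Undo CSV-export quoting (outer quotes, doubled inner quotes) if present."""
    raw = raw.strip()
    return raw.strip('"').strip().replace('""', '"') if raw.startswith('"') else raw

def summarize(meta_value, now):
    """Lock state, source IPs and lock length for one usermeta value."""
    data, _ = parse(clean(meta_value))
    attempts = list(data.get("failed_login_attempts", {}).values())
    locked = data.get("is_locked") == "1"
    expires = int(data.get("lock_expiration", 0))
    last = max((int(a["time"]) for a in attempts), default=0)
    state = ("not locked" if not locked else
             "locked" if now < expires else "expired, flag not yet cleared")
    return {"state": state, "ips": Counter(a["ip"] for a in attempts),
            "lock_seconds": expires - last if locked else 0}

def shared_sources(meta_values, now):
    """IPs whose failed attempts appear in more than one locked record."""
    seen = Counter()
    for value in meta_values:
        info = summarize(value, now)
        if info["state"] != "not locked":
            seen.update(set(info["ips"]))
    return sorted(ip for ip, count in seen.items() if count > 1)

# Constructed samples in the layout of the posted rows (documentation-range IPs).
LOCKED = ('a:3:{s:9:"is_locked";s:1:"1";s:21:"failed_login_attempts";a:2:{'
          'i:0;a:2:{s:4:"time";s:10:"1327475373";s:2:"ip";s:12:"203.0.113.77";}'
          'i:1;a:2:{s:4:"time";s:10:"1327475376";s:2:"ip";s:12:"203.0.113.77";}}'
          's:15:"lock_expiration";s:10:"1327561776";}')
CSV_UNLOCKED = ('" a:2:{s:9:""is_locked"";s:0:"""";s:21:""failed_login_attempts"";a:1:{'
                'i:0;a:2:{s:4:""time"";s:10:""1326332925"";s:2:""ip"";s:12:""198.51.100.9"";}}}"')
```

In the rows posted earlier in the thread, `lock_expiration` is exactly 86400 seconds after the last recorded failed attempt, which is what `lock_seconds` reports for the constructed sample.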

  27. DivaVocals
    Member
    Posted 2 years ago #

    Yes Jeff I understand.. but accounts that weren't supposed to be locked were indeed locked, and that is the issue I had.. Also the locks did not expire so everyone remained locked out (even the accounts that should not have been locked out..)

  28. Oliver.Ibanez
    Member
    Posted 1 year ago #

    Had the same issue as described here. Not sure how I managed to hit so many failed login attempts ... probably someone trying to hack in!

    At any rate it locked me out. To get back in just edit 'theme-my-login/modules/security/security.php'

    Replace this ...

    if ( $time > $expiration )
        $this->unlock_user( $userdata->ID );
    else
        return new WP_Error( 'locked_account', sprintf( __( '<strong>ERROR</strong>: This account has been locked because of too many failed login attempts. You may try again in %s.', 'theme-my-login' ), human_time_diff( $time, $expiration ) ) );

    With this ...

    // Clears the lock unconditionally for whichever account is logging in;
    // the expiry check below is commented out.
    $this->unlock_user( $userdata->ID );
    /*if ( $time > $expiration )
        $this->unlock_user( $userdata->ID );
    else
        return new WP_Error( 'locked_account', sprintf( __( '<strong>ERROR</strong>: This account has been locked because of too many failed login attempts. You may try again in %s.', 'theme-my-login' ), human_time_diff( $time, $expiration ) ) );*/

    You'll now be able to log into your admin and make changes to the plugin etc.

  29. sjebelli
    Member
    Posted 1 year ago #

    Thanks Oliver.Ibanez, this worked for me now.
    How can I see the attacker's IP address?

  30. avanslyke
    Member
    Posted 1 year ago #

    Wow, I just had the exact same issue. Thank you Oliver.Ibanez, this worked for me now too! 23-Jan-2013

Topic Closed

This topic has been closed to new replies.
