Posted 4 months ago #
Every user (yep even the admins) are getting the message that they made too many login attempts and that their accounts are locked out for the next 17 hours. This was working just fine for the last few weeks..
I had to delete the plugin folder from the back-end JUST to get back into my site's back end.. **sigh** I love this plugin, but I have no clue what the issue is..
Posted 4 months ago #
Well I re-installed it and still continue to get the same error.. Is there something that I am unaware of that would cause this issue???
Posted 4 months ago #
Nothing short of too many login attempts. You may need to go into the user admin and "unlock" users.
Posted 4 months ago #
Except EVERY user was locked out.. They ALL didn't try to log in and get locked out..
I could NOT get in with my own admin login to unlock folks, and I KNOW I didn't not make more than 5 login attempts.. It gave me the locked out message on my FIRST login attempt.. I also logged in with a backup account I have setup and was informed that it too was locked out after the FIRST login attempt..
The only way I could get back into the client's site was to delete the theme-my-login plugin folder..
Posted 4 months ago #
Are you able to access the database directly, with phpMyAdmin or any other means? If so, look in the usermeta table for keys "theme_my_login_security" and post the results of a few.
Posted 4 months ago #
meta_key meta_value
theme_my_login_security " a:3:{s:9:""is_locked"";s:1:""1"";s:21:""failed_login_attempts"";a:5:{i:0;a:2:{s:4:""time"";s:10:""1327475373"";s:2:""ip"";s:14:""80.165.154.119"";}i:1;a:2:{s:4:""time"";s:10:""1327475374"";s:2:""ip"";s:14:""80.165.154.119"";}i:2;a:2:{s:4:""time"";s:10:""1327475375"";s:2:""ip"";s:14:""80.165.154.119"";}i:3;a:2:{s:4:""time"";s:10:""1327475376"";s:2:""ip"";s:14:""80.165.154.119"";}i:4;a:2:{s:4:""time"";s:10:""1327475376"";s:2:""ip"";s:14:""80.165.154.119"";}}s:15:""lock_expiration"";s:10:""1327561776"";}"
theme_my_login_security " a:2:{s:9:""is_locked"";s:0:"""";s:21:""failed_login_attempts"";a:3:{i:0;a:2:{s:4:""time"";s:10:""1326771755"";s:2:""ip"";s:14:""108.38.100.103"";}i:1;a:2:{s:4:""time"";s:10:""1326771772"";s:2:""ip"";s:14:""108.38.100.103"";}i:2;a:2:{s:4:""time"";s:10:""1326771777"";s:2:""ip"";s:14:""108.38.100.103"";}}}"
theme_my_login_security " a:3:{s:9:""is_locked"";s:1:""1"";s:21:""failed_login_attempts"";a:5:{i:0;a:2:{s:4:""time"";s:10:""1327475310"";s:2:""ip"";s:14:""80.165.154.119"";}i:1;a:2:{s:4:""time"";s:10:""1327475311"";s:2:""ip"";s:14:""80.165.154.119"";}i:2;a:2:{s:4:""time"";s:10:""1327475312"";s:2:""ip"";s:14:""80.165.154.119"";}i:3;a:2:{s:4:""time"";s:10:""1327475313"";s:2:""ip"";s:14:""80.165.154.119"";}i:4;a:2:{s:4:""time"";s:10:""1327475314"";s:2:""ip"";s:14:""80.165.154.119"";}}s:15:""lock_expiration"";s:10:""1327561714"";}"
theme_my_login_security " a:2:{s:9:""is_locked"";s:0:"""";s:21:""failed_login_attempts"";a:1:{i:0;a:2:{s:4:""time"";s:10:""1326332925"";s:2:""ip"";s:13:""96.229.129.29"";}}}"
theme_my_login_security " a:3:{s:9:""is_locked"";s:1:""1"";s:21:""failed_login_attempts"";a:5:{i:0;a:2:{s:4:""time"";s:10:""1327475445"";s:2:""ip"";s:14:""80.165.154.119"";}i:1;a:2:{s:4:""time"";s:10:""1327475446"";s:2:""ip"";s:14:""80.165.154.119"";}i:2;a:2:{s:4:""time"";s:10:""1327475447"";s:2:""ip"";s:14:""80.165.154.119"";}i:3;a:2:{s:4:""time"";s:10:""1327475448"";s:2:""ip"";s:14:""80.165.154.119"";}i:4;a:2:{s:4:""time"";s:10:""1327475448"";s:2:""ip"";s:14:""80.165.154.119"";}}s:15:""lock_expiration"";s:10:""1327561848"";}"
theme_my_login_security " a:3:{s:9:""is_locked"";s:1:""1"";s:21:""failed_login_attempts"";a:5:{i:0;a:2:{s:4:""time"";s:10:""1327475413"";s:2:""ip"";s:14:""80.165.154.119"";}i:1;a:2:{s:4:""time"";s:10:""1327475414"";s:2:""ip"";s:14:""80.165.154.119"";}i:2;a:2:{s:4:""time"";s:10:""1327475415"";s:2:""ip"";s:14:""80.165.154.119"";}i:3;a:2:{s:4:""time"";s:10:""1327475416"";s:2:""ip"";s:14:""80.165.154.119"";}i:4;a:2:{s:4:""time"";s:10:""1327475417"";s:2:""ip"";s:14:""80.165.154.119"";}}s:15:""lock_expiration"";s:10:""1327561817"";}"
Posted 4 months ago #
I have some issue with this plugin after installing theme my login wp-admin page redirect to this login page which i dont want how i can remove this redirection??? please help me
when we login through theme my login page and click on dash board than admin automatically sign out and go on same login page why? what is the problem with this plugin??? please help me out...i think thats why user try to sign in again and you guys facing blocking issue
Posted 4 months ago #
Atifasif - Dude.. for reals?????
START YOUR OWN POST!!!!! your issue is not the same as the one I am reporting here..
Posted 4 months ago #
@ DivaVocals you are not the owner of wordpress mind it and this is not your website and if by mistake I posted some thing here by mistake than you should not get hyper mind it.
Because these are public forums and every one come forward and post here. Understood????
Posted 4 months ago #
@Atifasif - Yeah.. okay.. Got it.. I don't own WordPress.. whatever.. **SMH**
Posted 4 months ago #
So, according to the data, not every one of them is locked. Those that are locked, all occured from the same IP address.
Posted 4 months ago #
I saw that too.. Those are all the same username though.. What's interesting though Jeff is that my two logins wasn't one of those that were locked out according to the data.. I attempted to log in when I was alerted by my other admins that they were locked out.. That's when I got the too many login attempts on my FIRST login try... Very strange..
Posted 4 months ago #
They can't all be the same username because there is only one set of theme_my_login_security meta data per user.
Posted 4 months ago #
My admin account was locked out for 24 hours with the same IP 80.165.154.119 tonight, had disable/Re-Enable Theme My Login plugin so could login to dashboard.
I advise all of yous to block this IP and report it.
Posted 4 months ago #
Sorry Jeff that was typo.. It should have read "they AREN'T all the same username". and yes ALL of my users were locked out admins and all..
Bottomline is ALL my users didn't try to login and get locked out.. I didn't try to log in at all until I was alerted to the issue of folks being locked out and I got the locked out message when I made my FIRST attempt to login. There really is some kind of issue here, and unlike overchecking, disable/re-enable did not work for me.. the ONLY way I made the error go away was to delete the Theme my Login folder from my plugins folder via FTP so that I could log back in..
This is starting to feel like some kind of bot attack...
Posted 4 months ago #
Well, just like @overchecking just mentioned, he/she had the same IP address show up. So, it is an attack - and the plugin is doing it's job!
Posted 4 months ago #
I need to be sure I am understanding you correctly when you say the plugin is doing it's job..
The user names that the log shows were locked DID NOT include MY admin user names (Remember I said I have two admin accounts I use).. Neither one of my user names contained the failed login attempts data, and yet BOTH of my admin accounts were locked too..
Is that the way the plugin is supposed to work??
All the user accounts get attacked, the admin accounts do not, the user accounts are locked (according to the table data), but the admin accounts are not (again according to the table data), YET the admins are unable to log in and the message given is that the account is locked due to too many login attempts..
Is THAT the way the plugin is supposed to work???
Posted 4 months ago #
The data you posted is ALL of the security meta?
Posted 3 months ago #
No.. What I posted was only the records in the usermeta table with the keys "theme_my_login_security". None of these records were for my admin users.. there were 10 users altogether at that time. 4 admins and (at the time this happened) 6 registered users. Since then I've had one more registered user, but they were not affected by this as they registered after the fact..
Posted 3 months ago #
Sooooooo... is there an answer/solution for what happened here????? or????????
Posted 3 months ago #
Sorry, no. As previously stated, the code only logs invalid login attempts if they happen... and only "locks" out an account when the threshold defined in the settings is reached.
Posted 3 months ago #
I understand how this should work, but that's not at all how it worked on this site.. My 2 admin accounts were both locked out and they didn't make 5 login attempts. The other site admins were also locked out and they also didn't make multiple login attempts either. The data makes it look as if ALL the subscribers made multiple login attempts.. **shrugs**
I may have to look at a different option for this site.. The site is too busy to have to address mass lockouts on a regular basis.. Plus I think tha I need to enforce strong passwords for accounts on this site.. The one plugin that adds strong password enforcement looks like it will clash with Theme My Login..
Anyway.. Thanks for your response..
Posted 3 months ago #
Personally I was recommended this plugin by Bullet Proof Security, as I use their plugin plus also use Limit Login Attempts. I installed it in 11 websites yesterday, and all work well. I've been adding extra security as their is a rash of automated scripts trying to break into people's WP installations.
What I'm gathering, for those that experience "admin" lockouts, first of all, you should never have your /yourdomain.com/wp-admin or wp-login.php where your default username is "admin." You're asking for trouble if you do. If you do a search, you can find out how to change that if you have it set up that way. I'll give you an example, a specific IP address tries to login, get's locked out, especially if you use "Limit Login Attempts" plugin, then you install this beautiful plug-in, and you will immediately be locked out.
If this happens, always use two browsers when adding plugins, i.e., Google Chrome and Firefox, keep both open in admin. After installing a plugin, do not activate until you open your other browser to your plugins in admin, then activate the plugin in one browser, test it, if it doesn't work, delete it from the other browser--or you can FTP and delete it if you prefer one browser.
So bottom line, if you add Jeff's beautiful plugin, make sure you reset your "Limit Login Attempts" so you don't get locked out if you have blocked people of the LLA plugin. I also found out you can run both, I have both turned on, both with different settings.
Of note, I also renamed my "login" page this plugin creates, plus renamed the URL when editing in page edit mode, i.e., instead of yourdomain.com/login it's something like yourdomain.com/come-on-in/ or whatever you prefer. I also renamed, not deleted, so if I need it later it's there, the wp-login.php file to something like wp-login.phpSaveForEmergencies
So now I have several layers of protection. If a hacker goes to mydomain.com/wp-login.php they get page not found. If they go to mydomain.com/wp-admin obviously they are redirected, but that might mean they will have to work harder as I have a weird name for my login/logout page. If they break in past Limit Login Attempts, they have to break in past Theme My Login page security. Not to mention I have installed Bullet Proof Pro so that adds a steal front door to begin with. You might also look at SpamTrawler too, it's not a WP plugin and it's installed in your server root directory, but it protects WP, Socialengine, Vbulletin, etc., anything on your site from spammers, but you can also block countries out too!
Every bit of protection helps and this plugin is just one layer, but the more layers you have, the better off you arre--and that's layers on your server and your WP installation, not just WP. Just my thoughts and I bought my products and am not employed by products mentioned here. Thanks!
Posted 3 months ago #
rolandogomez - While I appreciate your comments, nothing you've suggested/posted seems to apply to situation I am reporting in this topic..
The site that is the subject of this topic does indeed have Bullet Proof Security installed. There is no administrator account named "admin". Even if there was an "admin" account, BPS won't clear all of it's readiness checks unless and until you rename the "admin" account to something else.
I do not have the Limit Login Attempts plugin installed so that is NOT a factor either on this site.
I GET that this was a hack attempt.. what is UNCLEAR is why ALL the user accounts were locked out particularly when the log files indicated that they all did not attempt to login let alone exceed the number of attempted logins. My personal admin accounts on this site are OBSCURE so I doubt a hacker happened to guess it. Let alone guess EVERY SINGLE USER NAME then attempt to login using each user account..
So let me summarize what happened:
Since there doesn't seem to be a clear reason why this happened, I have had to remove Theme My Login from this site. I have installed a different plugin to instead enforce strong passwords for accounts on this site.. The one plugin that adds strong password enforcement looks like it will clash with Theme My Login (overlapping features).. So no more Theme My Login on this site.. I also added a login tracker plugin so I can SEE what's happening, and so far with the exception of a stray bot trying to login using "admin", there have been no more issues with mass lockouts on this site..
I need to note that this ONLY occurred on this site.. other sites where I have the same mix of plugins are not misbehaving..
Posted 3 months ago #
DivaVocals,
Thanks for the explanation. I'm no programmer or coder, I get by ;) Funny how this only happened to one site, obviously something is conflicting. I've been buttoning down the hatches with everything I know because there are tons of bots running around trying to login as "admin" and of the 11 sites I manage, they're constantly getting hit--so I set the login attempts to two tries, two times locked out for 1440 hours ;) It's working. It's a crazy hackers world out there and any layer of protection is better than none. So far all 11 sites are using Theme My Login perfectly. I wish you the best, rg.
Posted 3 months ago #
Deleting the plugin would not remove the locks, as they are saved in the DB. You would have to delete each of those meta values that you posted.
Also, the lock isn't cleared for a particular account until it is successfully logged in after the expiration time or manually cleared.
Posted 3 months ago #
Yes Jeff I understand.. but accounts that weren't supposed to be locked were indeed locked, and that is the issue I had.. Also the locks did not expire so everyone remained locked out (even the accounts that should not have been locked out..)
You must log in to post.
