• Resolved greyowl

    (@greyowl)


    I have iThemes Security 5.1.1 installed. My provider recommended implementing SSL and I did, using a certificate they generated. Then my primary Admin was unable to log into the site; at the first attempt with the valid password I got the message “You have been locked out due to too many login attempts.” Users were also unable to access the site. Fortunately I had another Admin user defined and could log in that way.
    The only solution I found was to disable the iThemes Security plugin, which isn’t really a solution! Is there some setting I can change which would circumvent this problem?

    https://wordpress.org/plugins/better-wp-security/

Viewing 6 replies - 1 through 6 (of 6 total)
  • @greyowl

    Hmmm … sounds like 2 issues coinciding.

    The “You have been locked out due to too many login attempts.” indicates a (temp) user lockout.
    Such lockouts are generally caused by brute force attacks.
    So when I said 2 issues coinciding I was referring to changing/configuring SSL while a brute force attack (temp) locked out a user(s). So you may think the issue is caused by the SSL configuration but it could actually be the result of a brute force attack.
    Simply disabling the iTSec plugin SSL for Dashboard setting instead of disabling the entire plugin would have been a simple method to test this theory.

    Did you receive any lockout emails? Or is that iTSec plugin feature disabled? (Notification Email (email address specified), Send Digest Email (disabled) and Email Lockout Notifications (enabled) settings in the Global Settings section of the iTSec plugin Settings page).
    You could also have a look at the lockout entries in the iTSec plugin Logs page.

    dwinden

    Thread Starter greyowl

    (@greyowl)

    I re-activated the plugin and disabled ‘Force SSL for Dashboard’. Visitor access to the site failed with error ‘This webpage has a redirect loop ERR_TOO_MANY_REDIRECTS’.
    I logged out as Admin and logged in again: No problem. The Log list showed many foreign login attempts blocked and an occasional host locked out but nothing showing the problem.
    I then had to again deactivate the plugin to allow Visitor access.

    @greyowl

    Reactivate the iTSec plugin and change the Front End SSL Mode setting from (probably) Whole Site to Off. Save All Changes. Keep the iTSec plugin activated.

    Now test Visitor access using a URL starting with http:// as well as https://

    Does using a URL starting with http:// result in http:// or does it get auto redirected to https:// ?

    Does using a URL starting with https:// result in https:// with the page successfully displayed ?

    Please note all the iTSec plugin SSL feature does is force use of the https:// scheme on frontend and/or backend when detecting the http:// scheme in the URL. This way http:// forcefully becomes https://

    Perhaps there is a conflict with another plugin.
    Retest after deactivating all plugins except iTSec (if possible).

    dwinden
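
The http:// and https:// checks described in the reply above can be run hop by hop instead of in a browser, which shows exactly where a redirect loop starts. This is an added example, not part of the thread or of the iThemes Security plugin; `site.example` and the canned responses are constructed, and the loop shown is an assumed case of two redirect rules that disagree.

```python
# Added example: hop-by-hop redirect trace for the http:// and https:// checks.
import http.client
from urllib.parse import urljoin, urlsplit

def fetch(url):
    """Request one URL without following redirects; return (status, Location or None)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path, headers={"User-Agent": "redirect-trace"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace(url, fetch=fetch, max_hops=10):
    """Follow redirects manually; return (verdict, chain of visited URLs)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            # Final page reached: report which scheme the visitor ends up on.
            return ("ok-" + urlsplit(chain[-1]).scheme, chain)
        nxt = urljoin(chain[-1], location)
        if nxt in chain:
            # Same URL seen twice: the browser would report ERR_TOO_MANY_REDIRECTS.
            return ("loop", chain + [nxt])
        chain.append(nxt)
    return ("too-many-hops", chain)

# Constructed responses (not from the thread): one rule forces https://,
# another sends the https:// page back to http://, so the chain never ends.
LOOPING_SITE = {
    "http://site.example/": (301, "https://site.example/"),
    "https://site.example/": (302, "http://site.example/"),
}
# Constructed responses for a site where http:// is upgraded once
# and https:// serves the page directly.
FIXED_SITE = {
    "http://site.example/": (301, "https://site.example/"),
    "https://site.example/": (200, None),
}

if __name__ == "__main__":
    import sys
    for start in sys.argv[1:]:
        print(start, *trace(start))
```

Run against a live site by passing both start URLs on the command line; the hop that first repeats identifies which pair of redirects conflicts.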

    Thread Starter greyowl

    (@greyowl)

    This change helps. It was set to ‘per content’. Now URLs starting with http:// and https:// both get auto redirected to https://
    Is it safe to leave it like this?

    @greyowl

    Ahh, ok great. Yes it’s perfectly safe to leave it like this.
    Again the iTSec plugin SSL feature does nothing more than forcefully use SSL when detecting non SSL.

    It seems there is already a mechanism in place which forces SSL use.
    Might be worth finding out what else is responsible for forcing SSL use.
    That way you can compare and possibly choose what force SSL mechanism you prefer.
    (The iTSec plugin does offer the extra SSL feature Per Content for the frontend…).

    It could be another plugin or it could be a Web Server config tweak.
    Perhaps your hosting provider can assist in finding out.

    Anyway I think we can wrap this topic up. If you agree please mark this topic as ‘resolved’.

    dwinden

    Thread Starter greyowl

    (@greyowl)

    Thanks.

  • The topic ‘Admin and user access blocked after adding SSL’ is closed to new replies.