Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @romain1233444, thanks for your question.

    We usually recommend that sites with a high number of users signing in, such as online stores or membership sites, don’t enable Wordfence > All Options > Brute Force Protection > Immediately lock out invalid usernames, as this can cause a rise in failed login notifications. It is entirely possible that more users result in more accidentally mistyped or incorrect credentials being entered by default.

    Aside from that, it does look like you have a custom login form for your users that differs from the default WordPress page, so Login Security could be a factor. 2FA and reCAPTCHA could be unreliable or even not function correctly if they’re enabled on a custom form.

    If neither of those seems to be the answer, keep an eye on your Live Traffic for blocks being triggered at times user logins fail. Some users could be getting caught by a rule, your Rate Limiting settings might be too strict, or a high number of requests for assets on that particular page such as images/CSS/JavaScript might be building up.

    I generally set my Rate Limiting Rules to these values to start with:
    Rate Limiting Screenshot

    • If anyone’s requests exceed – 240 per minute
    • If a crawler’s page views exceed – 120 per minute
    • If a crawler’s pages not found (404s) exceed – 60 per minute
    • If a human’s page views exceed – 120 per minute
    • If a human’s pages not found (404s) exceed – 60 per minute
    • How long is an IP address blocked when it breaks a rule – 30 minutes

    I also always set the rule to Throttle instead of Block. Throttling is generally better than blocking because any good search engine understands what happened if it is mistakenly blocked and your site isn’t penalized because of it. Make sure and set your Rate Limiting Rules realistically and set the value for how long an IP is blocked to 30 minutes or so.

    Remember there is no hard and fast, one size fits all set of rules for every site. This is just a good place to start. During an attack you may want to make those rules stricter. If you see visitors, like search engine crawlers, getting blocked too often, you might want to loosen them up a little.

    Here is a video guide to Rate Limiting as well:
    Rate Limiting Guide

    Let me know how you get on!
    Peter.
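
One way to check the thresholds in the reply above against real traffic before relying on them, as an added example that is not part of the original reply and not Wordfence's own code. It assumes an Apache/nginx combined-format access log and counts per IP in calendar-minute buckets (Wordfence's own counting window may differ); the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Thresholds taken from the reply above (per minute).
MAX_REQUESTS = 240   # "If anyone's requests exceed"
MAX_404S = 60        # pages not found (404s)

# Combined log format: client IP, timestamp truncated to the minute, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<minute>[^:]+:\d{2}:\d{2}):\d{2} [^\]]+\] '
    r'"[^"]*" (?P<status>\d{3}) '
)

def find_rate_limit_hits(lines, max_requests=MAX_REQUESTS, max_404s=MAX_404S):
    """Return sorted (ip, minute, rule, count) tuples for every exceeded limit."""
    requests, not_found = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        key = (m["ip"], m["minute"])
        requests[key] += 1
        if m["status"] == "404":
            not_found[key] += 1
    hits = []
    for (ip, minute), n in requests.items():
        if n > max_requests:  # "exceed" is read as strictly greater than
            hits.append((ip, minute, "requests", n))
    for (ip, minute), n in not_found.items():
        if n > max_404s:
            hits.append((ip, minute, "404s", n))
    return sorted(hits)

def sample_log():
    """Constructed sample: one asset-heavy client, one 404-heavy client, one normal user."""
    def row(ip, sec, path, status):
        return (f'{ip} - - [10/Mar/2025:14:05:{sec:02d} +0000] '
                f'"GET {path} HTTP/1.1" {status} 512 "-" "constructed-agent"')
    lines = [row("198.51.100.7", i % 60, f"/assets/img{i}.png", 200) for i in range(250)]
    lines += [row("203.0.113.9", i % 60, f"/missing{i}", 404) for i in range(61)]
    lines += [row("192.0.2.15", i, "/my-account/", 200) for i in range(5)]
    return lines

if __name__ == "__main__":
    for ip, minute, rule, count in find_rate_limit_hits(sample_log()):
        print(f"{ip} {minute} exceeded {rule} limit with {count}")
```

IPs that show up here during times when customer logins fail are candidates for the asset build-up or too-strict limits described in the reply.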


The topic ‘Clients can’t log in’ is closed to new replies.