• Resolved staceyzav

    (@staceyzav)


    First – thanks for a great plugin! I use it on many sites and it is really great.

    I have one site that seems to be getting hit hard with “brute force”. I have a ton of features enabled:

    – rename login page
    – login captcha
    – login lockdown feature (no unlock requests, 60000000000000 seconds before they can retry)
    – instantly lockout login attempts with usernames which do not exist on your system

    Even with these settings, I get about 40 emails a day with SITE LOCKOUT NOTIFICATION – each one is a username that does not exist and they should be instantly locked out according to these settings. However, when I visit the Locked IP Address page, I don’t see any locked out IPs at any time. Am I misunderstanding the settings I’ve enabled?

    Also, I have purchased an add-on “country blocker” but it ended up locking out my client (who was not in a country that was locked out).

    Let me know if anyone can help troubleshoot! Happy to upgrade for support, please direct me where to go if so. Thanks so much.

Viewing 13 replies - 1 through 13 (of 13 total)
  • Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi,

    when I visit the Locked IP Address page, I don’t see any locked out IPs at any time

    What is the value of the following field in your lockout settings page?
    Time Length of Lockout

    Also even though you may have hidden your login page, the bad bots quite often target the xmlrpc.php file. If you’re not using xmlrpc functionality you can disable it via the firewall rules if you’re on an apache-type web server.

    • This reply was modified 5 years, 6 months ago by wpsolutions.
    Thread Starter staceyzav

    (@staceyzav)

    Thanks for your reply!

    Ultimately, I just want them to be locked out forever. We only have 3 admins, so if an authorized user accidentally gets locked out, I can go in and add them back.

    My current setting is this:
    Time Length of Lockout: 60000000000000

    It’s weird, b/c I get the email that the user was locked out, but when I go into the plugin it doesn’t show any blocked out users.

    THIS:
    If you’re not using xmlrpc functionality you can disable it via the firewall rules if you’re on an apache-type web server.
    (FYI – the site is hosted on WPEngine.com – if that helps, I don’t know exactly what this means, but I see this page on the plugin, just not sure what you mean or what I should do)

    Plugin Contributor wpsolutions

    (@wpsolutions)

    It’s weird, b/c I get the email that the user was locked out, but when I go into the plugin it doesn’t show any blocked out users.

    Have you checked this plugin’s log file?
    Firstly make sure debug is enabled – go to:
    WP Security >> Settings
    Make sure the “Enable Debug” checkbox is ticked.

    Then wait for another lockout notification and check the following:
    Go to:
    WP Security >> Dashboard >> AIOWPS Logs

    Select the “wp-security-log” option and view the logs. Let me know if you see any logs which show errors related to this problem or which may say something like “Error inserting record into”

    Have you checked your server error log files? (if you don’t know how to locate the server error logs ask your host provider to help you)

    Thread Starter staceyzav

    (@staceyzav)

    Thanks for the info!

    I went ahead and enabled the debug logs and this is what I see – so it looks like they are getting locked out after all? I still get about 50 attempts / lockouts a day. Are they masking their IP? Any suggestions on how to lock them out for good?

    [05/29/2019 5:32 PM] – NOTICE : The following IP address range has been locked out for exceeding the maximum login attempts: 103.6.245
    [05/29/2019 6:03 PM] – NOTICE : The following IP address range has been locked out for exceeding the maximum login attempts: 67.225.141
    [05/29/2019 6:15 PM] – NOTICE : The following IP address range has been locked out for exceeding the maximum login attempts: 182.50.135
    [05/29/2019 6:42 PM] – NOTICE : The following IP address range has been locked out for exceeding the maximum login attempts: 108.179.192
    [05/29/2019 6:56 PM] – NOTICE : The following IP address range has been locked out for exceeding the maximum login attempts: 80.88.87
    [05/29/2019 7:15 PM] – NOTICE : The following IP address range has been locked out for exceeding the maximum login attempts: 89.252.184
    [05/29/2019 7:53 PM] – NOTICE : The following IP address range has been locked out for exceeding the maximum login attempts: 50.62.208

    Hi Stacy,

    This has been my experience, too. I don’t want to be notified about usernames that don’t exist. What’s the point? Simply save it in a LOG file so I can review from time to time if need be. I really only need to be notified about attempts on KNOWN usernames so I can take appropriate action.

    My workaround was to modify the plugin’s software since it doesn’t have any hooks in the function. Hopefully the DEVs will see the logic behind not sending unnecessary lockdown notifications and update their software.

    I added the following code to the send_ip_lock_notification_email function in /all-in-one-wp-security-and-firewall/classes/wp-security-user-login.php:

    /* Begin username check: only send the lockout e-mail when the attempted
       username belongs to a real account on this site */
    $user_names = wp_list_pluck( get_users( array( 'fields' => array( 'user_login' ) ) ), 'user_login' );
    if ( ! in_array( $username, $user_names, true ) ) {
        return; // unknown username: skip the notification (the lockout itself still happens)
    }
    /* End username check */
    Thread Starter staceyzav

    (@staceyzav)

    Thanks for your reply! Actually, on the login lockdown page, there is an item to check if you want email notifications or not. Have you tried that? Are you blocking them out some other way?

    My question was more on the fact that it doesn’t seem to be locking them out. I get about 50 attempts per day on one site and the attempts are all variations of users in the database. So, my concern is more about how do I lock this bot out for good?

    When I look in the dashboard, I have 1,913 failed login records, all with different IP records and ranges, but it’s obvious they are coming from the same bot and I don’t see any of these IPs on the blocked list.

    Yes as stated, it’s been my experience, too. Apologies for the tangential reply, but getting notified for unknown user login attempts makes no sense in light of the fact that nobody ever gets locked out. Slightly off-topic but not entirely 😉

    Thread Starter staceyzav

    (@staceyzav)

    No worries!

    @wpsolutions – Since I don’t see any of the IPs being locked out, I exported the CSV and entered the list of IPs and ranges manually. I made sure that my client wasn’t on that list and added my client and myself to the whitelist (since we are the only ones with logins).

    Unfortunately, that ended up locking out my client from not only the backend but the front end as well. I searched my list to make sure he wasn’t on it again, but the only thing that fixed was to remove the blacklist entirely. Any idea why he’d get locked out? I had him double check his IP and it was not on the blackout list…

    Let me know if you have any suggestions…

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi @staceyzav,

    added my client and myself to the whitelist

    Which “white list” are you referring to?
    For instance:
    1) There is the white list which will prevent lockouts which is found in the “Login Lockdown IP Whitelist Settings” section
    This setting will give lockout immunity to any IPs entered in this whitelist (NOTE: only applicable when the login lockdown feature is enabled)

    2) and there is also the “Login Whitelist” found in the Brute Force >> Login Whitelist section.
    This one will prevent all IPs except those in this whitelist from accessing the login page.

    I think I might know what is the cause of your problem.

    You said earlier that:

    My current setting is this:
    Time Length of Lockout: 60000000000000

    I think the size of your value is causing the issue.
    Can you please set it to something smaller like 999999.

    I think your lockout problems will disappear.
    In the meantime I will add some checks on that settings page to prevent such an issue.

    Some background on why this is happening:
    You are likely on a 32bit system and the lockout feature uses the strtotime() PHP function to calculate the future date up to which the IP address will be locked out.
    The PHP manual says for the strtotime function:

    The valid range of a timestamp is typically from Fri, 13 Dec 1901 20:45:54 UTC to Tue, 19 Jan 2038 03:14:07 UTC. (These are the dates that correspond to the minimum and maximum values for a 32-bit signed integer.)
    ……
    For 64-bit versions of PHP, the valid range of a timestamp is effectively infinite, as 64 bits can represent approximately 293 billion years in either direction.

    So the number of minutes you entered is exceeding the maximum date in the future because your value equates to millions of years ahead in time which surpasses the maximum date of 19 Jan 2038.

    • This reply was modified 5 years, 6 months ago by wpsolutions.
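The 32-bit timestamp limit described in the reply above, as an added example that is not the plugin's code and not part of the original thread. It computes the lockout expiry two ways: with strtotime() as the reply describes, which on 32-bit PHP cannot represent any date past 19 Jan 2038 and returns false, and with a DateTimeImmutable plus a clamped upper bound so an oversized setting still yields a valid far-future date. The function names and the 10-year cap are assumptions made for this example.

```php
<?php
// Added example (not the plugin's own code). Function names and the cap are hypothetical.

// Approach the reply describes: strtotime() on a relative string.
// On 32-bit PHP any result later than 2038-01-19 03:14:07 UTC is not representable,
// so strtotime() returns false instead of a timestamp.
function lockout_expiry_strtotime($minutes)
{
    return strtotime('+' . $minutes . ' minutes');
}

// Safer alternative: clamp the setting to a sane maximum (assumed here: ~10 years)
// and build the expiry with DateTimeImmutable, which does not depend on a 32-bit time_t.
function lockout_expiry_safe($minutes, $max_minutes = 5256000)
{
    $minutes = (int) max(1, min($minutes, $max_minutes));
    $now     = new DateTimeImmutable('now', new DateTimeZone('UTC'));
    $expiry  = $now->add(new DateInterval('PT' . $minutes . 'M'));
    return $expiry->format('Y-m-d H:i:s');
}

// The value from the thread: 60000000000000 minutes, roughly 114 million years.
$setting = 60000000000000;

$raw = lockout_expiry_strtotime($setting);
if ($raw === false) {
    // This is the 32-bit case: the expiry that would be stored is not a valid future
    // date, so the lockout never appears as active even though the e-mail was sent.
    echo "strtotime() returned false for {$setting} minutes (32-bit timestamp range exceeded)\n";
} else {
    echo "strtotime() gave " . gmdate('Y-m-d H:i:s', $raw) . " UTC (64-bit PHP)\n";
}

echo 'clamped expiry: ' . lockout_expiry_safe($setting) . " UTC\n";
echo 'clamped expiry for 999999 minutes: ' . lockout_expiry_safe(999999) . " UTC\n";
```

Run it with `php -r` or as a script on both a 32-bit and a 64-bit PHP build to see the difference; checking the return value of strtotime() for false before storing it is the minimal fix, and clamping the setting on the settings page (as the reply says will be added) keeps the stored date meaningful on either architecture.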
    Plugin Contributor mbrsolution

    (@mbrsolution)

    @staceyzav, is your issue resolved?

    Regards

    Thread Starter staceyzav

    (@staceyzav)

    Sorry for the delay, I was traveling last week.

    YES, YES!! It looks like it’s working as expected now. Thank you so much!!!

    Plugin Contributor mbrsolution

    (@mbrsolution)

    That is great to know 😉

    I am marking this thread as resolved.

    Enjoy the plugin.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Just a quick note:
    I have also updated the code and used an alternative to the strtotime function so this will not happen again and you will be able to enter much larger values.
    This update will appear in the next release.

  • The topic ‘Continuous “Site Lockout Notifications”’ is closed to new replies.