Limit Login Attempts
DoS with this plugin? (9 posts)

  1. wilcochris
    Member
    Posted 1 year ago #

    Is there a known issue with the 1.7.1 version of this plugin?

    I have been getting emails for the last 24-48 hours about an attempted login with the admin username.

    I got rid of the admin username when I set up my blog.

    I have this plugin installed on 2 of my blogs and both seem to be under a DoS style attack even with the plugin installed. I have received about 30 emails across both blogs and it is becoming increasingly frustrating.

    The plugin appears to not do what it should be doing.

    Anyone know of a fix that doesn't involve uninstalling the plugin?

    TIA,

    Chris

    https://wordpress.org/plugins/limit-login-attempts/

  2. Jessi
    Member
    Posted 1 year ago #

    We have the same problem. Login notification plugin installed along with this one.

    On 10+ sites we continually receive 100+ e-mails of failed login attempts from the same IP address, same username attempted. The plugin does not seem to be doing its job at locking out IP addresses after 4 (or however many) tries.

    If you found a solution, wilcochris, I would love to hear!

  3. wilcochris
    Member
    Posted 1 year ago #

    Hi,

    No solution, no word from the developer.

    My advice would be to ditch this and find something far superior. Even if I do get word from the dev I will never go back. Far too long a delay in responding.

    Hope you can find something better than this heap of junk.

  4. lovingboth
    Member
    Posted 1 year ago #

    It's not a problem with the plugin, it's an historical problem with WordPress.

    Until version 3.0, when installing a new site WordPress made 'admin' a compulsory first user, complete with administration powers.

    Then until 3.7, it strongly suggested that username for the first user.

    I think it still defaults to it if you don't supply a username.

    The result is that there are millions and millions of WordPress-based sites out there with an administration account called 'admin', so the vast majority of automated attempts to log in use that user name.

    This is what you're seeing... It clearly works often enough that it's not worth them trying to work out what usernames are in use.

  5. Jessi
    Member
    Posted 1 year ago #

    FWIW Wilco - we actually were able to figure out why/how this is happening.

    Stumbled across the answer accidentally while trying to connect to one of my websites using the WordPress iPhone App. This plugin does not work for that type of remote connection - so the same IP address trying multiple times is not subject to the "Limit Login Attempts" IP Block.

    I'm not sure how to solve this issue - but there seems to be a bug in the plugin specifically related to remote posting. My guess is that these robots trying to brute force attack your site are using a similar script/application that is also bypassing the plugin's IP address blocking feature.

  6. Hellnik
    Member
    Posted 1 year ago #

    Alternatively, you can use the plugin Login LockDown
    =(

  7. Benny
    Member
    Posted 12 months ago #

    The problem is that this plugin does not protect from brute force attacks coming from a bot-network with thousands of unique IPs. It doesn't matter if they all get blocked. There are so many that they potentially still can perform a successful attack.

    This would of course explain the continuous emails wilcochris and Jessi are getting.
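    Benny's point (#7) is that a per-IP lockout says nothing about a campaign spread over thousands of addresses: each address can stay under the threshold while the username as a whole takes hundreds of guesses. The script below is an added example (not code from the thread or from the Limit Login Attempts plugin) of the detection that does see this: it reads constructed failed-login records, groups failures by target username, and reports any username whose failures inside a sliding 10-minute window came from at least five distinct addresses, together with the most attempts any single address made. The log format, field names, thresholds and function names are assumptions; feed it whatever your login-notification plugin or access log actually records.

```php
<?php
// Added example (not from the thread): detect a distributed password-guessing
// campaign that per-IP lockouts miss, by counting distinct source addresses per
// target username within a sliding window. Log lines and format are constructed;
// addresses come from the documentation ranges.

$log = [
    '2013-04-12T10:00:01Z user=admin ip=203.0.113.5 result=fail',
    '2013-04-12T10:00:07Z user=admin ip=203.0.113.9 result=fail',
    '2013-04-12T10:00:15Z user=admin ip=198.51.100.21 result=fail',
    '2013-04-12T10:00:20Z user=chris ip=203.0.113.5 result=ok',
    '2013-04-12T10:00:31Z user=admin ip=198.51.100.77 result=fail',
    '2013-04-12T10:00:44Z user=admin ip=192.0.2.130 result=fail',
    '2013-04-12T10:01:02Z user=admin ip=192.0.2.8 result=fail',
    '2013-04-12T11:30:00Z user=admin ip=203.0.113.200 result=fail',
];

/** Parse one constructed record into its fields, or null if the line does not match. */
function parse_line( $line ) {
    if ( ! preg_match( '/^(\S+) user=(\S+) ip=(\S+) result=(\S+)$/', $line, $m ) ) {
        return null;
    }
    return [ 'ts' => strtotime( $m[1] ), 'user' => $m[2], 'ip' => $m[3], 'result' => $m[4] ];
}

/**
 * Returns [ username => [ 'peak_ips', 'failures', 'max_per_ip' ] ] for every username
 * whose failures inside some $window-second span came from at least $min_ips addresses.
 */
function find_distributed( array $lines, $window = 600, $min_ips = 5 ) {
    $events = []; // username => list of [timestamp, ip] for failures only
    foreach ( $lines as $line ) {
        $e = parse_line( $line );
        if ( $e === null || $e['result'] !== 'fail' ) {
            continue;
        }
        $events[ $e['user'] ][] = [ $e['ts'], $e['ip'] ];
    }

    $hits = [];
    foreach ( $events as $user => $list ) {
        usort( $list, function ( $a, $b ) { return $a[0] - $b[0]; } );

        $per_ip = [];
        foreach ( $list as $ev ) {
            $per_ip[ $ev[1] ] = isset( $per_ip[ $ev[1] ] ) ? $per_ip[ $ev[1] ] + 1 : 1;
        }

        $peak  = 0;
        $start = 0;
        foreach ( $list as $i => $ev ) {
            // Slide the window start forward past anything older than $window seconds.
            while ( $list[ $start ][0] < $ev[0] - $window ) {
                $start++;
            }
            $ips = [];
            for ( $j = $start; $j <= $i; $j++ ) {
                $ips[ $list[ $j ][1] ] = true;
            }
            $peak = max( $peak, count( $ips ) );
        }

        if ( $peak >= $min_ips ) {
            $hits[ $user ] = [
                'peak_ips'   => $peak,
                'failures'   => count( $list ),
                'max_per_ip' => max( $per_ip ),
            ];
        }
    }
    return $hits;
}

foreach ( find_distributed( $log ) as $user => $info ) {
    printf(
        "user=%s: %d distinct addresses within a 10-minute window, %d failures in total, at most %d from any single address\n",
        $user, $info['peak_ips'], $info['failures'], $info['max_per_ip']
    );
}
```

    On the constructed input this reports `admin` with six distinct addresses inside one window and a maximum of one attempt per address, which is exactly the pattern a per-IP threshold of 4 never triggers on; the number that matters for alerting is failures per username, not per source.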

  8. chltx
    Member
    Posted 11 months ago #

    Thanks for the information, Jessi! I'm wondering if I'm seeing something similar.

    About two weeks ago, all of my sites started getting massive brute force login attempts. I had my limit login attempts threshold set at 4, but I was getting as many as 12 on some attempts. The botnets actually took down one of my sites via DDoS.

    Now, I have .htaccess for wp-admin and for the parent directory wp-login.php set to whitelist my IP. Initially, that cut off the massive brute-force onslaught, but after a few days, I started getting more notifications that my limit login threshold had been exceeded -- which I would not have thought possible (they were *not* coming from my whitelisted IP).

    At this point, it's not fatal. My "admin" has no access to the site, has a very large randomly-generated password, and uses Google authentication plus stealth login. I'm getting 2 or 3 of these a day, so it appears that the layers above limit login attempts are repelling most of the botnet attacks. Not likely that anybody is going to guess that password plus the Google authentication plus the extra authentication -- but there are many things about this stuff I don't understand, and the fact that somebody is crashing my .htaccess worries me.
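    Jessi's post (#5) reports that logins made through the remote-posting path are not counted by the plugin, and chltx (#8) still sees the threshold exceeded with .htaccess protecting only wp-admin and wp-login.php; neither of those covers xmlrpc.php, the XML-RPC endpoint that the WordPress mobile apps and other remote-posting clients use. The must-use plugin below is an added illustration (not the Limit Login Attempts plugin's code and not from the thread) of throttling that sees both paths: it hooks `wp_login_failed`, which core fires from `wp_authenticate()`, the function that both wp-login.php and `wp_xmlrpc_server::login()` call, and refuses a locked-out address on the `authenticate` filter that both paths also pass through. The `ex_` names, the thresholds and the transient keys are assumptions.

```php
<?php
/**
 * Plugin Name: Example login throttle (XML-RPC aware)
 * Description: Added illustration, not the Limit Login Attempts plugin. Place in wp-content/mu-plugins/.
 */

defined( 'ABSPATH' ) || exit;

// Assumed thresholds: 4 failures within 15 minutes locks the source address for 20 minutes.
define( 'EX_MAX_FAILURES', 4 );
define( 'EX_WINDOW_SECONDS', 900 );
define( 'EX_LOCKOUT_SECONDS', 1200 );

/** Source address as PHP sees it. Only trust a forwarded header if a proxy you control sets it. */
function ex_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Which login path produced the request; xmlrpc.php defines XMLRPC_REQUEST before loading core. */
function ex_login_path() {
    return ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) ? 'xmlrpc' : 'wp-login';
}

/** Per-address transient key (assumed prefixes ex_fail / ex_lock). */
function ex_key( $prefix ) {
    return $prefix . '_' . md5( ex_client_ip() );
}

/**
 * Count a failure. Core fires wp_login_failed from wp_authenticate(), which both
 * wp-login.php and wp_xmlrpc_server::login() call, so XML-RPC failures land here too.
 */
function ex_record_failure( $username ) {
    if ( get_transient( ex_key( 'ex_lock' ) ) ) {
        return; // already locked; do not let refused attempts extend the count
    }
    $key   = ex_key( 'ex_fail' );
    $count = (int) get_transient( $key ) + 1;
    // Re-setting the transient restarts its expiry, so the window is 15 minutes since the last failure.
    set_transient( $key, $count, EX_WINDOW_SECONDS );

    if ( $count >= EX_MAX_FAILURES ) {
        set_transient( ex_key( 'ex_lock' ), time(), EX_LOCKOUT_SECONDS );
        delete_transient( $key );
        error_log( sprintf( 'ex-throttle: lockout ip=%s user=%s via=%s',
            ex_client_ip(), $username, ex_login_path() ) );
    }
}
add_action( 'wp_login_failed', 'ex_record_failure', 10, 1 );

/**
 * Refuse authentication from a locked-out address on every path. Priority 99 runs after
 * core's username/password handlers, so a correct password is also refused while locked.
 */
function ex_refuse_locked( $user, $username, $password ) {
    if ( get_transient( ex_key( 'ex_lock' ) ) ) {
        return new WP_Error( 'ex_locked_out', 'Too many failed login attempts from your address. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'ex_refuse_locked', 99, 3 );

// If nothing on the site needs remote posting, the simplest fix is to turn the endpoint off.
// add_filter( 'xmlrpc_enabled', '__return_false' );
```

    The `via=` field in the lockout log line is the check worth keeping even if you use another plugin: if lockouts show up tagged `xmlrpc` while your .htaccess rules only cover wp-login.php, that is the gap the attempts are coming through. Like the plugin in the thread, this keys on the source address, so it does nothing against the many-address campaigns Benny describes (#7).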

  9. vyonte
    Member
    Posted 11 months ago #

    chltx, the problem is when you have no fixed IP.

    The ideal would be for the plugin to detect GeoIP and show the country, with the option to refuse a country. I have a lot of force attacks, and I can detect firstly India and Pakistan. The problem is going one by one IP refusing them.
