Support » Plugin: All In One WP Security & Firewall » Enable Login Lockdown Feature Is Not Working

Viewing 15 replies - 1 through 15 (of 22 total)
  • Hi,

    Same problem here, and I have a multisite. Is it also the case for you?

    Hey scpsc,

    I am only operating one site.

    I looked at mysql database and AIOWPS creates six wordpress tables. There’s a specific table for login lockdowns, titled Table wp_aiowps_login_lockdown in database wordpress.
    When I actually click on view data I see no data.

    On the contrary, when I click on a different table titled Table wp_aiowps_failed_logins in database wordpress and click view data, I can see a track record of all the failed attempts with the user_login, failed_login_date, and login_attempt_id.

    My two cents: I think there might be a bug in AIOWPS that’s not setting, for example, option_values = ‘ ‘ WHERE option_name = ‘limit_login_lockouts’ LIMIT 1; Note, 1 is the number of login attempts allowed before you get locked. I used http://www.wpbeginner.com/wp-tutorials/how-to-unblock-limit-login-attempts-in-wordpress/ to validate my unconfirmed logic.

    I also read somewhere, there should be a login lock out folder/file created in your plugins folder after this feature is enabled and tested. I have no such folder or file.

    From what I read in the first 70 pages of this forum, you might need to go through all the other steps in securing a firewall, completely blocking access to XMLRPC OR disabling pingback functionality from XMLRPC, etc. There is a perfect tutorial video that might be helpful in configuring AIOWPS from start to finish completely. Here it is: https://www.youtube.com/watch?v=aQYlvTMqcSM

    You may also try clearing your browser cache AND WordPress cache by installing a cache plugin like W3 Total Cache (though, doesn’t support latest 4.9 WP version).

    Lastly, I am not sure if this makes a difference, but I have the .htaccess and index.php files in my root directory (public_html) and also in my wordpress subdirectory folder. I had to include these two files in my root because I modified my site url address to remove the /wordpress subdomain. For example, instead of having to type http://www.example.com/wordpress to get to my website, you only now have to type http://www.example.com.

    The .htaccess in my wordpress subdirectory folder gets automatically created by AIOWPS when you enable the basic firewall or when you check the “Completely Block Access To XMLRPC” feature. My index.php file in the wordpress subdirectory folder is just the original or a backup of the one in my root folder which probably doesn’t bear any relevance to my issue.

    I am gonna try watching that YouTube tutorial and video and complete the configuration to see if that fixes the issue.

    Good luck and let me know if you find any startling news or fix the issue. I will report the same.

    Joe

    Plugin Contributor mbrsolution

    (@mbrsolution)

    @rebornhairppp, I just carried out a test. I set up the settings as per your set up above and it worked for me. I was locked out after two attempts.

    I also had the following feature Instantly Lockout Invalid Usernames: enabled.

    Do you have Login Whitelist enabled by any chance? Can you check your log files, both the plugin and server logs?

    Do you have a cache plugin installed in your site?

    Thank you

    • This reply was modified 1 year, 7 months ago by  mbrsolution.

    Hey mbrsolution,

    Thank you for getting back to me so soon. I know you have thousands of requests you need to reply to, so it means a ton taking the time to respond to my inquiries. I very much appreciate your consciousness and generous heart!

    Seems very peculiar to hear it’s working for you. I am running on a fresh install of WP 4.9 and Apache 2.4.18. I just created my WP site a couple of days ago so I don’t have much content or pages.

    I actually tried uninstalling and then reinstalling the plugin to see if that would change the scenario – NO LUCK!

    I don’t have whitelist enabled. I tried enabling the instantly lockout invalid usernames but still no success.

    I have installed a cache plugin but it reads no cache. I even tried to clear my browser’s cache but that still didn’t help.

    I have nothing reported in my log files. No error messages, failed attempts, or any other hiccups popping up in those log files.

    Please see my current set up below to help with your analysis:
    1. Remove WP Generator Meta Info: – Enabled
    2. Enable Login Lockdown Feature: – Enabled
    3. Allow Unlock Requests – Disabled
    4. Max Login Attempts – 3
    5. Login Retry Time Period (min) – 5 min (I recently changed this)
    6. Time Length of Lockout (min) – 15 min (I recently changed this)
    7. Display Generic Error Message – Enabled
    8. Instantly Lockout Invalid Usernames – Enabled (just enabled it per your recommendation)
    9. Enable Login Lockdown IP Whitelist – Disabled
    10. Enable Force WP User Logout – Enabled
    11. Logout the WP User After XX Minutes – 60
    12. Enable manual approval of new registrations – Enabled
    13. Enable Captcha On Registration Page – Enabled
    14. Enable Honeypot On Registration Page – Enabled
    15. DB Prefix and DB Backup – Disabled (didn’t change the DB table prefix)
    16. File Permissions Scan Results – Green (ok)
    17. Disable Ability To Edit PHP Files – Enabled
    18. Prevent Access to WP Default Install Files – Enabled
    19. Enable IP or User Agent Blacklisting – Disabled (didn’t elect in IP or user agent bans)
    20. Enable Basic Firewall Protection – Enabled
    21. Completely Block Access To XMLRPC – Disabled
    22. Disable Pingback Functionality From XMLRPC – Enabled
    23. Block Access to debug.log File – Enabled
    24. Disable Index Views – Enabled
    25. Disable Trace and Track – Enabled
    26. Forbid Proxy Comment Posting – Enabled
    27. Deny Bad Query Strings – Enabled
    28. Enable Advanced Character String Filter – Enabled
    29. Enable 6G Firewall Protection – Enabled
    30. Enable legacy 5G Firewall Protection – Disabled
    31. Block Fake Googlebots: Enabled
    32. Prevent Image Hotlinking – Enabled
    33. Enable 404 IP Detection and Lockout – Enabled
    34. Time Length of 404 Lockout (min) – 5
    35. 404 Lockout Redirect URL – http://127.0.0.1
    36. Enable Rename Login Page Feature – Disabled
    37. Enable Brute Force Attack Prevention (cookie) – Enabled
    38. Secret Word: testlogin11
    39. Enable Captcha On Login Page – Enabled
    40. Enable Captcha On Custom Login Form – Disabled
    41. Enable Captcha On Woocommerce Login Form – Disabled
    42. Enable Captcha On Woocommerce Registration Form – Disabled
    43. Enable Captcha On Lost Password Page – Disabled
    44. Enable IP Whitelisting – Disabled
    45. Enable Honeypot On Login Page – Disabled
    46. Enable Captcha On Comment Forms – Enabled
    47. Block Spambots From Posting Comments – Enabled
    48. Minimum number of SPAM comments – 1
    49. Minimum number of SPAM comments per IP – 1
    50. Enable Automated File Change Detection Scan – Disabled
    51. Enable Front-end Lockout – Disabled
    52. Enable iFrame Protection – Enabled
    53. Disable Users Enumeration – Enabled

    Again, the weird thing is I can see my failed login records but not my locked out IP address in my WP Security Dashboard.

    Please help with the troubleshooting as I have spent nearly 36 hours trying to find a solution.

    Thank you very much!

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, just one question. Is this feature working for you, but you can’t see your IP address in the Dashboard? Is this correct? The reason why I am asking is because of the following comment.

    Again, the weird thing is I can see my failed login records but not my locked out IP address in my WP Security Dashboard.

    • This reply was modified 1 year, 7 months ago by  mbrsolution.

    Hey mbrsolution,

    To clarify, this feature is still NOT working for me.

    What I meant by my previous comment is this feature is recording my failed login attempts but NOT locking me out after 3 failed attempts. I can still enter as many different username and password combinations even after 3 failed attempts.

    Why would AIOWPS record my failed login attempts but NOT temporarily lock me out after 3 unsuccessful tries?

    CAPTCHA seems to be working just fine as well as pretty much all the other features.

    Thank you again for your relentless efforts. I apologize for the confusion and any other inconvenience!

    Plugin Contributor mbrsolution

    (@mbrsolution)

    You are most welcome. Unfortunately I have run out of ideas. I have submitted a message to the plugin developers to investigate further your issue. Sorry about this.

    Kind regards

    Plugin Author wpsolutions

    (@wpsolutions)

    Have you tried doing a plugin/theme conflict test? – ie, deactivate all other plugins except aiowps to see if the feature works?

    I can still enter as many different username and password combinations even after 3 failed attempts

    When you performed your test are the recorded IP addresses in the failed login table IPv4 or IPv6?

    My two cents: I think there might be a bug in AIOWPS that’s not setting, for example, option_values = ‘ ‘ WHERE option_name = ‘limit_login_lockouts’ LIMIT 1; Note, 1 is the number of login attempts allowed before you get locked

    I think you might be confusing the above reference with another plugin because there is no parameter called “limit_login_lockouts” in the aiowps plugin.

    I also read somewhere, there should be a login lock out folder/file created in your plugins folder after this feature is enabled and tested. I have no such folder or file.

    Once again what you are describing is not the behaviour of this plugin – you may be confusing it with some other plugin you are using.

    Hey wpsolutions,

    I just tried deactivating all my other plugins. Still no success.

    My IPv6 address is the one actually being recorded in the failed login table. I don’t know why it’s configured like that.

    @mbrsolution – thanks for trying again and submitting my request to the developers.

    Thank you very much wpsolutions for reaching out!

    I am so irritated by this small hiccup as I know I will probably have to tweak something up on my end!

    • This reply was modified 1 year, 7 months ago by  rebornhairppp.
    Plugin Author wpsolutions

    (@wpsolutions)

    You’ve just found the cause. IPv6 addresses are currently not supported for this feature.
    I will see what I can do regarding adding support for IPv6 in the lockout feature.

    Plugin Author wpsolutions

    (@wpsolutions)

    I forgot to add you will need to check whether your server is meant to be behaving this way with respect to showing IPv6 addresses.
    Is your IP address from your computer browser showing as IPv6?

    Hi wpsolutions,

    THANK YOU THANK YOU THANK YOU SO MUCH FOR investigating the culprit. This means a ton. I wasn’t expecting the above and beyond service. You truly exceeded my expectations. 🙂

    I sincerely apologize for taking so much of your valuable time by not disclosing this critical piece of information ahead of time.

    My IP address from my computer browser is my public IP address from my ISP. My server’s IPv6 address is different. Plus, my server is configured to primarily run IPv4 address.

    By any chance, do you know if any other feature is disabled because of IPv6? I tried running a malware scan using Sucuri’s free website and nothing came back negative except the firewall. Sucuri wasn’t able to detect a firewall on my website, so I am thinking my IPv6 address is probably muting this AIOWPS feature?

    If you can kindly let me know whether there are other potential but minor issues as a result of having an IPv6 address and when you plan on supporting IPv6 that would be kindly appreciated!

    I might also look into purchasing the feature for blocking international access. I hope that doesn’t conflict with IPv6.

    Thank you again for your stellar and generous support. Going out of your way to consider supporting IPv6 address is an act worth blessing you for from the Almighty!

    Plugin Author wpsolutions

    (@wpsolutions)

    My IP address from my computer browser is my public IP address from my ISP. My server’s IPv6 address is different. Plus, my server is configured to primarily run IPv4 address.

    Yes that’s right which is why I asked about your IP address because this is the address that your server will process and do the various checks in order to make a decision whether to block it or not based on your aiowps configuration.
    So if your actual “visitor” address is IPv4 but your server is seeing it as IPv6 you need to check with your host support people to see what is going on.

    Hi wpsolutions,

    My server is hosted by Linode and ISP is Spectrum. Do I need to check with Linode or Spectrum?

    Thanks!

    Hi wpsolutions,

    I just checked with Linode and they said everything is configured correctly. I think the issue is stemming from my ISP. I just noticed, my login failed attempts log shows different IPv6 addresses. It looks like IPv6 is not static which would explain why the lockout feature wasn’t working correctly. How can it if different IPv6 addresses are being read from my browser?

    I don’t know how this happened and will call Spectrum for more details.

    Will keep you posted!
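
The failure mode identified in this thread (failed logins recorded, but no lockout because each attempt arrives from a different IPv6 address), shown as an added example that is not part of any post and is not the plugin's code. It assumes a lockout counter keyed on the client address and compares exact-address counting with counting per IPv6 /64 prefix and per unwrapped IPv4-mapped address; the function names, the /64 choice and the sample rows are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

MAX_ATTEMPTS = 3                      # "Max Login Attempts" value from the thread
RETRY_WINDOW = timedelta(minutes=5)   # "Login Retry Time Period (min)" from the thread

def lockout_key(raw_ip, v6_prefix=64):
    """Return the key that failures from this client address are counted under."""
    ip = ipaddress.ip_address(raw_ip.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped           # ::ffff:203.0.113.7 -> 203.0.113.7
    if ip.version == 4:
        return str(ip)
    # Assumption: a client's rotating IPv6 addresses share one /64 prefix.
    return str(ipaddress.IPv6Network(f"{ip}/{v6_prefix}", strict=False))

def locked_keys(failed_logins, key_func):
    """Keys with MAX_ATTEMPTS or more failures inside one RETRY_WINDOW span."""
    by_key = defaultdict(list)
    for ts, raw_ip in failed_logins:
        by_key[key_func(raw_ip)].append(datetime.fromisoformat(ts))
    locked = set()
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times) - MAX_ATTEMPTS + 1):
            if times[i + MAX_ATTEMPTS - 1] - times[i] <= RETRY_WINDOW:
                locked.add(key)
                break
    return locked

# Constructed rows (failed_login_date, client address) using documentation ranges.
SAMPLE = [
    ("2017-11-20 10:00:05", "2001:db8:12:34:a1b2:c3d4:e5f6:1"),
    ("2017-11-20 10:00:40", "2001:db8:12:34:9f8e:7d6c:5b4a:2"),
    ("2017-11-20 10:01:15", "2001:db8:12:34:1111:2222:3333:3"),
    ("2017-11-20 10:02:00", "::ffff:203.0.113.7"),
    ("2017-11-20 10:02:30", "203.0.113.7"),
    ("2017-11-20 10:03:10", "203.0.113.7"),
    ("2017-11-20 10:30:00", "2001:db8:99::5"),
]

if __name__ == "__main__":
    # Exact-address counting never reaches the threshold for these rows.
    print("exact match:", locked_keys(SAMPLE, lambda ip: ip.strip()))
    # Normalized counting locks the /64 and the IPv4 client.
    print("normalized :", locked_keys(SAMPLE, lockout_key))
```

Counting per /64 means every host inside that prefix shares one counter, so a lockout applies to all of them for the lockout period.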

  • The topic ‘Enable Login Lockdown Feature Is Not Working’ is closed to new replies.