WordPress.org

Forums

All In One WP Security & Firewall
[resolved] Feature Request: Login Lockdown Whitelist (19 posts)

  1. debenedictis
    Member
    Posted 1 year ago #

    Hi,
    I would like to exempt 3 or 4 IP addresses from the Login Lockdown protections. I have some users at fixed IPs that sometimes forget their password. I don't want to ever lock out the users at those IPs, though I do want to lock out other IPs that have users that try incorrect passwords.

    Is there a way to do that now?

    Robert

    http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

  2. mbrsolution
    Member
    Plugin Contributor

    Posted 1 year ago #

    Hello debenedictis, try the following

    WP Security >> User Login >> Login Whitelist and select Enabling IP Whitelisting. This will display your current IP, if you wish you can include it as well. Further down you can add all the IP addresses and/or IP address ranges to the Enter Whitelisted IP Addresses box.

    If you need any more help let us know.

    Kind regards

  3. wpsolutions
    Member
    Plugin Author

    Posted 1 year ago #

    @debenedictis,
    Currently the lockout feature does not exempt certain IP addresses from being locked out.
    The white list feature will only control who can get access to the login/wp-admin pages but those users can still get locked out if they get user/pass wrong.

    We will look into what you have suggested and see if we can implement something in a future update.

  4. debenedictis
    Member
    Posted 1 year ago #

    @wpsolutions

    Thank you.

    If you do update the plugin to support a lockdown whitelist please update this ticket.

  5. sdesigns
    Member
    Posted 1 year ago #

    Adding this feature would be great as I have the same problem. People keep using a capital letter when it should be lowercase, or the reverse, then they get locked out.

  6. thinkwired
    Member
    Posted 1 year ago #

    I made a similar request about a month ago; http://wordpress.org/support/topic/whitelist-valid-users?replies=2

    Rather than suggest a solution I'd just like to reiterate the problem and let the developer decide the best way to solve the need.

    How do we stop legitimate users, who are in some cases paying customers, from being locked out for doing something silly like misspelling their username?

    It would be nice to either whitelist known users OR select usernames to autoblock rather than autoblocking all unknown usernames.

    Best!

  7. wpsolutions
    Member
    Plugin Author

    Posted 1 year ago #

    Hi guys,
    In order for the lockout feature to actually lock somebody out they have to get their username (or password) wrong multiple times.

    If someone is consistently getting their login details wrong, then in normal security practice this should sound alarm bells because you are most likely dealing with someone who is illegitimately trying to log in.

    All of your suggestions are fine but they also open up more security holes because we would be making exceptions for people who can't remember their own account details.

    Having said that, we still want to think about this more carefully to see if there are ways to cater for what you are all asking for but with the least security compromises.

    (Don't forget, that the administrator can easily unlock any user by clicking the "unlock" link in the table which lists locked out users in the lockout settings page)

  8. thinkwired
    Member
    Posted 1 year ago #

    "we would be making exceptions for people who can't remember their own account details"

    Exactly... how do we make exceptions for people who can't remember their own account details? I know it sounds crazy and unbelievable but, it is happening. I have 50 or so user accounts and legitimate users get locked out 2-3 times per month. If things go well I expect to have 100 or so members in the next few months which means I will be dealing with angry users 4-6 times per month.

    Rather than "Instantly Lockout Invalid Usernames:" it might be nice to create a manual list of usernames to instantly lockout.

  9. wpsolutions
    Member
    Plugin Author

    Posted 1 year ago #

    After having a think about this, we feel we might have a couple of ideas in mind which should solve the issue of legitimate users locking themselves out.

    We may introduce something in the next release or the one after (depending on how busy we are)
    Will keep you guys posted.

  10. thinkwired
    Member
    Posted 1 year ago #

    If this is your solution, it is brilliant; "Check this if you want to allow users to generate an automated unlock request link which will unlock their account"

    Can you tell us exactly how this feature works? I assume any locked out user can enter their email and receive a link to unlock their IP? It's safe to assume spammers and automated bots will not do this.

  11. thinkwired
    Member
    Posted 1 year ago #

    Uh oh, I just tried this out and it seems as though you need to know your username... half of my lockouts are caused by people entering a wrong username. Usually off by one letter -- probably a mistype.

  12. wpsolutions
    Member
    Plugin Author

    Posted 1 year ago #

    I still can't believe people cannot remember their own user names!

    Ok we will modify the feature so that the locked out user will only have to enter email address when they submit an unlock request.

  13. thinkwired
    Member
    Posted 1 year ago #

    The problem is, people use all kinds of different usernames across the web. My site offers a blog and a forum, I have users who use different names to login to both. I don't understand it but the usability feedback/research doesn't lie. End users are not like us.

  14. truptig
    Member
    Posted 1 year ago #

    Hi

    I would like to exempt a few users with fixed IPs too.

  15. TambelaLen
    Member
    Posted 10 months ago #

    I am not finding

    WP Security >> User Login >> Login Whitelist

    or any other options for creating a whitelist. I have v3.7.7

    Does this option still exist?

  16. wpsolutions
    Member
    Plugin Author

    Posted 10 months ago #

    We moved that to the "Brute Force" menu.

  17. brookseh
    Member
    Posted 7 months ago #

    Hi there,

    I enabled the whitelist feature on my site and copied and pasted my IP address that was provided into the box below. However, when I logged out and tried to log back into my site, it did not take me to my login site.

    Is there a way to remove the IP address via FTP so that I can get back to my login? If you can tell me where to go via FTP in the All in One plugins folder, I would greatly appreciate it :)

    Thanks!

  18. Summer
    Member
    Posted 7 months ago #

    --brookseh--
    I go into my database and delete my IP in the locked out IPs when my husband manages to lock us out, which is every couple of days because he clicks or enters before completing the captcha, or does not know the difference between an underscore and a dash! He can be very trying!

    I do not use the white list feature because many of my registered members (including myself) log in from several different IPs frequently when using our private pages for remote group presentations or such. I think this feature would be most useful for a private or closed site.

    --thinkwired--
    The unlock code is set up to go to the email address that a user has already registered so someone trying to get access that way would not get a code or details unless they are already registered. If an email address is not already registered they don't get an unlock code sent to an unregistered email address.

    As far as not remembering your username, I use a local credentials program that stores all my login/user details for each site (about 200 a day, give or take a dozen) which I can easily access prior to logging in eliminating any lost/forgot credentials issues. Even places that I only login annually, I rarely get locked out.

    Summer

  19. cihat74
    Member
    Posted 7 months ago #

    Thank you very much for this quite useful, still free plugin.

    I managed to whitelist some IPs by that post.

    But would it also be possible to show the others a custom message? Or better, can we redirect them to a page to show that they are not allowed?

Topic Closed

This topic has been closed to new replies.
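
The thread turns on two separate lists (the login-page whitelist described in posts 2 and 3, and the lockout exemption requested in post 1) plus the e-mail unlock flow discussed in posts 10 to 18. The sketch below is an added illustration of that logic and is not code from the All In One WP Security & Firewall plugin; the class, its method names, the `lockout_exempt` list and all sample addresses are assumptions.

```python
import ipaddress
import secrets

class LoginGuard:
    """Toy model: the login-page allowlist and the lockout exemption are separate lists."""

    def __init__(self, max_attempts, login_allowlist=(), lockout_exempt=(), registered_emails=()):
        self.max_attempts = max_attempts
        self.login_allowlist = [ipaddress.ip_network(n) for n in login_allowlist]
        self.lockout_exempt = [ipaddress.ip_network(n) for n in lockout_exempt]  # hypothetical feature
        self.registered_emails = {e.lower() for e in registered_emails}
        self.failures = {}   # ip -> failed logins counted so far
        self.locked = set()  # ips currently locked out
        self.tokens = {}     # unlock token -> ip it unlocks

    @staticmethod
    def _in(ip, networks):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in networks)

    def can_reach_login(self, ip):
        # An empty allowlist means the login-page restriction is switched off.
        return not self.login_allowlist or self._in(ip, self.login_allowlist)

    def record_failure(self, ip):
        """Count a failed login; return True if the IP is now locked out."""
        if self._in(ip, self.lockout_exempt):
            return False  # exempt addresses are never counted or locked
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_attempts:
            self.locked.add(ip)
        return ip in self.locked

    def request_unlock(self, email, ip):
        """Issue a token only for a registered address and a locked IP."""
        if email.lower() not in self.registered_emails or ip not in self.locked:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = ip
        return token  # would be mailed to `email`, never shown on the page

    def redeem(self, token):
        ip = self.tokens.pop(token, None)  # pop makes the token single-use
        if ip is None:
            return False
        self.locked.discard(ip)
        self.failures.pop(ip, None)
        return True
```

An address on the login allowlist but not on the exempt list is still locked after `max_attempts` failures, which is the behaviour post 3 describes.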
