I would like to exempt 3 or 4 IP addresses from the Login Lockdown protections. I have some users at fixed IPs that sometimes forget their password. I don’t want to ever lock out the users at those IPs, though I do want to lock out other IPs that have users that try incorrect passwords.
Is there a way to do that now?
Hello debenedictis, try the following
WP Security >> User Login >> Login Whitelist and select Enabling IP Whitelisting. This will display your current IP, if you wish to include it as well. Further down you can add all the IP addresses and/or IP address ranges to the Enter Whitelisted IP Addresses box.
If you need any more help let us know.
Currently the lockout feature does not exempt certain IP addresses from being locked out.
The white list feature will only control who can get access to the login/wp-admin pages but those users can still get locked out if they get user/pass wrong.
We will look into what you have suggested and see if we can implement something in a future update.
If you do update the plugin to support a lockdown whitelist please update this ticket.
Adding this feature would be great as I have the same problem. People keep using a capital letter when it should be lowercase or the reverse, then they get locked out.
I made a similar request about a month ago; http://wordpress.org/support/topic/whitelist-valid-users?replies=2
Rather than suggest a solution I’d just like to reiterate the problem and let the developer decide the best way to solve the need.
How do we stop legitimate users, who are in some cases paying customers, from being locked out for doing something silly like misspelling their username?
It would be nice to either whitelist known users OR select usernames to autoblock rather than autoblocking all unknown usernames.
In order for the lockout feature to actually lock somebody out they have to get their username (or password) wrong multiple times.
If someone is consistently getting their login details wrong, then in normal security practice this should sound alarm bells because you are most likely dealing with someone who is illegitimately trying to log in.
All of your suggestions are fine but they also open up more security holes because we would be making exceptions for people who can’t remember their own account details.
Having said that, we still want to think about this more carefully to see if there are ways to cater for what you are all asking for but with the least security compromises.
(Don’t forget, that the administrator can easily unlock any user by clicking the “unlock” link in the table which lists locked out users in the lockout settings page)
“we would be making exceptions for people who can’t remember their own account details”
Exactly… how do we make exceptions for people who can’t remember their own account details? I know it sounds crazy and unbelievable but, it is happening. I have 50 or so user accounts and legitimate users get locked out 2-3 times per month. If things go well I expect to have 100 or so members in the next few months which means I will be dealing with angry users 4-6 times per month.
Rather than “Instantly Lockout Invalid Usernames:” it might be nice to create a manual list of usernames to instantly lockout.
After having a think about this, we feel we might have a couple of ideas in mind which should solve the issue of legitimate users locking themselves out.
We may introduce something in the next release or the one after (depending on how busy we are).
Will keep you guys posted.
If this is your solution, it is brilliant; “Check this if you want to allow users to generate an automated unlock request link which will unlock their account”
Can you tell us exactly how this feature works? I assume any locked out user can enter their email and receive a link to unlock their IP? It’s safe to assume spammers and automated bots will not do this.
Uh oh, I just tried this out and it seems as though you need to know your username… half of my lockouts are caused by people entering a wrong username. Usually off by one letter — probably a mistype.
I still can’t believe people cannot remember their own user names!
Ok, we will modify the feature so that the locked out user will only have to enter their email address when they submit an unlock request.
The problem is, people use all kinds of different usernames across the web. My site offers a blog and a forum, and I have users who use different names to log in to both. I don’t understand it but the usability feedback/research doesn’t lie. End users are not like us.
I am not finding
WP Security >> User Login >> Login Whitelist
or any other options for creating a whitelist. I have v3.7.7
Does this option still exist?
- The topic ‘Feature Request: Login Lockdown Whitelist’ is closed to new replies.