Support » Plugin: BruteProtect » How many attempts?

  • Resolved David Anderson



    I love the idea and have used this on a few sites.

    I have a site that is mainly for users from a single institution. The whole institution is (probably) behind a single IP address. So, a few failed logins from different users could quickly look like a cracker at work, and lock everyone out – not just out of this site, but out of all Brute-Protected site. Or perhaps not – it’s hard to say… the question is: what are the limits? And secondly… can they be made configurable? (e.g. “Don’t report the IP to BruteProtect central unless it has X failures within Y minutes” – depending on how BP actually works under the hood).


Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Sam Hotchkiss


    Hi David–

    First off, thanks for your feedback! We’ve been hard at work on a number of major updates to the plugin, one of which will directly address this concern, and we can’t wait to unveil them.

    In the mean time– it’s 10 failed logins before a lockout occurs. You are correct in saying that this will lock out the user across BP-protected sites

    As an interim fix, you can make the following change:

    To whitelist your IP on your site, change line 37 of bruteprotect.php from:

    add_action('login_head', 'brute_check_loginability');


    if($_SERVER['REMOTE_ADDR'] != '') { add_action('login_head', 'brute_check_loginability'); }

    (replacing with your IP)

    Hope this helps!

    Hi guys,

    is it possibile setting the value of failed logins before a lockout occurs (on the admin plugin console or directly into the PHP code)?

    Thank you

    Plugin Author Sam Hotchkiss


    No– the number of failed logins is controlled by our API, it’s more than just X logins then a block– we use the data from the 10m+ failed logins we have logged to help determine if someone is a real threat, and we’ll keep refining this algorithm as we move forward.

    Can you give any indication about the timespan you use for this count? (10 attempts a year or 10 attempts an hour make quite the difference.) And perhaps for the length of the lockout period?

    I’d like to be able to tell my clients (more or less) exactly what plugins do.

    Plugin Author Sam Hotchkiss


    Hi Daan–

    At the moment, the algorithm is:
    8 failed attempts in 8 hours = 8 hour block
    15 failed attempts in 24 hours = 48 hour block
    25 failed attempts in 7 days = 14 day block
    40 failed attempts in 1 month = 2 month block
    65 failed attempts in 1 year = 2 year block

    We’re working on making this “smarter”– more details to come

    Blocking anything for 2 years is probably unhelpful… IP addresses can get recycled quite a lot, particularly if they’re on VPS services. It’d be hugely annoying to buy a VPS to install a VPN server on, then find that you can’t log in to lots of WP sites because of a 2-year ban.

    Ah, getting a 2 year block takes serious effort:
    First you get a 8h block (8 failed
    Then you get a 2d block (15 failed =2d,8h)
    Then you get a 8h block (23 failed =2d,16h)
    Then you get a 14d block (25 failed =18d,16h)
    Then you get a 8h block (33 failed =19d)
    Then you get a 2m block (40 failed =2m,21d)
    Then you get a 8h block (48 failed =2m,21d,8h)
    Then you get a 2d block (55 failed =2m,23d,8h)
    Then you get a 8h block (63 failed =2m,21d,16h)
    Then, after 2 months, 21 days and 16 hours of continuous hammering from the same IP, you get a 2 year block (which effectively resets everything).

    It’s pretty hard to get to the point where you’ll be blocked for 2 years, but nonetheless there should be a ‘Unblock me’ feature somewhere. 25 failed attempts is not unthinkable, but being unable to login for two weeks is.

    I would also suggest to start with some smaller steps. 8 failed attempts is not much, but blocks you for a nasty period. Perhaps start with 15m, then an hour, then rapidly build up to longer periods for the real bots.

    A bit like this:
    5 failed attempts in 15mins = 15 min block
    10 failed attempts in 30mins = 1 hour block
    15 failed attempts in 90mins = 1 day block

    It also seems important to give some feedback like ‘3 attempts left’.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘How many attempts?’ is closed to new replies.