Support » Plugin: All In One WP Security & Firewall » Locking numerous login attempts display the secret login page name

  • Hello,

    When a user try to log many times and exceed the number allowed, the user get blocked.
    From there, the url in the page display the secret login page name…

    Is it a bug? or an issue?

    Maybe should be corrected ?
    Best Regards

Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Author wpsolutions

    (@wpsolutions)

    When a user try to log many times and exceed the number allowed, the user get blocked.
    From there, the url in the page display the secret login page name

    Can you please provide more details regarding the scenario you are referring to?
    Is the user who is trying log in a legitimate user? If so, then they already should know your hidden login page.

    not at all, my user do not know my login page as I use a plugin Profile Builder for that.

    The secret page is only accessible to admin users.

    For all others users, they access a page named “connexion”

    Yes the user who is trying to attempt many logs is a known user but with false password.

    So the secret page is displayed…

    Cheers

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, @jtm12 and @apblog. Do any of you have one of the following features enabled in the settings? They are located under WP Security -> Firewall -> Basic Firewall Rules settings.

    Completely Block Access To XMLRPC:
    Disable Pingback Functionality From XMLRPC:

    Regards

    No.

    I found your plugin as a solution to brute force attacks, and that’s the only part of the plugin I’m using, though I keep telling myself to go through the rest of the plugin and learn all its features. I do not have either of the features you mentioned enabled.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi @jtm12, can you enable one of the features I mentioned above.

    Many times hackers try to get in via the xmlrpc.php file in WordPress sites. Give this a try and report back if the attempts to your site have stopped or have been reduced.

    Thank you

    Will do.

    I used the first option (completely block access To XMLRPC) and that stopped the attacks, as far as I can tell. I have received no new notifications of an attacker being locked out.

    Thank you.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi @jtm12, thank you for reporting back. I am glad to hear that so far enabling the feature I mentioned above is helping you. Please keep monitoring this and report back any changes to your site in the future.

    Enjoy the plugin.

    Kind regards

    @mbrsolution @wpsolutions

    Do you have a solution for my request I sent you here?
    Because you know that on a wordpress website, yu have admin users that can access you rsecret login page and others users that cannot access your secret login page but another login page.

    So if a basic user is locked it is not a good idea to redirect it to the secret login page !! seems logical?

    Please let me know if you consider my request is good?
    Cheers

    Plugin Author wpsolutions

    (@wpsolutions)

    Hi @seb06,
    Your setup is non-standard in the sense that you are using a plugin to create special login access which differs somewhat from the standard WordPress login.

    The aiowps plugin tries to cover the security of the standard WordPress setup and in some cases it also accounts for very popular plugins such as Woocommerce which are widely used.
    To cover every scenario based on different plugins would be impossible.
    However, if you want me to do a custom development job for you, you can reach me via my contact page (see my profile) and we can work something out.

    Yes I understand, but this need to have a custom login page is common to many websites and I do not think there are so many custom others needs…

    You should consider also that the use of woocommerce with wordpress that allows others users that are non admin users to access a website.

    So considering using woocommerce give non sense to the secret login page !!
    Why using a secret login page if all the users (customers) have to access it !!

    So I think that my request is good and should be integrated natively into your plugin.

    Let me know if considering it?
    Should not be a huge work to redirect to another page when locked out? 🙂

    Cheers!

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi @seb06, I just thought of sharing this with you.

    Someone here in the forum shared a filter they use in their site running WooCommerce for a similar situation as yourself. You might like to check the following forum post.

    I have not tested this myself.

    Kind regards

    My small wordpress site got about 350 visitors a day – a lot of these were login attempts although they never found where WPS Hide Login had put it. Suddenly 3 days ago the number of daily visitors dropped by 50% to around 170 and has stayed down. Looking on wordfence I see that almost all the login attempts have stopped. They all came from new sites as I manually blocked each attempting I.P address for a while and it made no difference. The obvious implication is that these attempts were from a single source with a massive botnet – it had been going on for at least six months to a year, having gradually built up.
    I tried to get wordfence to automatically block any site attempting to use wp-login but I can’t manage to do that – it ignores this in options….. Almost all the login attempts wee preceded by a normal visit to the site – so the statistics would have been messed up anyway.
    How can I block sites that try wp-login?

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi @timowen, can you start a new support thread please.

    Thank you

Viewing 14 replies - 1 through 14 (of 14 total)
  • The topic ‘Locking numerous login attempts display the secret login page name’ is closed to new replies.