• Resolved enquirer32

    (@enquirer32)


    The problem is the plugin inserts the following into the htaccess file:

    #AIOWPS_LOGIN_WHITELIST_START
    <FilesMatch "^(wp-login\.php)">
    Order Allow,Deny
    Allow from mywebsite.com
    Allow from xxx.xxx.xx.xx etc
    </FilesMatch>
    #AIOWPS_LOGIN_WHITELIST_END

    but… if the IP address of other users isn’t already whitelisted for some reason then they can’t access wp-login and that’s no good. They get an error message as follows:

    Forbidden
    You don’t have permission to access /wp-login.php on this server. etc

    The only way I can see to stop this happening is to edit the htaccess file and remove the above, or in any case not enable the feature in the first place, which seems a little silly.

    Any views much appreciated.

    https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, the Whitelist function only allows access to your website from the IP addresses added to the list. So if a user tries to log in and their IP address is not added to the list, they will see the above-mentioned warning messages.

    Is this what you expected by enabling this feature?

    Thread Starter enquirer32

    (@enquirer32)

    Thanks for the reply. No, I didn’t expect this and it is useful. I had simply expected that it would set up a test for multiple wrong logins and ban them. Perhaps it could do with a clearer explanation. What about multiple incorrect logins?

    Plugin Contributor mbrsolution

    (@mbrsolution)

    I understand what you mean; however, I think the feature you mentioned above is “Enable Login Lockdown Feature”. This feature can be found in WP Security -> User Login -> Login Lockdown.

    The login Whitelist should only be enabled if you know which people you want to log into your admin panel and they have static IP addresses. This feature is set as an Intermediate security level but it is extremely powerful.

    Thread Starter enquirer32

    (@enquirer32)

    > I understand what you mean however I think the feature you mentioned above is Enable Login Lockdown Feature:. This feature can be found in WP Security -> User Login -> Login Lockdown.

    Yes, I understand that.

    > The login Whitelist should only be enabled

    – I don’t see this as a separate feature it seems to occur automatically if one enables the above?

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, what do you mean by:

    > I don’t see this as a separate feature it seems to occur automatically if one enables the above?

    Thread Starter enquirer32

    (@enquirer32)

    If I enable login lockdown it automatically added the whitelist. Maybe we are talking at cross-purposes. I suppose the point is this:

    is there a system for locking out multiple failed login attempts?

    Hi enquirer32,

    > is there a system for locking out multiple failed login attempts?

    Yes, there is and, as @mbrsolution already mentioned, it’s the Login Lockdown feature that you can find and configure under the “User Login” menu.

    The “Login Whitelist” feature is completely unrelated to it. As the description on the page says: “This feature will deny login access for all IP addresses which are not in your whitelist”. So, if you need your legit users to log in from different (unknown) IP addresses, you cannot use the “Login Whitelist” feature…

    Cheers,
    Česlav
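
Added example (not part of the thread and not the plugin's code): a Python sketch that reads the AIOWPS_LOGIN_WHITELIST block quoted in the first post and reports whether a given client address would reach wp-login.php under `Order Allow,Deny`. The sample .htaccess and its addresses are constructed, the function names are hypothetical, and hostname entries are treated as non-matching because Apache resolves them with a reverse DNS lookup that cannot be reproduced offline.

```python
import ipaddress
import re

# Constructed sample in the shape the plugin writes; addresses are documentation ranges.
SAMPLE_HTACCESS = """\
#AIOWPS_LOGIN_WHITELIST_START
<FilesMatch "^(wp-login\\.php)">
Order Allow,Deny
Allow from mywebsite.com
Allow from 203.0.113.7
Allow from 198.51.100.0/24
Allow from 192.0.2
</FilesMatch>
#AIOWPS_LOGIN_WHITELIST_END
"""
BLOCK_RE = re.compile(r"#AIOWPS_LOGIN_WHITELIST_START(.*?)#AIOWPS_LOGIN_WHITELIST_END", re.S)

def whitelist_entries(htaccess_text):
    """Return the 'Allow from' values in the whitelist block, or None if absent."""
    block = BLOCK_RE.search(htaccess_text)
    if block is None:
        return None
    entries = []
    for line in block.group(1).splitlines():
        words = line.split()
        if [w.lower() for w in words[:2]] == ["allow", "from"]:
            entries.extend(words[2:])
    return entries

def entry_matches(entry, client_ip):
    """Match one entry against a client IP: full address, CIDR, or partial IPv4."""
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass  # not an address or network; try the partial-IPv4 form next
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,2}\.?", entry):
        return client_ip.startswith(entry.rstrip(".") + ".")
    return False  # hostname entry: needs reverse DNS, not evaluated here

def login_allowed(htaccess_text, client_ip):
    """Order Allow,Deny: anything not matched by an Allow line is denied."""
    entries = whitelist_entries(htaccess_text)
    if entries is None:
        return True  # block not present, so this feature imposes no restriction
    return any(entry_matches(e, client_ip) for e in entries)

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.200", "192.0.2.55", "203.0.113.8"):
        print(ip, "allowed" if login_allowed(SAMPLE_HTACCESS, ip) else "403 Forbidden")
```

Running it against a copy of the site's .htaccess before enabling the feature shows which of the expected user addresses would receive the Forbidden page.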


The topic ‘Locking our legit users’ is closed to new replies.