Title: Locking our legit users Last modified: August 31, 2016 --- # Locking our legit users * Resolved [enquirer32](https://wordpress.org/support/users/enquirer32/) * (@enquirer32) * [10 years ago](https://wordpress.org/support/topic/locking-our-legit-users/) * The problem is the plugin inserts the following into the htaccess file: * ``` #AIOWPS_LOGIN_WHITELIST_START Order Allow,Deny Allow from mywebsite.com Allow from xxx.xxx.xx.xx etc #AIOWPS_LOGIN_WHITELIST_END ``` * but… if the IP address of other users isn’t already whitelisted for some reason then they can’t access wp-login and that’s no good. They get an error message as follows: * > Forbidden > You don’t have permission to access /wp-login.php on this server. > etc * The only way I can see to stop this happening is to edit the htaccess file and remove the above or in any not enable the feature in the first place which seems a little silly. * Any views much appreciated. * [https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/](https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/) Viewing 7 replies - 1 through 7 (of 7 total) * Plugin Contributor [mbrsolution](https://wordpress.org/support/users/mbrsolution/) * (@mbrsolution) * [10 years ago](https://wordpress.org/support/topic/locking-our-legit-users/#post-7359230) * Hi, the Whitelist function only allows access to your website the IP address added in the list. So if a user tries to log in and their IP address is not added to the list, they will see the above mentioned warning messages. * Is this what you expected by enabling this feature? * Thread Starter [enquirer32](https://wordpress.org/support/users/enquirer32/) * (@enquirer32) * [10 years ago](https://wordpress.org/support/topic/locking-our-legit-users/#post-7359243) * Thanks for the reply. No, I didn’t expect this and it is useful. I had simply expected that it would set up a test for multiple wrong logins and ban them. Perhaps it could do with a clearer explanation. What about multiple incorrect logins? * Plugin Contributor [mbrsolution](https://wordpress.org/support/users/mbrsolution/) * (@mbrsolution) * [10 years ago](https://wordpress.org/support/topic/locking-our-legit-users/#post-7359302) * I understand what you mean however I think the feature you mentioned above is** Enable Login Lockdown Feature:**. This feature can be found in **WP Security - > User Login -> Login Lockdown**. * The login Whitelist should only be enabled if you know which people you want to log into your admin panel and they have a **static IP addresses**. This feature is set as an **Intermediate** security level but it is extremely powerful. * Thread Starter [enquirer32](https://wordpress.org/support/users/enquirer32/) * (@enquirer32) * [10 years ago](https://wordpress.org/support/topic/locking-our-legit-users/#post-7359319) * > I understand what you mean however I think the feature you mentioned above > is Enable Login Lockdown Feature:. This feature can be found in WP Security- > > User Login -> Login Lockdown. * Yes, I understand that. * > The login Whitelist should only be enabled * – I don’t see this as a separate feature it seems to occur automatically if one enables the above? * Plugin Contributor [mbrsolution](https://wordpress.org/support/users/mbrsolution/) * (@mbrsolution) * [10 years ago](https://wordpress.org/support/topic/locking-our-legit-users/#post-7359320) * Hi, what do you mean by. * > I don’t see this as a separate feature it seems to occur automatically if > one enables the above? * Thread Starter [enquirer32](https://wordpress.org/support/users/enquirer32/) * (@enquirer32) * [10 years ago](https://wordpress.org/support/topic/locking-our-legit-users/#post-7359327) * If I enable login lockdown it automatically added the whitelist. Maybe we are talking at cross-purposes. I suppose the point is this: * is there a system for locking out multiple failed login attempts? * [Česlav Przywara](https://wordpress.org/support/users/chesio/) * (@chesio) * [10 years ago](https://wordpress.org/support/topic/locking-our-legit-users/#post-7359337) * Hi enquirer32, * > is there a system for locking out multiple failed login attempts? * Yes, there is and, as [@mbrsolution](https://wordpress.org/support/users/mbrsolution/) already mentioned, its the **Login Lockdown** feature that you can find and configure under “User Login” menu. * The “Login Whitelist” feature is completely unrelated to it. As the description on the page says: “This feature will deny login access for all IP addresses which are not in your whitelist”. So, if you need your legit users to log in from different( unknown) IP addresses, you **cannot** use “Login Whitelist” feature… * Cheers, Česlav Viewing 7 replies - 1 through 7 (of 7 total) The topic ‘Locking our legit users’ is closed to new replies. * ![](https://ps.w.org/all-in-one-wp-security-and-firewall/assets/icon-256x256. png?rev=2798307) * [All-In-One Security (AIOS) – Security and Firewall](https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/) * [Frequently Asked Questions](https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/#faq) * [Support Threads](https://wordpress.org/support/plugin/all-in-one-wp-security-and-firewall/) * [Active Topics](https://wordpress.org/support/plugin/all-in-one-wp-security-and-firewall/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/all-in-one-wp-security-and-firewall/unresolved/) * [Reviews](https://wordpress.org/support/plugin/all-in-one-wp-security-and-firewall/reviews/) ## Tags * [forbidden](https://wordpress.org/support/topic-tag/forbidden/) * [permission](https://wordpress.org/support/topic-tag/permission/) * 7 replies * 3 participants * Last reply from: [Česlav Przywara](https://wordpress.org/support/users/chesio/) * Last activity: [10 years ago](https://wordpress.org/support/topic/locking-our-legit-users/#post-7359337) * Status: resolved