• After updating to the latest version of iThemes Security lockouts seem to be broken.

    1. Lockout rules don't seem to be followed. I get the generic “error” message from iThemes after the first wrong password submission.

    2. Lockouts are not being recorded. I get the email from iThemes that such a user has been locked out (I expect to see the host locked out first), but when I check the active lockouts section (if being able to log in wasn’t hint enough) I find that there are “No active lockouts” when in fact there should be active lockouts.

    3. When testing this issue I triggered the “error” lockout message. I then attempted to go back to mysite.com/wp-admin only to find that I am once again able to try another set of credentials instead of being locked out. Further, after getting the “error” lockout notice I found I was able to successfully log into my site with the correct credentials (I should be locked out).

    *Note: I made sure the IP addresses of my test devices were not whitelisted.

    This may be related to this -> https://wordpress.org/support/topic/table-wordpress-muwp_itsec_lockouts-doesnt-exist?replies=1

    Hopefully this gets promptly fixed because right now the lockouts function is non-usable.

    https://wordpress.org/plugins/better-wp-security/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter sroser

    (@supawiz6991)

    This now appears to be a separate issue from https://wordpress.org/support/topic/table-wordpress-muwp_itsec_lockouts-doesnt-exist?replies=1 . The site this is installed on is a single site.

    Thread Starter sroser

    (@supawiz6991)

    Now that I’ve had some time to further investigate this:

    1. Manually adding an IP address to the “banned IP address” section doesn't indeed lock out devices coming from that IP address.

    2. Brute Force Protection is not working as expected. I set my setting to 5 attempts per host and 40 attempts per user, yet the user is still being locked out before the host.

    2a. User lockouts are not appearing in the Active Lockouts section unless they try to login as admin (immediate ban option is active).

    Hi,

    There was an automatic whitelist feature added that I believe may be causing some of the confusion here. Once you log in as an admin your IP address is whitelisted for 24 hours. This will reset to the next 24 hours the next time you log in.

    The purpose of having user and host lockouts is in the case the brute force attack doesn’t visit the site enough times with the same IP to trigger a lockout. In this case the user was locked out before the host due to its IP being whitelisted.

    If you visit your iThemes Security Logs page do you see the lockouts?

    Thanks,

    Gerroald
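The interplay Gerroald describes (a whitelisted admin IP skips host counting, so the per-user threshold trips first) can be reproduced with a small constructed model. This is an added illustration, not iThemes Security's own code; the thresholds (5 per host, 40 per user), the IP 192.0.2.10 and the user name "editor" are assumptions taken from or made up for this thread.

```python
from dataclasses import dataclass, field

# Constructed model of the lockout behaviour described above; not the
# plugin's code. Thresholds mirror the settings sroser reported.
HOST_THRESHOLD = 5
USER_THRESHOLD = 40
WHITELIST_SECONDS = 24 * 60 * 60  # admin login whitelists the IP for 24 hours


@dataclass
class LockoutTracker:
    host_fails: dict = field(default_factory=dict)
    user_fails: dict = field(default_factory=dict)
    whitelist: dict = field(default_factory=dict)  # ip -> expiry timestamp
    lockouts: list = field(default_factory=list)   # recorded ("host"/"user", value)

    def admin_login(self, ip, now):
        # Successful admin login: whitelist the IP and restart the 24h window.
        self.whitelist[ip] = now + WHITELIST_SECONDS

    def is_whitelisted(self, ip, now):
        return self.whitelist.get(ip, 0) > now

    def failed_login(self, ip, user, now):
        """Record one failed attempt; return the lockout it triggers, if any."""
        # Per-user counting ignores the IP, so a distributed attack that never
        # repeats a host still trips the user threshold.
        self.user_fails[user] = self.user_fails.get(user, 0) + 1
        if self.user_fails[user] >= USER_THRESHOLD:
            self.lockouts.append(("user", user))
            return ("user", user)
        # Host counting is skipped entirely while the IP is whitelisted.
        if not self.is_whitelisted(ip, now):
            self.host_fails[ip] = self.host_fails.get(ip, 0) + 1
            if self.host_fails[ip] >= HOST_THRESHOLD:
                self.lockouts.append(("host", ip))
                return ("host", ip)
        return None


def simulate(admin_logged_in_from_ip):
    """Replay 40 failures for one user from one IP; return the first lockout."""
    t = LockoutTracker()
    if admin_logged_in_from_ip:
        t.admin_login("192.0.2.10", now=0)      # constructed test IP
    for i in range(USER_THRESHOLD):
        hit = t.failed_login("192.0.2.10", "editor", now=60 + i)
        if hit:
            return hit
    return None
```

With the admin whitelist active the user lockout fires at attempt 40 and no host lockout is ever recorded; without it the host lockout fires at attempt 5, which is the order sroser expected.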

  • The topic ‘Lockouts not working Properly’ is closed to new replies.