The User Login->Login Lockdown feature does not seem to be working for failed login attempts when the username does exist (a valid username). I have the lockdown settings at max login attempts = 4 and Login Retry Time Period = 2 minutes. However if the username exists, I can try logging in even 10 times in 2 minutes and there is no lockdown for the IP address. I tested this because in the Failed Login Records tab I can see that one IP address tried to login with an existing username repeatedly, every 2 seconds, and was not locked out after several minutes as I would like.
We need this to work because hackers are deriving our usernames from posts and trying to break in.
Note – this appears to be the same problem reported here https://wordpress.org/support/topic/max-login-attempts/
- The topic ‘Login lockdown not working for existing usernames’ is closed to new replies.