Support » Plugin: Limit Login Attempts Reloaded » Plugin Blocking All Logins – Even New Ones

  • Resolved juusan

    (@juusan)


    Hi there, I’ve had this plugin installed for a long time on four different sites, but suddenly it’s not behaving. Every time someone tries to login, it blocks them. While this makes sense for logins that are being hammered by bots, I just had a customer email me saying she’s locked out of her account, which she created seconds before. What’s going on?

  • laurenfromseattle

    (@laurenfromseattle)

    I am having a similar issue. Version: 2.7.4 on the GD platform. Users are being locked out across usernames, across IP addresses for failed login attempts.

    juusan

    (@juusan)

    So frustrating! My problem started a few months ago and it’s now getting to the point that the plugin is unusable. I’ve had to disable it across all of my sites.

    Plugin Author WPChef

    (@wpchefgadget)

    Hi guys,

    Do you use CloudFlare or Sucuri or any other proxy service?

    laurenfromseattle

    (@laurenfromseattle)

    Thanks for the reply. We aren’t using CloudFlare or Sucuri, but I’m assuming some kind of proxy is in use because I see the same HD5 hash for the IP address when checking the lockout log. Strangely, this is only the case since three days ago. Which is when the problem first came to my attention.

    The website is on GoDaddy managed WordPress, and they use this as an mu-plugin. Version 2.7.4.

    juusan

    (@juusan)

    Yes to Cloudflare, but only on one site out of the four having problems. All sites are running Sucuri, but none of the sites have its WAF feature turned on, which is what blocks brute login bots.

    laurenfromseattle

    (@laurenfromseattle)

    Is this an issue that has been resolved on later versions? I’ve seen this note numerous times:

    The plugin doesn’t trust any IP addresses other than _SERVER[“REMOTE_ADDR”] anymore. Trusting other IP origins make protection useless b/c they can be easily faked. This new version provides a way of secure IP unlocking for those sites that use a reverse proxy coupled with misconfigurated servers that populate _SERVER[“REMOTE_ADDR”] with wrong IPs which leads to mass blocking of users.

    I’ve been on the phone with GoDaddy for several hours and they are unwilling to update from version 2.7.4 for reasons unknown. All of the lockouts are coming from the same address when I look at the log, but I couldn’t get an answer from GoDaddy as to why that would be. They looked at the hashes and told me those weren’t IP addresses. Sigh.

    juusan

    (@juusan)

    Lauren, I have the most recent version of the plugin and it’s still a problem. -_-

    Hi, so I’m guessing from the lack of support involvement that this is not going to be resolved and I should find a new plugin?

    No word on this? Wow, that really sucks. The only way your plugin is usable is when it’s DISABLED. Lovely.

    Plugin Author WPChef

    (@wpchefgadget)

    Hi juusan,

    Please see which environment variables contain your real IP and what the REMOTE_ADDR one is showing, and let us know.

    I don’t know where to find this. Also, it’s happening on all five of my sites where I have the plugin installed. The only way I can get into any of my sites is by disabling the plugin via FTP.

    Plugin Author WPChef

    (@wpchefgadget)

    Since you use CloudFlare, the most reliable solution for you would be asking your hosting provider to install mod_cloudflare: https://github.com/cloudflare/mod_cloudflare This will fix the issue with IPs.

    If you have the latest version of the plugin, you should be able to log in by resetting the password, as it is stated on the login page.

    You can also put the following line into the IP Origin box on the plugin’s settings page:
    HTTP_CF_CONNECTING_IP
    but this will lower your security a lot, for the reasons explained in this thread, on the plugin’s settings page, on the plugin’s changelog page and in a number of similar support topics – any IP origin other than REMOTE_ADDR can be easily faked.

    I can ask my host to install mod_cloudflare, but I’m only running one site out of five on Cloudflare, and they are all having this problem. Even the four NON-Cloudflare sites. What about those?

    And the plugin used to work great even on my site that uses Cloudflare.

    Resetting my password every time I want to login is clearly not a great option. Especially when it comes to five different sites. That’s… not a fix. At all. It’s a last resort.

    Plugin Author WPChef

    (@wpchefgadget)

    Hi juusan,

    > I’m only running one site out of five on Cloudflare, and they are all having this problem

    Do they use any type of proxy service as well? You can find this out by finding their domain names in any WHOIS service and checking the Name Servers option. You can paste this info here as it is public anyway.

    > the plugin used to work great even on my site that uses Cloudflare

    The old version of the plugin worked fine b/c it supported extra IP origins which is a bad practice and makes the whole idea useless.

    > Resetting my password every time I want to login is clearly not a great option.

    This feature is designed for special situations when you got locked and need to unlock yourself. This is not for daily use.

    No, the other sites do not have a proxy at all. Here’s the whois record for https://fearlesscooking.club, one of my sites that has the problem:

