Support » Plugin: Limit Login Attempts Reloaded » Plugin Blocking All Logins – Even New Ones

  • juusan

    (@juusan)


    Hi there, I’ve had this plugin installed for a long time on four different sites, but suddenly it’s not behaving. Every time someone tries to login, it blocks them. While this makes sense for logins that are being hammered by bots, I just had a customer email me saying she’s locked out of her account, which she created seconds before. What’s going on?

    The page I need help with: [log in to see the link]

Viewing 8 replies - 1 through 8 (of 8 total)
  • I am having a similar issue. Version: 2.7.4 on the GD platform. Users are being locked out across usernames, across IP addresses for failed login attempts.

    So frustrating! My problem started a few months ago and it’s now getting to the point that the plugin is unusable. I’ve had to disable it across all of my sites.

    Plugin Author 2by2host

    (@wpchefgadget)

    Hi guys,

    Do you use CloudFlare or Sucuri or any other proxy service?

    Thanks for the reply. We aren’t using CloudFlare or Sucuri, but I’m assuming some kind of proxy is in use because I see the same HD5 hash for the IP address when checking the lockout log. Strangely, this is only the case since three days ago. Which is when the problem first came to my attention.

    The website is on GoDaddy managed WordPress, and they use this as an mu-plugin. Version 2.7.4.

    Yes to Cloudflare, but only on one site out of the four having problems. All sites are running Sucuri, but none of the sites have its WAF feature turned on, which is what blocks brute login bots.

    Is this an issue that has been resolved on later versions? I’ve seen this note numerous times:

    The plugin doesn’t trust any IP addresses other than _SERVER[“REMOTE_ADDR”] anymore. Trusting other IP origins make protection useless b/c they can be easily faked. This new version provides a way of secure IP unlocking for those sites that use a reverse proxy coupled with misconfigurated servers that populate _SERVER[“REMOTE_ADDR”] with wrong IPs which leads to mass blocking of users.

    I’ve been on the phone with GoDaddy for several hours and they are unwilling to update from version 2.7.4 for reasons unknown. All of the lockouts are coming from the same address when I look at the log, but I couldn’t get an answer from GoDaddy as to why that would be. They looked at the hashes and told me those weren’t IP addresses. Sigh.

    Lauren, I have the most recent version of the plugin and it’s still a problem. -_-

    Hi, so I’m guessing from the lack of support involvement that this it not going to be resolved and I should find a new plugin?

    • This reply was modified 2 weeks, 6 days ago by  juusan.
Viewing 8 replies - 1 through 8 (of 8 total)
  • You must be logged in to reply to this topic.