Limit Login Attempts
[resolved] countdown (7 posts)

  1. Roy
    Posted 5 years ago #

    I noticed this plugin keeps counting down, which actually made me delete it. First I installed it and used the default setting of 5 attempts and tried to see if it worked. It did. I mistaped the login later and the count went down to three and two, so I set the limit to 8 attempts. When I mistype again later (another day even), the counter keeps going down. Wouldn't it be wiser to make some kind of time interval for a few hours after which a certain IP is cleared? Also, the plugin gives the IP in the options screen, but without the option to exclude that very IP from the lockdown. I just didn't trust from not being locked out after some mistypes in the course of some time.
    (Now I installed one that doesn't count, I may trust that one even less!)

  2. johanee
    Plugin Author

    Posted 5 years ago #

    You can control how long failed login attempts are remembered using the "xx hours until retries are reset" setting.

    The default is 24 hours, and the time is reset at each failed attempt.

    (If you have 1 failed attempts with 1 hour remaining until reset and fail again there will be 2 failed attempts with 24 hours remaining.)

    Most sites can decrease this value (12 hours?) without major decrease in security provided.

    You can remove a lockout-in-progres, but not whitelist IP's. Adding such functionality... I'm not sure. I want to keep the basic security function as simple as possible. Not give an attacker anything to work with to get around the restrictions.

    I'll consider it.

  3. Roy
    Posted 5 years ago #

    xx hours until retries are reset

    Oh boy, did I have s**t in my eyes!

    whitelist IP's

    Of course there's the 'remember me' function. I never use it, but that's an option for your users.

    Thank you very much.

  4. johanee
    Plugin Author

    Posted 5 years ago #

    Of course there's the 'remember me' function.

    Yes, right. So really no need for a whitelist -- good!

  5. Jason Wong
    Posted 5 years ago #

    It'll be best to incorporate the "time based" failed attempt reset with a successful attempt. For example, 3 attempts are given and the first 2 attempts failed but the last attempt succeeded, which should reset the number of failed attempts to zero.

    I hope that this could be included in the next release. We're only human, and mistakes are bound to happen whenever we type in our passwords ...


  6. johanee
    Plugin Author

    Posted 5 years ago #

    No, this is very much by design.

    Otherwise it would be possible to try "admin" for allowed retries - 1, and then log in to a normal account to reset count. Repeat until password broken.

    To make that work we would have to keep track of number of retries for every user for every IP, but that would allow a single IP to fill up the DB -- not good.

    Nor can we keep track only per user as that would allow denial of service attacks against other users.

    When you make mistakes you'll get an ugly warning until the retries are reset. I don't think that is too much trouble really.

    I can recommend using a password manager. :)

    Also, as this is the fifth time I'm answering this question I'll put it in the FAQ.

  7. Jason Wong
    Posted 5 years ago #

    You've a point there. Thanks for the advice =)

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • Limit Login Attempts
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic