[Resolved] [Plugin: Limit Login Attempts] countdown

  • Plugin Author johanee

    @johanee

    You can control how long failed login attempts are remembered using the “xx hours until retries are reset” setting.

    The default is 24 hours, and the time is reset at each failed attempt.

    (If you have 1 failed attempt with 1 hour remaining until reset and fail again, there will be 2 failed attempts with 24 hours remaining.)

    Most sites can decrease this value (12 hours?) without major decrease in security provided.

    You can remove a lockout-in-progress, but not whitelist IP’s. Adding such functionality… I’m not sure. I want to keep the basic security function as simple as possible. Not give an attacker anything to work with to get around the restrictions.

    I’ll consider it.

    xx hours until retries are reset

    Oh boy, did I have s**t in my eyes!

    whitelist IP’s

    Of course there’s the ‘remember me’ function. I never use it, but that’s an option for your users.

    Thank you very much.

    Plugin Author johanee

    @johanee

    Of course there’s the ‘remember me’ function.

    Yes, right. So really no need for a whitelist — good!

    It’ll be best to incorporate the “time based” failed attempt reset with a successful attempt. For example, 3 attempts are given and the first 2 attempts failed but the last attempt succeeded, which should reset the number of failed attempts to zero.

    I hope that this could be included in the next release. We’re only human, and mistakes are bound to happen whenever we type in our passwords …

    Cheers,
    Jason

    Plugin Author johanee

    @johanee

    No, this is very much by design.

    Otherwise it would be possible to try “admin” for allowed retries – 1, and then log in to a normal account to reset count. Repeat until password broken.

    To make that work we would have to keep track of number of retries for every user for every IP, but that would allow a single IP to fill up the DB — not good.

    Nor can we keep track only per user as that would allow denial of service attacks against other users.

    When you make mistakes you’ll get an ugly warning until the retries are reset. I don’t think that is too much trouble really.

    I can recommend using a password manager. 🙂

    Also, as this is the fifth time I’m answering this question I’ll put it in the FAQ.
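
The counting rules described in this thread, as an added example that is not part of the original posts and is not the plugin's own code: a simplified per-IP model (lockout duration omitted) showing that each failure restarts the full reset window, and why clearing the count on a successful login removes the limit. `RetryCounter`, `guesses_before_lockout`, the default of 3 retries and the sample IP are assumptions made for illustration.

```python
HOUR = 3600  # seconds

class RetryCounter:
    """Hypothetical per-IP failed-login counter modelled on the thread's description."""

    def __init__(self, allowed_retries=3, valid_hours=24, reset_on_success=False):
        self.allowed_retries = allowed_retries
        self.valid_seconds = valid_hours * HOUR   # "xx hours until retries are reset"
        self.reset_on_success = reset_on_success  # the variant requested in the thread
        self.state = {}                           # ip -> (failed_count, expires_at)

    def _current(self, ip, now):
        count, expires = self.state.get(ip, (0, 0))
        if now >= expires:  # remembered retries have aged out
            self.state.pop(ip, None)
            return 0, 0
        return count, expires

    def failed_count(self, ip, now):
        return self._current(ip, now)[0]

    def hours_until_reset(self, ip, now):
        count, expires = self._current(ip, now)
        return (expires - now) / HOUR if count else 0.0

    def is_locked_out(self, ip, now):
        return self.failed_count(ip, now) >= self.allowed_retries

    def record_failure(self, ip, now):
        count, _ = self._current(ip, now)
        # Every failure restarts the full window, whatever time was left.
        self.state[ip] = (count + 1, now + self.valid_seconds)

    def record_success(self, ip, now):
        if self.reset_on_success:  # by design the described behaviour keeps the count
            self.state.pop(ip, None)


def guesses_before_lockout(counter, ip="203.0.113.7", budget=50):
    """Wrong guesses one IP gets in on an account when it logs in to a second
    account after every (allowed_retries - 1) failures; capped at budget."""
    now, guesses = 0, 0
    while guesses < budget and not counter.is_locked_out(ip, now):
        counter.record_failure(ip, now)
        guesses += 1
        if counter.failed_count(ip, now) == counter.allowed_retries - 1:
            counter.record_success(ip, now)
        now += 60  # constructed timeline: one attempt per minute
    return guesses
```

With the count kept across successful logins the IP is stopped at the retry limit; with reset-on-success the loop only ends because the constructed budget runs out.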

    You’ve a point there. Thanks for the advice =)
