Limit Login Attempts
Plugin 1.6.1 does not reset retries on time (4 posts)

  1. fwchapman
    Posted 4 years ago #

    Dear johanee,

    I really like your plugin! Unlike a similar plugin I tried, this plugin works with my SSL certificate login security.

    Unfortunately, I am having a small problem: The "hours until retries are reset" setting does not seem to have any effect.

    I did a successful test in which the number of retries was reset automatically overnight. I then did a second test where I changed the setting to 2 hours and deliberately mistyped the password. More than 2 hours later, the number of retries was not reset!

    There's also a very minor issue with some confusing wording. The first setting is called "allowed retries," but it's actually the allowed number of attempts. The allowed number of retries would be one less. For example, the default setting is 4, which allows a total of 4 login attempts before lockout, of which only 3 are actually retries. I expected the default setting to allow 4 retries and 5 total attempts.

    Could you please change "allowed retries" to "allowed attempts"? That would clear up the confusion quite nicely!

    Thanks very much,

    Fred Chapman
    Bethlehem, PA

  2. fwchapman
    Posted 4 years ago #

    P.S. The second test I mentioned has finally run to completion. It did reset the number of retries in less than the default value of 12 hours, but it took more than the 2-hour time limit I specified. I had only one failed login attempt during this entire time period. Could something else be causing the reset timer to restart?

  3. johanee
    Plugin Author

    Posted 4 years ago #


    Thanks for taking the time to test things: more eyes makes less bugs!

    I won't be able to really test this until this evening, but I thought I'd mention how it is currently supposed to work and give a potential explanation for the observed behavior:

    "Retries valid" duration is set at the time of the last attempt -- we store when they will time-out rather than when they happen -- and any new failure will reset this value using the currently configured duration.

    (This means if you made the failed attempt before changing the duration it would still use the old value.)

    I'll test it and check the code in question later today.

    Re: confusing wording. I'll take a look at improving the text.

    Thank you,
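
The expiry rule described in the reply above, as an added example that is not part of the original thread and is not the plugin's own PHP code: a simplified Python model in which each failure stores an absolute expiry time computed from the duration configured at that moment. The class, method names and the sample IP address are assumptions made for illustration; the lockout threshold follows the thread's description of the default (4 total attempts).

```python
HOUR = 3600  # seconds

class RetryTracker:
    """Toy model of the rule in the thread; names here are hypothetical."""

    def __init__(self, allowed_attempts=4, valid_hours=12):
        self.allowed_attempts = allowed_attempts  # total attempts before lockout
        self.valid_hours = valid_hours            # "hours until retries are reset"
        self.count = {}        # ip -> failed attempts recorded so far
        self.valid_until = {}  # ip -> absolute time at which that count expires

    def _expire(self, ip, now):
        # The counter is dropped only once its *stored* expiry time has passed.
        if ip in self.valid_until and now >= self.valid_until[ip]:
            del self.count[ip], self.valid_until[ip]

    def failed_login(self, ip, now):
        """Record a failure; return True if this attempt triggers lockout."""
        self._expire(ip, now)
        self.count[ip] = self.count.get(ip, 0) + 1
        # Expiry is recomputed on every failure from the current setting.
        self.valid_until[ip] = now + self.valid_hours * HOUR
        return self.count[ip] >= self.allowed_attempts

    def retries_used(self, ip, now):
        self._expire(ip, now)
        return self.count.get(ip, 0)

IP = "203.0.113.7"  # constructed sample address (documentation range)

def setting_changed_after_failure():
    t = RetryTracker(valid_hours=12)
    t.failed_login(IP, now=0)   # expiry stored as 12 h from now
    t.valid_hours = 2           # admin lowers the setting afterwards
    return [t.retries_used(IP, now=h * HOUR) for h in (3, 11, 12)]

def setting_changed_before_failure():
    t = RetryTracker(valid_hours=2)
    t.failed_login(IP, now=0)   # expiry stored as 2 h from now
    return [t.retries_used(IP, now=h * HOUR) for h in (1, 2)]

def new_failure_extends_window():
    t = RetryTracker(valid_hours=2)
    t.failed_login(IP, now=0)
    t.failed_login(IP, now=1 * HOUR)  # pushes expiry from 2 h to 3 h
    return [t.retries_used(IP, now=h * HOUR) for h in (2.5, 3)]

def attempts_until_lockout():
    t = RetryTracker(allowed_attempts=4)
    return [t.failed_login(IP, now=i) for i in range(4)]
```

When testing a changed duration against this model, the failed attempt has to be made after the setting is saved, and every later failure from the same address restarts the clock.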

  4. fwchapman
    Posted 4 years ago #

    Thanks, Johan! I appreciate all your hard work.


Topic Closed

This topic has been closed to new replies.
