Limit Login Attempts
SCARY! Limit Login Attempts lockout bypassed? (42 posts)

  1. Moondrop
    Member
    Posted 2 years ago #

    Same issue as shamratdewan has happened to me. The IP was locked out, however, and login attempts stopped once it was locked. They were able to attempt 30+ logins, but I have the login attempt count set to 6.

  2. MyInternetScout
    Member
    Posted 2 years ago #

    Hopefully, these attempts were unsuccessful...?

    I've started to see uncontested attempts as well. My log also shows that these unaccounted-for attempts have no User Name (a blank) associated with each attempt. However, when the attempt is performed with a user name, the plugin works as expected.

    Is anyone seeing this in their logs?

  3. shamratdewan
    Member
    Posted 2 years ago #

    Hi, for MyInternetScout: yes, I see the user names. As I have shown in my last post, I use another plugin called "Activity Monitor" that tells who has logged in and at what time. Even though most of the time it's admin they tried, they used other usernames that are in use as well. Can anybody suggest where to find the log file in the server access log?

  4. MyInternetScout
    Member
    Posted 2 years ago #

    Hi shamratdewan,

    Since I used to sell layer 2 and 3 security solutions to businesses, I'm constantly trying to improve security. Let me know if any of the points below help you...

    LOGGING
    I believe each hosting company provides the log software; something you're going to have to dig through at the CPanel level. As far as I know (which really chaps my hide), the WordPress engine does not have logging built into it. I use the 'Wp-Activity' plugin for my logging - it logs everything! Try using this plugin.

    BLACKLIST FEATURE
    I haven't used the Limit Login Attempts blacklist feature. However, I've been using WP-Activity's IP blacklist feature - and it looks to work just fine... so far.

    The fact you're observing other usernames in the login hack attempts is something I see regularly. The servers attempting the breach also scan for all user account names and try to use those IDs to attack with.

    I hope this information helps.

  5. JamesBB
    Member
    Posted 2 years ago #

    @MyInternetScout

    THANK YOU for the tip!
    The plugin WP-Activity you mentioned should be very useful...

  6. XCTrails
    Member
    Posted 2 years ago #

    Hi,

    Yesterday, I observed the same thing on one of my boxes. According to ActivityMonitor, a bot tried to log in a couple of hundred times, always using the same user/IP and different passwords.
    "administrator tried to log in ..."
    I had expected that something like this would be blocked by Limit Login Attempts (which is set to block after 4 attempts), but it wasn't until very late (can't say when; there's no timestamp with the blocked message in the plugin).

    Any idea?

    Thanks ...

  7. MyInternetScout
    Member
    Posted 2 years ago #

    Hi XCTrails,

    Are you running the latest version of Limit Login Attempts? If so, it seems the author of Limit Login Attempts has yet to fix their vulnerability that allows unlimited attempts. I recommend you uninstall Limit Login Attempts and replace it with the Login Security Solutions plugin.

    Please let us know which version you're running.

  8. lazab
    Member
    Posted 2 years ago #

    Hi guys. I have been following the posts on this thread. What is the developer of this plugin saying? What do you guys think about Wordfence?

    Very well supported plugin and appears to be highly effective.

  9. kitsunesniper
    Member
    Posted 2 years ago #

    Ah, so that explains the jerk that kept trying to log in despite me adding him to the blacklist.

    I'm now dealing with one guy who keeps trying to log in from five different IPs at the same time. I have the site set to block anyone who doesn't get the password right the first try, and so far that's kept him at bay.

  10. ericbentzen
    Member
    Posted 2 years ago #

    This plugin worked fine for me and effectively blocked many attempts, but today I had a look at my access log file, and one IP had bypassed the plugin more than 20000 times with 2 to 3 tries per second without being blocked.

    I noticed what may be peculiar, and that is the double slash after "wordpress" in the log entry: "POST /wordpress//wp-login.php HTTP/1.1" but I have no idea if this is significant or not.

    I have now blocked the IP in my htaccess file, but it seems from the thread and my experience that the plugin has at least one flaw.

    I am using the latest version of WordPress and the plugin.
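
    A way to confirm the kind of bypass ericbentzen describes from the server access log, added here as an example and not code from the thread or from the plugin: it parses Apache/nginx combined-format lines, collapses the doubled slash in "/wordpress//wp-login.php" so both spellings count as the same endpoint, and flags any IP that POSTs to wp-login.php more than a threshold number of times (6, mirroring the lockout setting mentioned above) inside a sliding window. The log lines are constructed samples; the log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format (assumed); the sample lines below are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def normalize_path(path):
    """Drop the query string and collapse repeated slashes, so that
    /wordpress//wp-login.php and /wordpress/wp-login.php are the same endpoint."""
    return re.sub(r'/+', '/', path.split('?', 1)[0])

def parse_line(line):
    """Return (ip, timestamp, method, normalized path, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return (m.group('ip'), ts, m.group('method'),
            normalize_path(m.group('path')), int(m.group('status')))

def find_bruteforce(lines, threshold=6, window_seconds=60):
    """Return {ip: total POSTs to wp-login.php} for every IP that exceeds
    `threshold` such POSTs inside any sliding window of `window_seconds`."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == 'POST' and rec[3].endswith('/wp-login.php'):
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1          # slide the window forward
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged

def _line(ip, sec, method, path, status=200):
    # Constructed sample log line in combined format (not real traffic).
    return (f'{ip} - - [10/Apr/2013:08:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

SAMPLE_LOG = (
    [_line('203.0.113.7', s, 'POST', '/wordpress//wp-login.php') for s in range(0, 16, 2)]
    + [_line('198.51.100.4', s, 'POST', '/wordpress/wp-login.php', 302) for s in (5, 40)]
    + [_line('198.51.100.4', 41, 'GET', '/wordpress/wp-admin/')]
)
```

Running `find_bruteforce(SAMPLE_LOG)` flags only 203.0.113.7 (eight POSTs in fourteen seconds); the IP with two logins in a minute is left alone.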

  11. pixelyzed
    Member
    Posted 2 years ago #

    Hi guys,

    I moved on to Login Security Solution and that works a lot better than Limit Login Attempts for me. Plus it helps you enforce strong passwords. I have a few sites with a lot of users (including some multisite networks) and LSS is becoming invaluable to me.


    http://wordpress.org/extend/plugins/login-security-solution/

  12. WayneM1
    Member
    Posted 2 years ago #

    This plugin is old and needs updating (be warned)

    This plugin was last updated on 2012-6-1 - that's nearly a year ago. There have been a number of WordPress releases since that time.

    The last time the plugin author posted anything here at wordpress.org was 295 days ago.

    That post was in a support thread titled:
    "SCARY! Limit Login Attempts lockout bypassed?"

    Read that thread here:
    http://wordpress.org/support/topic/scary-limit-login-attempts-lockout-bypassed

    Why am I making this post?

    I have been a very strong believer in the Limit Login Attempts plugin. I have been believing that it has been helping to protect my WordPress installations. While it may have been helping somewhat, it appears to have some very serious flaws. The biggest problem is that I have been trusting it to do its job and I now believe that it does not (read the referenced thread above).

    I came here today just to check up on what's going on with the recent botnet attacks on WordPress, and to see if the LLA plugin is working to help secure my site. Especially now that every WP and security blogger seems to be recommending this plugin to help combat brute force attacks.

    Right now I'm looking for a better solution. If you have any regard for your WordPress site security, you may want to do the same. The thread above has some suggested plugins to consider.

    Looks like it is time to leave Limit Login Attempts behind. Too bad :-(
