Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, can you share the settings you have enabled under User Login -> Login Lockdown.

    Thank you

    Thread Starter spook68

    (@spook68)

    Enable Login Lockdown Feature: on
    Allow Unlock Requests: off
    Max Login Attempts: 30
    Login Retry Time Period (min): 10
    Time Length of Lockout (min): 60
    Display Generic Error Message: on
    Instantly Lockout Invalid Usernames: on
    Instantly Lockout Specific Usernames: including: admin, ADMIN, Administrator, etc.
    Notify By Email: on
    Enable Login Lockdown IP Whitelist: on
    Enter Whitelisted IP Addresses: my IP

    I tried with an account name from the blacklist and I could still log in with a different account.
    I tried to log in from a blocked IP address and this was also possible.

    I can share the rest of my settings but not on the forum.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi,

    I think the following setting is too large:

    Max Login Attempts: 30
    You should decrease this number – say to 5 or less.

    I tried to log in from a blocked IP address and this was also possible.

    Maybe that “blocked” IP address had surpassed the lockout period and was automatically unblocked. This is entirely possible because the following setting means that those IP addresses will be blocked for an hour and after that time period they will be released:

    Time Length of Lockout (min): 60

    You should increase this value if you want to block such IP addresses for a longer period.

    I tried with an account name from the blacklist and I could still log in with a different account.

    I’m a little confused by this statement. Are you saying that firstly you tried to log in with username “admin” and then you tried with a valid username not listed in the “Instantly Lockout Specific Usernames” setting?

    Thread Starter spook68

    (@spook68)

    Due to the nature of the valid users the number of 30 is ok. If a script is attacking the site I get 30 requests in a minute… That’s fast enough right now

    When I do tests I do take the settings into account.
    – If I only have AIOWPS active, the site redirects to 127.0.0.1 when using a blacklisted user name.
    – When I also activate Pie Register, the site stops redirecting, and I can log in with another user account. This is not what I expected.

    Can it be the nature of the redirection of the login page Pie Register uses? I made separate pages with the codes of PR: [pie_register_login], [pie_register_form]

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Due to the nature of the valid users the number of 30 is ok

    I think you may be misunderstanding how that setting works.
    That setting is not for the total login attempts. It applies to each person attempting to log in.
    By setting that value to 30 you are allowing each individual IP address to have 30 opportunities to guess your login credentials before they get locked out.
    For example, let’s say in a 1 minute period you have 10 different bad guys trying to log into your site. Due to the way you have configured that setting, you are effectively allowing a total of 300 incorrect login attempts in that period before those IPs are locked out. (30 attempts for each IP address)
    This is way too much and makes your site vulnerable to brute force attack.

    Can it be the nature of the redirection of the login page Pie Register uses?

    I’m sorry I’m not familiar with that plugin.
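    As an added illustration (not code from the plugin or from anyone in this thread), a small Python model of the Login Lockdown settings posted above: the attempt counter is kept per IP, a lockout releases on its own once its duration has passed, whitelisted IPs are never locked, and ten attackers with Max Login Attempts at 30 get 300 guesses in one retry window. The plugin’s real internals are not reproduced and the class and function names are invented for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class LockdownPolicy:
    """The Login Lockdown settings quoted in this thread (values are the poster's)."""
    max_attempts: int = 30          # Max Login Attempts (per IP, not site-wide)
    retry_period_min: int = 10      # Login Retry Time Period (min)
    lockout_min: int = 60           # Time Length of Lockout (min)
    instant_lockout_usernames: frozenset = frozenset({"admin", "administrator"})
    whitelist: frozenset = frozenset()

@dataclass
class LoginLockdown:
    policy: LockdownPolicy
    failures: dict = field(default_factory=dict)      # ip -> failure times (minutes)
    locked_until: dict = field(default_factory=dict)  # ip -> minute the lockout ends

    def is_locked(self, ip, now):
        # Lockouts expire on their own: the IP is released once lockout_min has passed.
        return now < self.locked_until.get(ip, -1)

    def record_failure(self, ip, username, now):
        """Register one failed login; return True if the IP is locked afterwards."""
        if ip in self.policy.whitelist:
            return False                     # whitelisted IPs are never locked
        if self.is_locked(ip, now):
            return True
        if username.lower() in self.policy.instant_lockout_usernames:
            self.locked_until[ip] = now + self.policy.lockout_min
            return True
        recent = [t for t in self.failures.get(ip, []) if now - t < self.policy.retry_period_min]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.policy.max_attempts:
            self.locked_until[ip] = now + self.policy.lockout_min
            self.failures[ip] = []
            return True
        return False

def guesses_before_lockout(policy, attacker_count):
    """Total wrong passwords N attackers can try in one retry window before all are locked."""
    ld = LoginLockdown(policy)
    total = 0
    for i in range(attacker_count):
        ip = f"203.0.113.{i}"  # constructed addresses from the documentation range
        locked = False
        while not locked:
            locked = ld.record_failure(ip, "someuser", now=0)
            total += 1
    return total
```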

    Thread Starter spook68

    (@spook68)

    What registration and login plugins has AIOWPS been tested with?

    The reason I use PR is that I can request additional information in the registration form and the login page is not the default one anymore. This makes it more difficult for scripted attacks.

    Thread Starter spook68

    (@spook68)

    Hello

    Can you please inform us what user registration plugins AIOWPS is tested with?

    My guess is that there are more users out there who are using some kind of registration form & login page that is different from the standard WP login page.

    If the locking issue is related to a particular plugin it would help solve the issue.
    If AIOWPS does not handle login plugins correctly in general, I would appreciate it if this were solved in one way or another.

    As mentioned in the thread, I use Pie Register: https://wordpress.org/plugins/pie-register/

  • The topic ‘User Login ; Login Lockdown not working’ is closed to new replies.