WPChef
Forum Replies Created
Forum: Plugins
In reply to: [Limit Login Attempts Reloaded] Block by username not IP
Limiting attempts by a username is something we have been considering implementing. However, we cannot provide a specific timeline at this point, so please stay tuned. The main concern is to prevent the constant blocking of legit users due to bot activity.
Forum: Plugins
In reply to: [Limit Login Attempts Reloaded] Fake login attempts?
Yes, the bots/attackers can get your usernames at least from the following 2 sources:
- By opening this URL of your site: /wp-json/wp/v2/users. You can add it to the end of your domain and see it. It’s a part of the WP API. You can disable it but some plugins depend on it (not LLAR though).
- By parsing sites looking for usernames. Often the usernames are exposed in page URLs, especially the posts. That’s why we recommend that users never post under admin.
Forum: Plugins
In reply to: [Limit Login Attempts Reloaded] Fake login attempts?
Limit Login Attempts Reloaded reports all failed login attempts. The 2FA plugin sends a notification only if the user entered the correct username and password (i.e. the attempt hasn’t failed).
All WordPress plugin developers are required to strictly follow the plugin development codex, which forbids tracking websites without the explicit consent of the site’s owner. That’s why we don’t ask for a domain name anywhere. Our plugin is open source, so feel free to dissect the code.
Forum: Plugins
In reply to: [Limit Login Attempts Reloaded] failed login attempts
Then the failed attempts happened from different IP addresses and hence didn’t generate a lockout.
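The two replies above on per-IP versus per-username limiting, illustrated with an added example that is not part of the original posts and not the plugin's code: it counts failed logins per IP and per username to show which attempts a per-IP threshold locks out and which distributed attempts it misses. The event list, the `max_failures` threshold, the function names and the absence of a time window are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample of failed-login events as (ip, username); not real data.
FAILED = [
    ("203.0.113.5", "admin"), ("203.0.113.5", "admin"),
    ("203.0.113.5", "admin"), ("203.0.113.5", "admin"),
    ("198.51.100.1", "editor"), ("198.51.100.2", "editor"),
    ("198.51.100.3", "editor"), ("198.51.100.4", "editor"),
    ("198.51.100.5", "editor"), ("192.0.2.77", "alice"),
]


def per_ip_lockouts(events, max_failures):
    """IPs that reach the failure threshold on their own (per-IP limiting)."""
    counts = defaultdict(int)
    for ip, _user in events:
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= max_failures)


def distributed_targets(events, max_failures):
    """Usernames whose total failures reach the threshold although no single
    IP does, so per-IP limiting never produces a lockout for them."""
    by_user = defaultdict(lambda: defaultdict(int))
    for ip, user in events:
        by_user[user][ip] += 1
    flagged = {}
    for user, ips in by_user.items():
        total = sum(ips.values())
        if total >= max_failures and max(ips.values()) < max_failures:
            flagged[user] = {"failures": total, "distinct_ips": len(ips)}
    return flagged


if __name__ == "__main__":
    # Hypothetical threshold: the 4th failure from one IP triggers a lockout.
    print("locked out IPs:", per_ip_lockouts(FAILED, 4))
    print("missed by per-IP limiting:", distributed_targets(FAILED, 4))
```

The second function only reports the targeted usernames; whether to block on that signal is the trade-off against locking out legitimate users that the first reply describes.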
Forum: Plugins
In reply to: [Limit Login Attempts Reloaded] failed login attempts
You’re seeing the “No lockouts” text on the Logs tab of the plugin, correct? If you have 2 attempts, but no lockouts, that means that per your settings a lockout should happen after more than 2 attempts. Please let us know if you meant something else.
Forum: Plugins
In reply to: [Limit Login Attempts Reloaded] failed login attempts
Hi Lemjack7,
A lockout is recorded after a certain number of failed login attempts happens. This means the number of login attempts in the log is almost always higher than the number of lockouts.
Forum: Plugins
In reply to: [Limit Login Attempts Reloaded] Fake login attempts?
Hi Youdaman,
Thank you for your feedback. This is an interesting point.
The way our notification system works is that it logs/sends failed login notification emails whether the account/username exists or not. Our definition of a failed login attempt is when an IP attempts a login and it fails. Just because the login attempt is ineffective doesn’t make it “fake” as you mentioned.
We will consider an update that omits failed login attempts when the account/username does not exist. But this data is needed for our IP intelligence since those attempts reveal dangerous IPs. We will consider classifying the severity of each failed login attempt so that the user can better understand the threat level.
If you have any further suggestions, please let us know.
Thank you. We’ll look into this and let you know.
Forum: Plugins
In reply to: [Limit Login Attempts Reloaded] Only WP users as “inquirers”?
Hi Suziq407,
We apologize if we did not answer your question to your satisfaction. We are unsure what is going on to cause these unusual usernames. This is not caused by our plugin. If you’d like to dig into the issue further, you can find the corresponding IP address associated with the attack and learn more about its origin. Best of luck and thank you for your inquiry.
Hello, I think this article will be helpful.
Forum: Plugins
In reply to: [Limit Login Attempts Reloaded] Critical error when going to Settings
We have uploaded a new version of the plugin which should hopefully fix the issue.
Forum: Plugins
In reply to: [Limit Login Attempts Reloaded] Only WP users as “inquirers”?
Besides “/wp-json/wp/v2/users”, bots also scrape websites and find usernames in the page content and URL slugs. Also, more detailed info can be read using this address: /wp-json/wp/v2/users/[user_id]. Just add it at the end of your web site.
We are sorry that you feel this way about our product. You may uninstall the plugin if you don’t feel it is working properly for your company. We have nearly 2.5 million active installs so it’s certainly working well for the majority of users. There are unique cases in which the plugin might conflict with other plugins or hosting configurations, but being that you are not a paid user, we must do additional research to understand the problem and provide a fix. We assume all questions in the WordPress support forum are free users, and paid users can email our support for level 2 tech support.
There were more than 20 releases since 2.20.2. We can’t think of any that could break anything related to your question. Unfortunately there is no good way for us to debug your local installation w/o access to it. You can go live with 2.20.2 and turn off the updates. That version works fine.
- This reply was modified 1 year, 1 month ago by WPChef.
As we understood, you don’t have your real (from Google) IP anywhere on the phpinfo page. If that’s correct, the issue can’t be fixed w/o help of your hosting provider. Tell them that your REMOTE_ADDR variable is not detected correctly by the server. They should fix it.