WPChef

Limiting attempts by a username is something we have been considering implementing. However, we cannot provide a specific timeline at this point, so please stay tuned. The main concern is to prevent the constant blocking of legit users due to bot activity.

Limit Login Attempts Reloaded reports all failed login attempts. 2FA plugin sends a notification only if the user entered the correct username and password (i.e. the attempt hasn’t failed).

All WordPress plugin developers are required to strictly follow the plugin development codex which forbids tracking websites without an explicit consent of the site’s owner. That’s why we don’t ask for a domain name anywhere. Our plugin is open source, so feel free to dissect the code.

You’re seeing the “No lockouts” text on the Logs tab of the plugin, correct? If you have 2 attempts, but no lockouts, that means that per your settings a lockout should happen after more than 2 attempts. Please let us know if you meant something else.

Hi Youdaman,

Thank you for your feedback. This is an interesting point.

The way our notification system works is that it logs/sends failed login notification emails whether the account/username exists or not. Our definition of a failed login attempt is when an IP attempts a login and it fails. Just because the login attempt is ineffective doesn’t make it “fake” as you mentioned.

We will consider an update that omits failed login attempts when the account/username does not exist. But this data is needed for our IP intelligence since those attempts reveal dangerous IPs. We will consider classifying the severity of each failed login attempt so that the user can better understand the threat level.

If you have any further suggestions, please let us know.

Hi Suziq407,

We apologize if we did not answer your question to your satisfaction. We are unsure what is going on to cause these unusual usernames. This is not caused by our plugin. If you’d like to dig into the issue further, you can find the corresponding IP address associated with the attack and learn more about its origin. Best of luck and thank you for your inquiry.

We have uploaded a new version of the plugin which should hopefully fix the issue.

We are sorry that you feel this way about our product. You may uninstall the plugin if you don’t feel it is working properly for your company. We have nearly 2.5 million active installs so it’s certainly working well for majority of users. There are unique cases in which the plugin might conflict with other plugins or hosting configurations, but being that you are not a paid user, we must do additional research to understand the problem and provide a fix. We assume all questions in the WordPress support forum are free users, and paid users can email our support for level 2 tech support.

As we understood, you don’t have your real (from Google) IP anywhere on the phpinfo page. If that’s correct, the issue can’t be fixed w/o help of your hosting provider. Tell them that your REMOTE_ADDR variable is not detected correctly by the server. They should fix it.