Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author Paul

    (@paultgoodchild)

    Hi,

    Are you using another plugin relating to or that would be monitoring login attempts?

    What were the errors you said you saw?

    Thread Starter CreationP

    (@creationp)

    No other plugin relating to security or login. I haven’t even changed anything as the problem happened overnight.

    The problem I saw is the default WordPress error about failed login attempt along with the login limit to 3 failed logins.

    Plugin Author Paul

    (@paultgoodchild)

    Neither WordPress nor the simple firewall limits login attempts to 3. You probably have another plugin if you’re getting a message like that.

    Thread Starter CreationP

    (@creationp)

    Yes indeed. I had “Limit Login Attempts”. Without it the plugin works but I still want to limit the login attempts before a ban. A solution to that?

    Plugin Author Paul

    (@paultgoodchild)

    Sorry, I can’t support that plugin feature officially while there are other plugins dipping into the data. I can take a look and see if I can offset what they’re doing, but that’s a fairly substantial time investment, which then must be maintained as that plugin develops and changes.

    Limiting by IP address is a non-scalable approach to security. I may or may not have given you this link before now, but I outline here why banning IP addresses is not a valid path to security:
    https://www.icontrolwp.com/2014/06/beware-new-security-theat-wordpress-misinformation-virus/

    Sorry I can’t be of more help, but unfortunately developing, supporting, and trying to ensure your plugin works on all web hosts and with as much compatibility as possible is a near-full-time endeavour. But also then playing with other plugins that meddle with the very data+flow you’re also working within, is almost impossible.

    If you trust limit login attempts to handle that side of your security, you should use it. You can just disable that login protection/user management section of our Firewall plugin and you’ll be fine.

    Thanks,
    Paul.

    Thread Starter CreationP

    (@creationp)

    Hello again Paul.

    I do not want to talk about the article but I left a comment on the article.

    I understand you cannot make sure that your plugin works with all other security plugins out there and you are not supposed to in any way. Your plugin works beautifully and I have tested it in many ways to break it but along with my fixes and the server security it is almost unbeatable in what it does. You should keep it up and continue updating it and adding new stuff.

    Plugin Author Paul

    (@paultgoodchild)

    Can I ask what you referred to by “along with my fixes” … do you mean specifically to the plugin? I’d be curious as to what other measures you take that could potentially be incorporated into the plugin.

    Cheers!
    Paul.

    Thread Starter CreationP

    (@creationp)

    Good morning Paul,

    I haven’t touched the plugin at all. My fixes mostly include server side patches, error reporting suppression, htaccess, SQL injection patches, permission controls and file deletion (some readmes and information gathering files) etc.

    Nothing too fancy but some extra obstacles.

    Plugin Author Paul

    (@paultgoodchild)

    Gotcha, okay. On principle our plugin doesn’t touch core file permissions or .htaccess etc.

    Thanks for letting me know!

    Thread Starter CreationP

    (@creationp)

    It’s no problem Mr. Paul.

    What I would add to that plugin would be a login IP ban (not perma) (maybe 20-30 mins) in order to pump up the security a bit. Along with the delayed login, brute force protection and the other functions it would be a total bummer for brute forcers as they will have to start the attack all over again and will stop on the same word again unless they remove the passwords from their wordlists.

    That’s just my opinion though and in no way trying to show off or anything. The plugin is extremely useful as it is right now.

  • The topic ‘Cannot login with failed login attempts’ is closed to new replies.