Resolved bMighty2

    (@bmighty2)


    I have the auto lockdown set to auto lock out IPs that try with invalid usernames, and I can see the IP range set in the ‘locked IP’ tab. However, login attempts from that IP are still ongoing.

    For example, 176.102.49.* was locked out on Aug 2, and I have the lock out time set for one month, but there have been over 2 dozen login attempts today alone, from 176.102.49.192. I even added that specific IP to the blacklist and I am still getting notices of failed logins.

    Also, my site traffic in general is probably suffering because of the lockout feature — it blocks by IP range, so when I get a failed login from the Los Angeles area, for example, it blocks that whole range… Is there a setting I’m missing to block only specific IPs?

    I currently have 1440 IP ranges blocked, many from overseas of course, but many are from the states as well. I know locking out for a month seems excessive, but whether it’s blocked for one day in Los Angeles or one month, it’s still not letting legitimate traffic see me.

    Thanks for any suggestions to get this set up better.

    https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/

Viewing 10 replies - 1 through 10 (of 10 total)
    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, do you have the following option Enable Pingback Protection: enabled? This option is located under WP Security -> Firewall -> Basic Firewall Rules.

    Thread Starter bMighty2

    (@bmighty2)

    Yup, I sure do.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Do you have any other security plugin installed?

    Thread Starter bMighty2

    (@bmighty2)

    I do, I am also using Sucuri. Could it be a conflict between the 2? That’s how I’m able to see that login attempts from IPs that are supposed to be blocked are still going on. Sucuri is logging them as ‘failed logins’ or in brute force attack notices, depending on the frequency of attempts. But, after the IP is flagged by All In One WP, it doesn’t show as ‘failed login attempts’, it just shows that the IP was blocked on the date in All In One WP, while still showing failed attempts in Sucuri.

    I do see the deny rules in .htaccess for All In One WP, where it is denying access to directories, etc., but the IPs that are getting flagged for lockout are not getting listed in there.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, perhaps both security plugins might be conflicting with one another. Try to deactivate one of them and carry out another test.

    stevegantz

    (@stevegantz)

    I’ve seen the same sort of activity, where AIOWPS reports a locked out IP address with a single failed attempt (for using an invalid username) but Sucuri logs show five attempts from the same IP with the same invalid username but different attempted passwords. Sucuri doesn’t have a setting to limit the number of failed logins, so that limit is applied by AIOWPS. It looks like AIOWPS is correctly locking out IPs after 5 failed login attempts but not enforcing the immediate lockout for invalid usernames.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    @stevegantz thank you for reporting your finding. One of the plugin developers will investigate further.

    Regards

    Plugin Contributor wpsolutions

    (@wpsolutions)

    I just tested this together with the Sucuri plugin and I can confirm that the AIOWPS login lockdown is working correctly, i.e., it is locking out any login attempts made with invalid usernames on the first attempt.
    The AIOWPS plugin uses the WordPress “authenticate” filter to check if the user has been locked out before allowing the login process to proceed any further. So in your case it is correctly not allowing those malicious login attempts to proceed further because they have been locked.

    I think your confusion lies in the fact that the Sucuri plugin is reporting the submission of the login form every time it occurs. I don’t know which hook or filter they are using, but the fact that their plugin is showing login attempts doesn’t necessarily mean that AIOWPS is not blocking those attempts. It all depends on when during the login form submission process the Sucuri plugin is listening for the login attempts.
    My tests confirm that invalid username attempts are indeed being correctly blocked.

    I’m setting this issue to resolved.
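    An added illustration of the mechanism wpsolutions describes above (not AIOWPS’s or Sucuri’s own code): a lockout enforced through the WordPress “authenticate” filter still surfaces as a “failed login” to any plugin listening later in the same request. The locked range is the one from the first post; the assumption that the logging plugin listens on wp_login_failed is mine, since the thread does not say which hook Sucuri uses.

```php
<?php
/**
 * Constructed example, not plugin code. Drop into wp-content/mu-plugins/ on a
 * test site to watch both hooks fire for one blocked login submission.
 * Assumptions: the locked range 176.102.49.0/24 comes from the thread; that the
 * logging plugin hooks wp_login_failed is a guess, not something the thread states.
 */

// Lockout check on the "authenticate" filter. Priority 30 runs AFTER core's
// wp_authenticate_username_password (priority 20), so a locked IP is refused
// even when it submits a valid username with the correct password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user; // nothing submitted yet; leave core's own empty-field errors alone
    }
    // Constructed lockout list; a real plugin reads this from the database.
    // REMOTE_ADDR is only trustworthy when no proxy or CDN sits in front of the host.
    $locked_prefixes = array( '176.102.49.' );
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    foreach ( $locked_prefixes as $prefix ) {
        if ( 0 === strpos( $ip, $prefix ) ) {
            // Returning WP_Error stops the login. Core's wp_authenticate() then
            // fires wp_login_failed for any error code other than
            // empty_username / empty_password, so this blocked attempt is still
            // announced to every other plugin as a failed login.
            return new WP_Error( 'ip_locked', __( 'Login temporarily locked for this address.' ) );
        }
    }
    return $user;
}, 30, 3 );

// A second plugin that counts "failed logins" sees the locked attempt too.
// Its log entry does not mean the password was ever checked.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    $reason = ( $error instanceof WP_Error ) ? $error->get_error_code() : 'unknown';
    error_log( sprintf(
        'failed login for "%s" from %s (reason: %s)',
        $username,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $reason
    ) );
}, 10, 2 );
```

    A log line with reason `ip_locked` is the lockdown working, not a password being tested; a reason of `invalid_username` or `incorrect_password` is the attempt that reached core’s credential check.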

    stevegantz

    (@stevegantz)

    Thanks very much for testing the plugin combination and providing the technical explanation for what both plugins are reporting. I agree with the implication that Sucuri is essentially reporting false positives, in the sense that its brute force attempt alerts do not indicate an exploitable situation with WordPress.

    Thread Starter bMighty2

    (@bmighty2)

    Excellent, sounds good to me, thanks for looking into it so thoroughly.

The topic ‘Login lockdown not working right’ is closed to new replies.