Admin constantly locked out from dashboard

  • Resolved petraho

    (@petraho)


    4 years, 4 months ago

    The admin is locked out after only one attempt, she uses the right username and password. I can login an I see her IP is on the list of blocked IP’s. If I unlock it and she tries again, her IP is on this list again. She gets the following message and also a 503, but other IP’s have no problems. This seems the case after the last update?

    This email was sent from your website “Badminton | BC Hoogerheyne” by the Wordfence plugin at Thursday 30th of July 2020 at 01:43:27 PM The Wordfence administrative URL for this site is: https://bchoogerheyne.nl/bchoogerheyne.nl/wp-admin/admin.php?page=Wordfence
    A user with IP addr ………. has been locked out from signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: . The last username they tried to sign in with was: ‘bestuur’.
    User IP: ………..
    User hostname: ………….

    The page I need help with: [log in to see the link]

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @petraho and thanks for reaching out to us!

    If you could provide a screenshot of the message that is being received, we could better understand what is happening.

    It looks like they are attempting and failing too many times according to what you provided. Check and verify that the user name they are attempting to use is correct. It also could be an issue with the rate limits you have set up as well.

    I generally set my Rate Limiting Rules to these values to start with:
    If anyone’s requests exceed 240 per minute
    If a crawler’s page views exceed 120 per minute
    If a crawler’s pages not found (404s) exceed 60 per minute
    If a human’s page views exceed 120 per minute
    If a human’s pages not found (404s) exceed 60 per minute
    How long is an IP address blocked when it breaks a rule 30 minutes

    I also always set the rule to Throttle instead of Block. Throttling is generally better than blocking because any good search engine understands what happened if it is mistakenly blocked and your site isn’t penalized because of it. Make sure and set your Rate Limiting Rules realistically and set the value for how long an IP is blocked to 30 minutes or so.

    Remember there is no hard and fast, one size fits all set of rules for every site. These are just a good place to start. During an attack, you may want to make those rules stricter. If you see visitors, like search engine crawlers getting blocked too often, you might want to loosen them up a little.

    https://www.wordfence.com/help/firewall/rate-limiting/ is an outstanding reference for setting rate limiting.

    Let me know if any of this help!

    Thanks!

    Thread Starter petraho

    (@petraho)

    The strange thing is, she just tries one time to log in to wp-admin and is directly autmatticly blocked. I didn’t do that, I only unblocked this IP-adres, but when she tries again the same happens.
    I have a screenshot from the screen she gets after trying to log in, but where can I upload it?

    Plugin Support WFAdam

    (@wfadam)

    Hello again @petraho

    You can email the screenshot to wftest @ wordfence . com

    Make sure to put your forum username as the subject line so we can find it easily.

    Thanks!

    Thread Starter petraho

    (@petraho)

    Hello,

    Before my vacation I send you the screenshot. This topic is nog resolved. One IP-adres still cannot login. I can remove Wordfence and replace it by another plugin but I am curious what the problem is.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Admin constantly locked out from dashboard’ is closed to new replies.