Doesn't block Admin when using uppercase A

Agreed. Multiple attacks in a short space of time on “Admin” getting passed and cached as good IPs seems quite silly.

Thank you!

I am not checking for the admin (or Admin) user id. I check to see if the user has admin privileges. When the “check for admin” option is on, before I check for a spammer, I check to see if the user is an “admin” type user and that the password is correct. The plugin doesn’t care what username is used – it checks everything.

Keith,

Well, I’ve just been getting a lot of spam logins to ‘Admin’

I’ve been getting a lot, too. This are criminals. If they had any brains they would be making honest money.

Keith

Agreed. I have yet to find a smart spammer. The smartest one figured out my username so, I put it in SFS and now it can cause no harm.

Sorry Keith but I am confused.

If you are not checking for “admin” user id, what on earth does “Blacklist login attempts using ‘admin’ userid:” mean? This is what we are talking about.

And I don’t even see “check for admin” as an option! (Yes, I’m running version 5.5)

My admin userid is not “admin”. You should not have a userid named “admin”. I think the wording is unclear; it should read “the Administrative user id”. I was using admin userid to mean the user id that the admin uses to log in. I will change the wording to be clearer in the next release.

Sorry about the lack of clarity.

Keith

OK. Now I understand better and see where my confusion came from. Thank you.

BUT, I do not have a userid named “admin” yet the plugin is blocking those attempts that try to use “admin” as a userid. Why is this?

My admin account did have “admin” set as both nickname and public display name (I have just changed it). BTW, I have never seen a login attempt on my actual login id (which is a random string).

Thanks so much for your time, I’m finally understanding this better and seeing the errors in what I thought I understood before.

Before it blocks them, it checks the userid to see if it is an administrative user. It then checks the password. This prevents admins from being locked out of their own website.

I recommend that you uncheck this box when you are sure that you can log into wordpress without being blocked. (I think I say this on the settings page.)

It is set “ON” in a new installation, but should be unchecked when it is not needed. Then, anyone using your administrative id will be checked, even if they have the right password.

Keith

It is unchecked. Always has been.