Failed Login logs – how to save before resetting

Sorry for the delay, I saw this ticket weeks ago but forgot to reply early; I hope this may help you and other people in case that someone else needs the information.

The security logs are stored in this directory [1] and more specifically the information associated to the failed logins is stored in this file [2]; additionally you can find this other file [3] with old failed logins. These are plain text file with JSON-encoded lines that you can easily pass to a table.

[1] /wp-content/uploads/sucuri/
[2] /wp-content/uploads/sucuri/sucuri-failedlogins.php
[3] /wp-content/uploads/sucuri/sucuri-oldfailedlogins.php

Thank you very much for the info. So when I choose to “reset the logs”; does it just overwrite the “sucuri-oldfailedlogins.php” file with items in the “sucuri-failedlogins.php”? Or does it empty both files and then starts collecting from that point?

If you “reset” the logs the plugin will delete both files. The “sucuri-oldfailedlogins.php” file keeps a copy of “sucuri-failedlogins.php” only when you activate the reports for brute force attacks, in this case if you configure the plugin to consider a brute force attack after more than 120 failed logins per hour and during that hour it only detects 100 then the main file is reset and its content is moved to the old file as a backup. This was added as a precaution as some times people may need to have a copy of the failed logins of the last hour even when they were not part of a brute force attack.