Had to disable plugin due to total lock out
-
I just updated to the 3.0.0 version of the plugin and right away kept seeing
“Sorry, your request cannot be accepted.”
I first thought it was my hosting company but discovered that it was this plugin that was causing the issue. I was able to sftp in and edit the php file in the plugin and regain access to the site. As soon as I restored the php file back to pre edit of the ip_geo_block_emergency I was again locked out of the site.
Using WordFence as well as iThemes Security both of which are current.
-
Sorry about this trouble and your inconvenience.
I’d like to ask you to regain this plugin (with ip_geo_block_emergency) and let me know the log of this plugin at the moment you were locked out. I think you can find it at “Admin area” on Logs tab of this plugin’s option page.
“Request” and “Result” in the logs are very helpful to identify this issue.
And if you find “wp-zep” in the “Result” column, I’d also like to ask you to disable “Prevent Zero-day Exploit” feature at “Admin area” and then try again with ip_geo_block_emergency deactivated.
For my side, I will check WF and iThemes.
I really appreciate your cooperation.
Thank you for your help.
If I whitelist my IP address, which had changed, it still does not help the issue. I was using 2.2.9.1 without any issue before this.
I looked through the log files and all of the Result column always shows Limited.
This is one of the lockouts even with my current IP address whitelisted:
GET[80]:/wp-admin/options-general.php?page=ip-geo-block&tab=4&ip-geo-block-auth-nonce=219b1bdf58
Someone had asked me last night in another forum if this is using the MaxMind database for Geo lookup. This install is indeed using MaxMind; is that where the issue is?
Hi, good information @frustrated999.
The symbol “Limited” was introduced in 3.0.0. It means that “The number of Login attempts reached at Max number of failed login attempts per IP address”. In this case, all activity would be blocked unless the IP address cache is expired or cleared (by pushing the “Clear now” button on the Statistics tab).
That’s why you were locked out again after you deactivated “ip_geo_block_emergency”.
Actually, I changed the design of code around the evaluation of failed login attempts. So there seems to be a bug that I have to fix.
I’m sorry but I have to recommend you to use 2.2.9.1 while I investigate the cause of this issue and fix it.
Thanks in advance.
I would go back to 2.2.9.1 but I find no way of redownloading that version of this plugin
Figured out how to download 2.2.9.1 and install it.
Hi @frustrated999,
I found a scenario that causes this issue.
I assume that your IP address is assigned dynamically by your Internet Service Provider. When you are logged in your site but leave it for a while, and during this period if an attacker attempts to login with the same IP and reaches the “Max number of failed login attempts per IP address” (default is 5), you may be locked out.
This scenario is unlikely to happen. But it’s definitely an issue. And version 2.2.9.1 also has the same issue. So currently, I’m making a countermeasure to warn administrator in order to avoid blocking during login like this:
I’ll keep trying to find another cause that is more directly related to this issue. So please keep watching this thread.
I appreciate your kind tolerance.
Thanks.
Yes I am on a dynamic IP address however the IP address rarely changes and the only time I have seen it changed is if I reboot the ISP’s router here. This may have happened recently.
In the past I have tried to whitelist my IP address whenever possible in security plugins due to the rather static nature of my IP address. However when I got back into this particular plugin I believe it was showing an older IP address. Even changing it to the current IP address however did not solve the issue I reported.
Only reverting back to the 2.x version allowed me to use the plugin without employing the security lockout procedure in the php file. This issue only occurred once I upgraded to the 3.x version and I believe it was right after I performed the upgrade to 3.x from the 2.x version.
- This reply was modified 7 years, 11 months ago by frustrated999.
Sure, I think the most important fact is that you were locked out right after you updated this plugin.
In the past I have tried to whitelist my IP address whenever possible in security plugins due to the rather static nature of my IP address. However when I got back into this particular plugin I believe it was showing an older IP address. Even changing it to the current IP address however did not solve the issue I reported.
In 2.2.9.1, if the number of login attempts reached the limit, it was always prior to the whitelist of extra IP address. So I should re-design the priorities among the internal rules.
Just to be sure, I’d like to ask you something.
– Is your site behind the proxy?
– Are you using some plugins using xmlrpc such as Jetpack?
You know that xmlrpc can accept a pair of user name and password. If those were invalid, then this plugin would regard them as login attempts.
This issue suggests me some important things. I deeply appreciate your report.
Thanks.
- This reply was modified 7 years, 11 months ago by tokkonopapa.
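The rule-order problem discussed in the replies above can be reproduced with a small model. This is an added example, not the plugin's code: `LoginGuard`, `whitelist_first`, `CACHE_TTL` and the address 203.0.113.7 are hypothetical, and only the default limit of 5 and the "Limited" result come from the thread.

```python
import time

MAX_FAILED = 5     # default "Max number of failed login attempts per IP address" (from the thread)
CACHE_TTL = 3600   # constructed value: seconds until a cached IP entry expires


class LoginGuard:
    """Simplified model: per-IP failed-login limit combined with an IP whitelist."""

    def __init__(self, whitelist, whitelist_first, now=time.time):
        self.whitelist = set(whitelist)
        self.whitelist_first = whitelist_first  # hypothetical switch for rule order
        self.now = now
        self.cache = {}                         # ip -> (failed_count, first_seen)

    def _entry(self, ip):
        count, seen = self.cache.get(ip, (0, self.now()))
        if self.now() - seen >= CACHE_TTL:      # expired entry counts as empty
            count, seen = 0, self.now()
        return count, seen

    def record_failed_login(self, ip):
        count, seen = self._entry(ip)
        self.cache[ip] = (count + 1, seen)

    def evaluate(self, ip):
        if self.whitelist_first and ip in self.whitelist:
            return "passed"
        if self._entry(ip)[0] >= MAX_FAILED:
            return "limited"                    # shown as "Limited" in the log
        return "passed"                         # geolocation rules are left out


def shared_ip_scenario(whitelist_first, admin_ip="203.0.113.7"):
    """Admin is whitelisted; failed logins then arrive from the same address."""
    clock = [0.0]
    guard = LoginGuard({admin_ip}, whitelist_first, now=lambda: clock[0])
    results = [guard.evaluate(admin_ip)]        # admin working in wp-admin
    for _ in range(MAX_FAILED):                 # e.g. invalid xmlrpc or form logins
        guard.record_failed_login(admin_ip)
    results.append(guard.evaluate(admin_ip))    # admin's next request
    clock[0] += CACHE_TTL                       # cached entry expires
    results.append(guard.evaluate(admin_ip))
    return results


if __name__ == "__main__":
    print("limit first:    ", shared_ip_scenario(False))
    print("whitelist first:", shared_ip_scenario(True))
```

Checking the whitelist first keeps the administrator in, but it also exempts that address from the failed-login limit, which matters when the address is dynamic or shared.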
The function with show to other page is cool, but this addon make all logins send to that page.
I had to deactivate IP_geo_block, but hope to see it come back in full functionality.
but this addon make all logins send to that page.
Absolutely NO, but only for the IP address of a user who is logged in.
OK, I’ll do my best!
It is using WP Super Cache plus a couple of other security plugins but Jetpack is not installed. I find it extremely unlikely that an attacker used my prior IP address since I get reports via the other 2 security plugins of attempted logins which are locked out for a period of time and none of them were even on my ISP’s IP range.
Hi @frustrated999,
Thank you for the additional information. Based on it, I examined http load testing using the apache benchmark command. With this command I emulated login attempts (at about 700 attempts per minute) with a different IP address from the admin’s.
One of the main differences between 2.2.9.1 and 3.0.0 related to this issue is the cache system for the fetched IP address. In 3.0.0, it is done at the shutdown process, while in 2.2.9.1 it is done just before responding to the attacker.
And I had an unreasonable error in 3.0.0 while I examined load testing many times. So I assume that caching at shutdown might potentially be unstable especially under the condition of high load on server.
At least one thing I should do is to make the cache timing reverted as same as 2.2.9.1.
Anyway, I really appreciate you to take your time for this issue.
Many thanks!
- This reply was modified 7 years, 11 months ago by tokkonopapa.
Thank you for your response.
How about something such as a binary search algorithm?
I assume that you can get the following strings as “Bad signatures in query” using “Best settings” button:
../,/wp-config.php,/passwd curl,wget,eval,base64 select:.5,where:.5,union:.5 load_file:.5,create:.6,password:.4
Then you can divide these strings into 2 groups:
Group 1:
../,/wp-config.php,/passwd curl,wget,eval,base64
Group 2:
select:.5,where:.5,union:.5 load_file:.5,create:.6,password:.4
And then you can check if each group has this issue or not. For example, if you find that Group 1 has an issue to save a form in Gravity Forms, then you can divide Group 1 into 2 groups and repeat again in the same way:
Group 1-1:
../,/wp-config.php,/passwd
Group 1-2:
curl,wget,eval,base64
At last you can get only one string.
I’m sorry this method annoys you a little but I think it is still reliable.
I’d deeply appreciate you if you try.
Thanks!
- This reply was modified 7 years, 10 months ago by tokkonopapa.
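The halving procedure from the reply above, written out as an added example (not the plugin's code). `is_blocked` is a hypothetical stand-in for one manual round of saving a group in “Bad signatures in query” and retrying the failing action; the two oracles in the demo are constructed. It goes beyond the reply by also reporting the cases where the signatures are not the cause, or where no single entry reproduces the block.

```python
SIGNATURES = ("../,/wp-config.php,/passwd curl,wget,eval,base64 "
              "select:.5,where:.5,union:.5 load_file:.5,create:.6,password:.4")


def split_signatures(text):
    """Split the setting on commas and whitespace into individual entries."""
    return text.replace(",", " ").split()


def bisect_signatures(entries, is_blocked):
    """Narrow `entries` down to the smallest group that still causes a block.

    Returns (culprits, rounds). An empty list means the full set does not
    reproduce the block at all. More than one culprit means neither half of
    that group blocked on its own, so the entries only block in combination.
    """
    rounds = 1
    if not is_blocked(entries):
        return [], rounds
    group = list(entries)
    while len(group) > 1:
        mid = len(group) // 2
        first, second = group[:mid], group[mid:]
        rounds += 1
        if is_blocked(first):
            group = first
            continue
        rounds += 1
        if is_blocked(second):
            group = second
            continue
        break  # the block needs entries from both halves
    return group, rounds


if __name__ == "__main__":
    entries = split_signatures(SIGNATURES)
    # Constructed oracles standing in for the manual test on the site.
    single = lambda group: "eval" in group
    combo = lambda group: "select:.5" in group and "where:.5" in group
    print(bisect_signatures(entries, single))
    print(bisect_signatures(entries, combo))
```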
Well it happened again. I got locked out on my login page because I mistakenly entered my 2 Factor Authentication code in the username rather than the field for the 2 Factor Authentication Code. I had a frustrating time getting back in even after FTPing in.
I could have had a brain fart but I thought I followed the instructions as shown under
I was locked down. What shall I do?
But either the plugin code did not like the changes to this PHP file or the site would not load at all. I had to rename the PHP file entirely which caused the plugin to be automatically deactivated.
Version is 3.0.2
P.S.
The instructions here at under “I was locked down. What shall I do?” show slightly different commenting in the emergency code than what is shown in the referenced page here. It is just helpful to have the example shown agree between the two pages, so that when one is locked out the actual comment we have to change is clearly understood.
I think that is in part what my problem was in this instance. I did not know what exactly to change.
- This reply was modified 7 years, 8 months ago by frustrated999.
Hi @frustrated999,
Well it happened again. I got locked out on my login page because I mistakenly entered my 2 Factor Authentication code in the username rather than the field for the 2 Factor Authentication Code.
You mean it was different from the original issue that we discussed before, don’t you? Or another issue? How is your original issue? Do you experience it frequently? I had spent a lot of time to try to solve this issue and actually made prompt measures into 3.0.1. But you responded nothing against the last thread. That’s my frustration.
But either the plugin code did not like the changes to this PHP file or the site would not load at all.
Sorry about that. Actually, both FAQ and Codex looks different slightly but I expected every user to understand how to comment out a line in PHP file. But I was wrong. That was my arbitrary assumption.
For the time being, please refer to FAQ not Codex, and edit your ip-geo-block.php using a right text editor. I have no time now but I’ll improve the description of codex.
Thanks for the heads-up.
- The topic ‘Had to disable plugin due to total lock out’ is closed to new replies.