• Resolved David Anderson

    (@davidanderson)


    Hi,

    I love the idea and have used this on a few sites.

    Question:
I have a site that is mainly for users from a single institution. The whole institution is (probably) behind a single IP address. So, a few failed logins from different users could quickly look like a cracker at work, and lock everyone out – not just out of this site, but out of all Brute-Protected sites. Or perhaps not – it’s hard to say… the question is: what are the limits? And secondly… can they be made configurable? (e.g. “Don’t report the IP to BruteProtect central unless it has X failures within Y minutes” – depending on how BP actually works under the hood).

    David

    https://www.ads-software.com/extend/plugins/bruteprotect/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Contributor Sam Hotchkiss

    (@samhotchkiss)

    Hi David–

    First off, thanks for your feedback! We’ve been hard at work on a number of major updates to the plugin, one of which will directly address this concern, and we can’t wait to unveil them.

In the meantime– it’s 10 failed logins before a lockout occurs. You are correct in saying that this will lock out the user across BP-protected sites.

    As an interim fix, you can make the following change:

    To whitelist your IP on your site, change line 37 of bruteprotect.php from:

    add_action('login_head', 'brute_check_loginability');

    to:

    if($_SERVER['REMOTE_ADDR'] != '1.1.1.1') { add_action('login_head', 'brute_check_loginability'); }

    (replacing 1.1.1.1 with your IP)

    Hope this helps!

    Hi guys,

Is it possible to set the number of failed logins before a lockout occurs (in the admin plugin console or directly in the PHP code)?

    Thank you

    Plugin Contributor Sam Hotchkiss

    (@samhotchkiss)

No– the number of failed logins is controlled by our API. It’s more than just X logins, then a block– we use the data from the 10m+ failed logins we have logged to help determine if someone is a real threat, and we’ll keep refining this algorithm as we move forward.

    Can you give any indication about the timespan you use for this count? (10 attempts a year or 10 attempts an hour make quite the difference.) And perhaps for the length of the lockout period?

    I’d like to be able to tell my clients (more or less) exactly what plugins do.

    Plugin Contributor Sam Hotchkiss

    (@samhotchkiss)

    Hi Daan–

    At the moment, the algorithm is:
    8 failed attempts in 8 hours = 8 hour block
    15 failed attempts in 24 hours = 48 hour block
    25 failed attempts in 7 days = 14 day block
    40 failed attempts in 1 month = 2 month block
    65 failed attempts in 1 year = 2 year block

We’re working on making this “smarter”– more details to come.

    Thread Starter David Anderson

    (@davidanderson)

    Blocking anything for 2 years is probably unhelpful… IP addresses can get recycled quite a lot, particularly if they’re on VPS services. It’d be hugely annoying to buy a VPS to install a VPN server on, then find that you can’t log in to lots of WP sites because of a 2-year ban.

    Ah, getting a 2 year block takes serious effort:
First you get an 8h block (8 failed = 8h)
    Then you get a 2d block (15 failed =2d,8h)
    Then you get a 8h block (23 failed =2d,16h)
    Then you get a 14d block (25 failed =18d,16h)
    Then you get a 8h block (33 failed =19d)
    Then you get a 2m block (40 failed =2m,21d)
    Then you get a 8h block (48 failed =2m,21d,8h)
    Then you get a 2d block (55 failed =2m,23d,8h)
    Then you get a 8h block (63 failed =2m,21d,16h)
    Then, after 2 months, 21 days and 16 hours of continuous hammering from the same IP, you get a 2 year block (which effectively resets everything).

It’s pretty hard to get to the point where you’ll be blocked for 2 years, but nonetheless there should be an ‘Unblock me’ feature somewhere. 25 failed attempts is not unthinkable, but being unable to log in for two weeks is.

I would also suggest starting with some smaller steps. 8 failed attempts is not much, but it blocks you for a nasty period. Perhaps start with 15m, then an hour, then rapidly build up to longer periods for the real bots.

    A bit like this:
    5 failed attempts in 15mins = 15 min block
    10 failed attempts in 30mins = 1 hour block
    15 failed attempts in 90mins = 1 day block
Etc.

    It also seems important to give some feedback like ‘3 attempts left’.
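The following simulator is an added example, not code from the thread or from the BruteProtect plugin. It encodes the block schedule Sam posted (8 in 8h, 15 in 24h, 25 in 7d, 40 in 1 month, 65 in 1 year) and the gentler opening steps proposed above as sliding-window rules, then replays two constructed scenarios: an institution whose staff all sit behind one NAT address (David's original concern), and a single IP that retries the moment each block lifts (the escalation walk-through above). Everything beyond the two rule tables is an assumption made here: the event format, the IP address and usernames, that 1 month is 30 days and 1 year is 365, and that attempts made while blocked are rejected without being counted as new failures. It also implements the "attempts left" hint as a function over the same windows.

```python
"""Sliding-window lockout simulator for the block schedule quoted in the thread.

Constructed example. The rule tables come from the thread; the event format,
addresses, usernames and the handling of attempts made while blocked are
assumptions made here, not the plugin's behaviour.
"""
from dataclasses import dataclass
from typing import List, Optional

H, D = 3600, 86400  # seconds in an hour / a day


@dataclass(frozen=True)
class Rule:
    attempts: int  # this many failed logins ...
    window: int    # ... within this many seconds ...
    block: int     # ... earn a block of this many seconds


# Schedule as posted by the plugin contributor (1 month = 30 d, 1 year = 365 d assumed).
BRUTEPROTECT_RULES = [
    Rule(8, 8 * H, 8 * H),
    Rule(15, 24 * H, 48 * H),
    Rule(25, 7 * D, 14 * D),
    Rule(40, 30 * D, 60 * D),
    Rule(65, 365 * D, 730 * D),
]

# The gentler opening steps suggested later in the thread.
PROPOSED_RULES = [
    Rule(5, 15 * 60, 15 * 60),
    Rule(10, 30 * 60, 1 * H),
    Rule(15, 90 * 60, 1 * D),
]


def count_in_window(failures: List[int], now: int, window: int) -> int:
    """Failures with now - window < t <= now."""
    return sum(1 for t in failures if now - window < t <= now)


def matching_rule(failures: List[int], now: int, rules: List[Rule]) -> Optional[Rule]:
    """Most severe rule whose threshold is met right now; None if no rule fires."""
    hits = [r for r in rules if count_in_window(failures, now, r.window) >= r.attempts]
    return max(hits, key=lambda r: r.block) if hits else None


def attempts_left(failures: List[int], now: int, rules: List[Rule]) -> int:
    """Failures still allowed before any rule fires (the '3 attempts left' hint)."""
    return max(0, min(r.attempts - count_in_window(failures, now, r.window) for r in rules))


@dataclass
class Block:
    ip: str
    start: int
    until: int
    rule: Rule


def simulate(events, rules):
    """Replay (time, ip, user, success) events, keyed per IP as the thread says the service is.

    Returns (verdicts, blocks); each verdict is 'ok', 'failed' or 'blocked'.
    """
    failures, blocked_until = {}, {}  # per-IP failure timestamps / block expiry
    verdicts, blocks = [], []
    for t, ip, user, success in sorted(events):
        if t < blocked_until.get(ip, 0):
            verdicts.append("blocked")  # rejected before the password is checked, not counted
            continue
        if success:
            verdicts.append("ok")
            continue
        hist = failures.setdefault(ip, [])
        hist.append(t)
        verdicts.append("failed")
        rule = matching_rule(hist, t, rules)
        if rule:
            blocked_until[ip] = t + rule.block
            blocks.append(Block(ip, t, t + rule.block, rule))
    return verdicts, blocks


def escalation_path(rules, n_blocks):
    """One IP retrying once per second whenever it is not blocked.

    Returns [(total failures so far, block length in seconds), ...] for the first n_blocks blocks.
    """
    failures, t, path = [], 0, []
    while len(path) < n_blocks:
        failures.append(t)
        rule = matching_rule(failures, t, rules)
        if rule:
            path.append((len(failures), rule.block))
            t += rule.block  # next attempt lands the second the block lifts
        else:
            t += 1
    return path


# Constructed scenario: a whole institution behind one NAT address (203.0.113.0/24 is a documentation range).
INSTITUTION_IP = "203.0.113.10"
NAT_EVENTS = [(60 * i, INSTITUTION_IP, f"user{i}", False) for i in range(8)]  # 8 staff, one typo each
NAT_EVENTS.append((60 * 8, INSTITUTION_IP, "user8", True))                   # 9th user, correct password

if __name__ == "__main__":
    for name, rules in (("stated schedule", BRUTEPROTECT_RULES), ("proposed schedule", PROPOSED_RULES)):
        verdicts, blocks = simulate(NAT_EVENTS, rules)
        print(f"{name}: {verdicts}")
        for b in blocks:
            print(f"  {b.ip} blocked {b.rule.block // 60} min after {b.rule.attempts} failures")
    for total, block in escalation_path(BRUTEPROTECT_RULES, 6):
        print(f"after {total} failures: block {block // H}h")
```

Under the stated schedule the ninth user, typing the right password, is turned away for eight hours because the shared address already carries eight failures; under the proposed schedule the same address is blocked after five failures but only for fifteen minutes. The escalation run reproduces the sequence of block lengths in the walk-through above (8h, 48h, 8h, 14d, 8h, 2 months at 8, 15, 23, 25, 33 and 40 failures); the cumulative elapsed times it implies are the simulator's own arithmetic.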

  • The topic ‘How many attempts?’ is closed to new replies.