Resolved
nellgwyn (@nellgwyn)


    Hello,

    I searched through the other support threads, but didn’t see anything quite like this. Our website has the “instantly lockout invalid usernames” option turned on, and it seems to have had an unexpected result. Here’s what happened:

    A user in our office tried to log in to the site and misspelled his username, so his computer got locked out (as he should have). He went to the website manager, who tried to log in on a different computer using her correct login info, but also got locked out. They then went to the IT guy, who was on a third different computer, to see if he could log in – and he was already locked out before he’d even attempted to log in at all!

    All 3 of these computers were on different IP addresses, so the IT guy should have been able to at least try to log in, but it seems that the entire office’s IP range had somehow gotten locked out that day. AIOWPS is the only plugin we have installed that has any lockout features enabled, so it seems like the most likely reason for this. We do have the Sucuri Scanner plugin installed, but that doesn’t have any lockout capabilities and thus seems unlikely to be related to this issue.

    We’re trying to figure out what exactly caused the mass lockout so that we can prevent anything similar from happening in the future. We get a lot of hack attempts that try invalid usernames (e.g. “admin”, etc), so we’d prefer not to turn that feature off. Has anything like our situation been reported before? Any help or tips on this would be appreciated!

    Thanks!

    https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/

Viewing 9 replies - 1 through 9 (of 9 total)
Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, reading all your information above leads me to believe the following.

    The reason why you could not log in from any computer, even if they had a different IP address, is because the username was locked. Judging from your explanation above, all three tried to log in using the locked-out username credentials.

    If the above is correct then the following applies.

    If a username becomes locked out, then no one can log in using that username from anywhere while it is locked. This is the way this option works.

    The lockout period is applied according to the following setting: Time Length of Lockout (min).

    If you are receiving too many admin logins, have you considered one of the Brute Force rename login features?

    Thread Starter nellgwyn

    (@nellgwyn)

    Thanks for your reply, and sorry for my delay.

    All three people (the initial user, the website manager, and the IT guy) were using their own usernames – nobody was sharing login info. Sorry if that wasn’t clear before. Our confusion stemmed from this seemingly being a blanket lockout across the office’s range of IP addresses, which also extended across multiple usernames.

    We actually do have several Brute Force options enabled – the site login page is renamed, we have a captcha on the login form, and we have the honeypot enabled.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, thank you for reporting back with the extra information. Do you by any chance also have your IP address whitelisted in the plugin?

    Thread Starter nellgwyn

    (@nellgwyn)

    No, we do not have any Whitelist features enabled.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    What User Login settings do you have enabled?

    Thread Starter nellgwyn

    (@nellgwyn)

    For User Login settings, we have these enabled:
    - Enable Login Lockdown Feature
    - Allow Unlock Requests (but this was added after the mass lockout incident)
    - Max Login Attempts = 4
    - Login Retry Time Period (min) = 3
    - Time Length of Lockout (min) = 120 (at the time of the incident; now it’s 30)
    - Display Generic Error Message
    - Instantly Lockout Invalid Usernames
    - Notify By Email

    Thanks!
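To make the scope question in this thread concrete, here is an added toy model (not the plugin's code, and not an assertion about how AIOWPS keys its locks) that replays the office scenario with the settings listed above under three assumed lock keys: username, single IP, and a /24 prefix. The account names and 203.0.113.x / 198.51.100.x addresses are constructed; the model shows that only a prefix-keyed lock reproduces the "whole office locked" symptom, which is the kind of check a site owner can reason through before testing on the live login page.

```python
from collections import defaultdict
from ipaddress import ip_network

# Settings quoted in the thread (values at the time of the incident).
MAX_ATTEMPTS = 4                  # Max Login Attempts
RETRY_WINDOW_MIN = 3              # Login Retry Time Period (min)
LOCKOUT_MIN = 120                 # Time Length of Lockout (min)
INSTANT_LOCK_INVALID_USER = True  # Instantly Lockout Invalid Usernames
VALID_USERS = {"alice", "manager", "itguy"}  # constructed sample accounts


class LoginLockdown:
    """Toy lockdown model (assumed behaviour, not the plugin's code).
    `scope` is what a lock is keyed on: "username", "ip" or "ip_prefix" (/24)."""

    def __init__(self, scope):
        self.scope = scope
        self.failures = defaultdict(list)  # key -> minutes of recent failures
        self.locked_until = {}             # key -> minute the lock expires

    def key(self, ip, username):
        if self.scope == "username":
            return username
        if self.scope == "ip":
            return ip
        return str(ip_network(f"{ip}/24", strict=False))

    def is_locked(self, ip, username, now):
        return self.locked_until.get(self.key(ip, username), -1) > now

    def attempt(self, ip, username, correct, now):
        """Return "ok", "fail" or "locked" for one login attempt at minute `now`."""
        k = self.key(ip, username)
        if self.is_locked(ip, username, now):
            return "locked"
        if correct and username in VALID_USERS:
            self.failures[k].clear()
            return "ok"
        # Keep only failures inside the retry window, then add this one.
        recent = [t for t in self.failures[k] if now - t <= RETRY_WINDOW_MIN] + [now]
        self.failures[k] = recent
        unknown = INSTANT_LOCK_INVALID_USER and username not in VALID_USERS
        if unknown or len(recent) >= MAX_ATTEMPTS:
            self.locked_until[k] = now + LOCKOUT_MIN
            return "locked"
        return "fail"


def office_scenario(scope):
    """Replay the thread: a typo'd username, then two valid users on other office IPs."""
    ld = LoginLockdown(scope)
    r1 = ld.attempt("203.0.113.10", "alcie", correct=False, now=0)  # misspelled username
    r2 = ld.attempt("203.0.113.11", "manager", correct=True, now=1)
    r3 = ld.attempt("203.0.113.12", "itguy", correct=True, now=2)
    return (r1, r2, r3)
```

Run `office_scenario("username")`, `office_scenario("ip")` and `office_scenario("ip_prefix")` to compare: the first two lock only the offender, the third locks all three.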

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Can you disable the Time Length of Lockout just for testing purposes? Also make sure the cache is flushed in your network. Then try to lock yourself out on purpose. See if the other users can log into the website with their own user login.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, is your issue resolved?

    Plugin Contributor mbrsolution

    (@mbrsolution)

    I am marking this thread as resolved. No replies in 3 months.

    Thank you

The topic ‘instant lockout feature locked out whole office's IP range?’ is closed to new replies.