Locked out even if whitelisted

  • Even like before I was locked out of a site by the plugin when I entered a wrong 2 Factor Authentication code on the login screen. What is really strange is that I did the incorrect 2FA code on my first login attempt. I then proceeded to enter a valid 2FA code on the second login attempt and got access to the site. Only then when I attempted to go to the Dashboard did IP-GEO block me. I used the emergency access option in the PHP file. Once in I checked any my IP address is in IP-Geo whitelist.

    I have had to keep the emerg access in place since the plugin is blocking me from logging in. This even after I cleared the WP-Cache for the site.

    Question is why is this plugin blocking me? The number of failed attempts for each IP is 3 and I only had one failed attempt. Only way I can disable the emerg access option in the plugin and still be able to login via 2FA is if I set the number of failed login attempts block to DISABLED.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi @frustrated999,

    I’m very sorry for your lockout so many times. Honestly speaking, 3.0.4.1 have a bug of blocking login attempts. The counter of login fail would go 1, 3, 5, … So if you configure “Max number of failed login attempts per IP address” as 5, then you would be lock out at 4th.

    Father more, the internal priority of whitelist for country code and IP addresses is the lowest priority to block malicious access against the plugins/themes vulnerability.

    I’ll release a new version next week.

    I’d deeply appreciate the patience m_(. .)_m

    Thread Starter frustrated999

    (@frustrated999)

    I am getting frustrated with this plugin. I went to login to one of the websites I used on it and again got locked out.

    I have 5 set to max attempts I have IP whitelisted which I find does nothing to prevent lockouts. Only other security plugins I use is

    WordFence Version 6.3.17
    iThemes Security Version 6.5.1

    I am also using Cloudflare caching and have disabled WP Supercache plugin.

    There is no use having this plugin if I can not reliably login to the websites to do maintenance on them.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi @frustrated999,

    I am also using Cloudflare caching

    How do I cache static HTML?” says:

    If the Cache-Control header is set to “private”, “no-store”, “no-cache”, or “max-age=0”, or if there is a cookie in the response, then Cloudflare will not cache the resource, unless a Page Rule is set to cache everything and an Edge Cache TTL is set.

    When IPGB blocks something, it outputs a message by HTML and also Cache-Control header as no-cache, must-revalidate, max-age=0 (and also define DONOTCACHEPAGE for caching plugin).

    But if your configuration of Cloudflare caching meets the above conditions, you’ll see the blocking HTML after someone is blocked.

    Please check your Cloudflare configuration.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Locked out even if whitelisted’ is closed to new replies.