• Resolved bblake

    (@bblake)


    Our WordPress website is constantly being attacked, it seems, and so I have set the Loginizer brute force settings thus:
    Max Retries 3 Maximum failed attempts allowed before lockout
    Lockout Time 180 minutes
    Max Lockouts 2
    Extend Lockout 120 hours. Extend Lockout time after Max Lockouts
    Reset Retries 24 hours
    Email Notification after 2 lockouts
    We are getting many emails from Loginizer each day, and I just received the following email shortly after 2 lockouts.

    6 failed login attempts and 2 lockout(s) from IP 213.166.141.178 on your site :
    https://naeg.org.uk

    Last Login Attempt : 21/Dec/2021 11:35:44 +00:00
    Last User Attempt : admin
    IP has been blocked until : 21/Dec/2021 14:35:44 +00:00

    I had expected the admin user id to be blocked for 120 hours, but find I can log in as admin immediately – before even the stated time. Is the block only effective for the IP specified? I’ve read the instructions, and it doesn’t say so.

    So I clearly don’t understand what is going on. I am guessing there is a robot working its way through a table of popular passwords! So restricting the number of attempts seemed the way to go. Can anyone help – thanks!

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Contributor loginizer

    (@loginizer)

    Hi,

    The IP is blocked, not the username.

    So any attempt for any username from the blocked IP will be denied access.

    However, you can log in with the same username from your IP. This is allowed to make sure you are not locked out in case of such brute force attempts if you would like to make any changes from the admin panel.

    Thread Starter bblake

    (@bblake)

    Thanks – that explains why I can still login!
    Is the ‘extend lockout to 120 hours’ working as well? That doesn’t show in the email message.

    Plugin Contributor loginizer

    (@loginizer)

    Hi,

    It seems the email did not take the extended lockout time and instead used the standard lockout time. We have fixed the issue and will be including the patch in the next version of Loginizer.

    However, be assured the IP was blocked for the correct time set in extended lockout. Only the time in email was wrong.

    Thank you for reporting the issue.
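
The behaviour described in the two plugin replies above, as an added example that is not part of any post in this thread and is not Loginizer's code: a simplified per-IP lockout model using the settings from the first post, replayed against the email's numbers. The class and function names, the counter and reset rules, the two addresses and all timings other than the last attempt time are assumptions or constructed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Settings from the first post in the thread.
MAX_RETRIES, MAX_LOCKOUTS = 3, 2
LOCKOUT = timedelta(minutes=180)
EXTENDED_LOCKOUT = timedelta(hours=120)
RESET_RETRIES = timedelta(hours=24)


class IpLockout:
    """Simplified model; counter and reset rules are assumptions, not Loginizer's code."""

    def __init__(self):
        # State is keyed by IP only: the username never enters the decision.
        self.state = defaultdict(lambda: {"fails": 0, "lockouts": 0, "last": None, "until": None})

    def attempt(self, ip, username, password_ok, now):
        s = self.state[ip]
        if s["until"] and now < s["until"]:
            return "blocked"  # denied even with the right password
        if password_ok:
            return "ok"
        if s["last"] and now - s["last"] >= RESET_RETRIES:
            s["fails"] = s["lockouts"] = 0  # assumed meaning of Reset Retries
        s["last"] = now
        s["fails"] += 1
        if s["fails"] % MAX_RETRIES == 0:
            s["lockouts"] += 1
            extended = s["lockouts"] >= MAX_LOCKOUTS
            s["until"] = now + (EXTENDED_LOCKOUT if extended else LOCKOUT)
        return "failed"


def replay():
    """Replay the email's numbers: 6 failures, 2 lockouts, last attempt at 11:35:44."""
    g = IpLockout()
    bot, owner = "203.0.113.10", "198.51.100.20"  # constructed (RFC 5737 ranges)
    first = datetime(2021, 12, 21, 8, 30, 0, tzinfo=timezone.utc)  # constructed
    last = datetime(2021, 12, 21, 11, 35, 44, tzinfo=timezone.utc)  # from the email
    for base in (first, last):
        for back in (2, 1, 0):
            g.attempt(bot, "admin", False, base - timedelta(seconds=back))
    probe = last + LOCKOUT + timedelta(minutes=1)  # just after the emailed time
    return {
        "lockouts": g.state[bot]["lockouts"],
        "blocked_until": g.state[bot]["until"],
        "emailed_until": last + LOCKOUT,
        "bot_after_emailed_time": g.attempt(bot, "admin", True, probe),
        "owner_same_username": g.attempt(owner, "admin", True, probe),
    }
```

In this model the second lockout runs until 26/Dec/2021 11:35:44, while the 14:35:44 shown in the email is the last attempt plus the standard 180 minutes.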

    Thread Starter bblake

    (@bblake)

    Thanks again – that’s great to know.

  • The topic ‘Lockout not working? (Loginizer)’ is closed to new replies.