Login in attemps

check this plugin
https://www.ads-software.com/plugins/limit-login-attempts/

Hi @omarkasem

I already try the plugin, but it shows the same capabality, the plugin/s that i search is if one user is lock for 30 mins then the other user can login or the admin..only the specific user will lock not all..

thanks again for the suggestion

you can try this plugin too
https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/
it’s a bit big but it has a feature that make you able to block the ip address of any failed login attempts.

thanks for the plugin suggestion, i tried the plugins but i thinks it is not my preferred plugins..

i had already a code for that but the problem is when he meet the attempt he will lock down and also the other user cannot login..

i need is only the specific user will lock out and the other user can logins..

but anyways thanks for the reply and suggestion

Can you be specific about what lock out conditions you want? Your last two objections seem to contradict each other. Custom coding something isn’t a huge endeavor if you have moderate PHP skills. There’s only a few data points that you can reliably use. The client’s IP address, which may be a proxy or load balancer. That’s OK, any IP behind that will not be reliable. The login name or email, and the current time and number of tries. Anything else can be spoofed. Your lock out scheme needs to work with only that data in whatever combination works for you.

The IP is important for distinguishing between brute force attempts against an administrator account and the true administrator. You ideally want to totally block one but never the other. You would of course block the attacker’s IP, but you might consider blocking the entire IP/24 range. Ideally, you would whitelist all of the administrator’s possible IP ranges, but determining what those may be is beyond the skills of average site owners. Attackers will be using multiple IPs, giving them many many tries if it’s important to not block legitimate administrator logins without any whitelisting. You could at least whitelist the IP/24 range the administrator is currently using when the plugin is activated, giving them at least one way in if their username is otherwise blocked by brute force attacks.

Whitelisting an entire range is usually necessary since most people’s Internet connection IPs are dynamically allocated. This introduces the possibility an attacker could be in the same range as the legitimate administrator. This is pretty unlikely, and they will still be limited by the number of tries before their specific IP is blocked. Sure, they can reconnect to get another IP, but that takes time, limiting the overall attempts allowed per time unit.

When you roll your own code, there are all sorts of specific strategies you can employ even within the limited data points. The lockout data can be stored as transients. When the transient expires, the lockout expires, so the normal login sequence would simply check for any matching transients. If none, the login may proceed.

hi @bcworkz

i already found a solution..the problem is when i fail 2 attempts then success for the 3rd attempt the fail attempt will be reset but in the plugin that i found it will continue meeting the attempt..

• This reply was modified 7 years, 6 months ago by ragnar22.
• This reply was modified 7 years, 6 months ago by ragnar22.

“it will continue meeting the attempt”
I don’t know what you mean by that. If the plugin is not working the way it should, I’d suggest you inquire through the plugin’s official support channel.

@bcworkz

if the two attempts to login is fail then the 3rd attempts is success the attempts fail will be reset back to zero in the login area

thanks

Yes, that is pretty typical behavior. Even legitimate users make mistakes. Of course they take more care when they are close to being locked out. If the counts are not reset upon success, they would forever be on the verge of being locked out. No one would like that situation, though it does improve site security.

What makes a difference is what counts are attributed to what information. If only to the user name, the attempts could be from a number of different people, only one being a legitimate user, if any. If the referring IP is also considered, the attempts are more fairly distributed, but each IP gets its own allocation of attempts so there are more available overall to a single hacker’s bot army. But then their attempts by IP are not (or should not be) reset when a legitimate user logs in from yet another IP but using the same user name.

In any case, if you do not like the plugin’s behavior, you should ask the plugin’s developers if there is any sustainable way to change it (i.e. through filter or action hooks). If not, you are faced with few options. Making your own private fork of the plugin, and missing out on any updates. Or hacking the plugin code and reinstating your hacks after every update, or starting afresh with your own bespoke plugin.

Hi..

thanks @bcworkz for the reply.