• Nick

    (@pilotnick)


    Hello,

    We’re testing your plugin on a development server with Varnish, and NGINX reverse proxy enabled. We have even tried to disable Varnish entirely, but the problem still happens. So it doesn’t seem to be directly related to Varnish.

    It seems like when anyone navigates to the login page the login limit attempts begin counting down. This happens even when simply refreshing the page, without physically typing in a username and password. We can leave the login form blank and simply keep refreshing the admin login page and the login attempts begin to count down.

    Example… We started at 15 login attempts allowed. But refreshed the page 5 times. The login form will show that we only have 10 login attempts left. All without ever inputting a login attempt (using a username and password and hitting enter to submit the login form).

    I would understand that the login attempt should only be counted as a login attempt when someone physically enters data into the login form and hits enter. Not by simply visiting the page. Which is what is happening. Any time someone visits the page, the page visit is being counted as a login attempt. Thus deducting a login attempt from the allowed logins we have prescribed.

    Can you please tell us why this is happening?

    • This topic was modified 8 years ago by Nick.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author gioni

    (@gioni)

    Hi Nick!

    That’s a very strange situation. You have to go to the Activity tab and check all those attempts you (or something) have made. They must be recorded. Any attempt to log in must be recorded with IP and username. Were they?

    The plugin itself cannot be the source of those attempts and it does not count any visit as an attempt.

    Thread Starter Nick

    (@pilotnick)

    Hi Gioni,

    It’s registering. The plugin itself seems to be registering the actual visits to the login form as an attempt. It is being recorded in the activity. However, it’s not showing a username. It’s only showing the IP address of my internet connection and the hostname of my ISP.

    • This reply was modified 8 years ago by Nick.
    Plugin Author gioni

    (@gioni)

    The plugin records only real attempts to log in. If an empty form has been submitted, the plugin ignores that. You may send me a screenshot of your activity tab with those attempts here: https://wpcerber.com/support/.
    Also you may use the Browser console to check what requests have been made by your browser or probably some JavaScript that has been added to the login page somehow by some plugin. Go to the Network tab in the console and inspect all the traffic that goes to the login page.

    • This reply was modified 8 years ago by gioni.
    Thread Starter Nick

    (@pilotnick)

    Actually. One thing I might add is that we’re also using Google Authenticator for WordPress by Julian Libeuf. I believe that this plugin may be causing the issue. Would you be able to test this with your development environment and let me know what you find? This has to be the cause. We have tried everything that we can think of.

    Plugin Author gioni

    (@gioni)

    I believe so too, because that plugin should interact tightly with the WordPress authentication process. Be aware that the plugin was updated 2 years ago, anyway. You can easily make sure that the cause is that plugin by temporarily deactivating it. Sorry, I have no time for setting up an environment for Google Authenticator and performing compatibility tests right now. I’m working on the next version of WP Cerber.

  • The topic ‘Login Limits Begin Counting Behind Varnish & Reverse Proxy’ is closed to new replies.