• Resolved catalysts

    (@catalysts)


    After updating AIOWP Security last week from 4.2.6 to 4.2.7, our login whitelist setup stopped working. We had the following layers active:
    1. Renamed login page
    2. Enable Lockdown Feature
    3. Brute force > Login whitelist: set of IPs entered
    4. User Login > Login Lockdown > IP Whitelist: matching set of IPs entered.

    The idea is that only staff knows the login slug, and they can only access WP from the set of pre-determined IP addresses. This was working until approximately the time of the update (no one noticed right away).

    A couple of days after the update, we discovered that no one on the whitelist was able to log into the WP dashboard. I’ve tried disabling all configuration options except login-related ones, deactivating AIOWPS, and rolling back to version 4.2.6, but when any IP whitelist option is selected, it breaks login. If I disable the IP whitelists (in sections 3 & 4 above), then there is no filter and anyone can access the renamed login URL…not what we want.

    It looks like a problem with the htaccess rule.

    ```
    <FilesMatch "^(renamedlogin)">
    Order Allow,Deny
    Allow from domain.com
    Allow from 127.0.0.1
    </FilesMatch>
    ```

    [Moderator note: code fixed. Please wrap code in the backtick character or use the code button.]

    When this is inserted by AIOWPS, login becomes unavailable (403 Forbidden error). Do you have any idea why this may no longer be working? At this moment, all other plugin options are disabled.

    • This topic was modified 7 years, 6 months ago by catalysts.
    • This topic was modified 7 years, 6 months ago by bdbrown.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, you might want to reset the plugin settings and start again. Please read the following instructions.

    Let me know what happens.

    Regards

    I am having the same issue. When I remove the htaccess rule with the IPs I can log in; otherwise I get a 403 at the rewritten login URL. I am using Cloudflare, and the generated htaccess rule seems to pick up and add the Cloudflare IP. I tried adding the real IP of the webserver to the whitelist, but still get a 403.

    ```
    <FilesMatch "^(xxx)">
    Order Allow,Deny
    Allow from xxx.com
    Allow from xxx.xxx.xxx.xxx

    </FilesMatch>
    #AIOWPS_LOGIN_WHITELIST_END
    ```
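
For checking a rule like the ones posted in this thread, the following added example (not from the thread or from the plugin) evaluates an `Order Allow,Deny` block against the address Apache sees for a request, following the matching rules documented for mod_access_compat. The sample rule, addresses and function names are constructed; behind a proxy such as Cloudflare, the address to test is the proxy's unless the server is set up to restore the visitor's.

```python
import ipaddress
import re

# Constructed sample: same shape as the rule in the posts, placeholder values.
SAMPLE_RULE = """\
<FilesMatch "^(renamedlogin)">
Order Allow,Deny
Allow from example.com
Allow from 127.0.0.1
Allow from 203.0.113.0/24
Allow from 198.51.100
</FilesMatch>
"""

def parse_allow_entries(block):
    """Return every token that follows 'Allow from' in the block."""
    entries = []
    for line in block.splitlines():
        m = re.match(r"\s*Allow\s+from\s+(.+)", line, re.IGNORECASE)
        if m:
            entries.extend(m.group(1).split())
    return entries

def entry_matches(entry, client_ip, client_host=None):
    """Match one entry the way mod_access_compat documents it."""
    if entry.lower() == "all":
        return True
    try:  # full address or CIDR block
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,2}\.?", entry):  # partial IPv4, e.g. 198.51.100
        return client_ip.startswith(entry.rstrip(".") + ".")
    # Anything else is a host name: Apache compares it with the reverse-DNS
    # name of the client, on whole components only.
    if client_host is None:
        return False
    host, name = client_host.lower(), entry.lower().lstrip(".")
    return host == name or host.endswith("." + name)

def status_for(block, client_ip, client_host=None):
    """Order Allow,Deny with no Deny lines: no Allow match means 403."""
    allowed = any(entry_matches(e, client_ip, client_host)
                  for e in parse_allow_entries(block))
    return 200 if allowed else 403
```

Pass the address recorded in the server's access log for the failing request as `client_ip`, and its reverse-DNS name as `client_host` when the rule contains host-name entries.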

    Plugin Contributor mbrsolution

    (@mbrsolution)

    @adam320, can you start a new support thread?

    Thank you

  • The topic ‘Login Whitelist Not Working’ is closed to new replies.