• My Brute force settings:

    Max Retries: 1

    Lockout time: 10000000

    Max Lockouts: 2

    Extend Lockout: 24000000

    Email notification: 1 lockout

    What am I doing wrong? In the log I see several 1 failed login attempts from several different IPs; however, “lockout Count” shows “0” from the single failed attempt. The option says maximum failed attempts before lock-out and I have set it to 1; my understanding is only one try and they should be locked out. Do I need to set the max retries to “0”? Also, to confirm, upon a single failed attempt are they locked out for the 10000000?

    I am also not getting email notifications.

  • Plugin Contributor loginizer

    (@loginizer)

    Hello,

    No, you are not doing anything wrong. As you see, you have set Max Retries as 1. It's the count of retries you want to allow. That means how many retries you want to allow your users to make after the first failed login. So 1 Max Retries converts to a total of 2 login attempts. And you cannot set Max Retries to 0.

    So what is happening is that the IPs that are trying to log in are just trying a single time, hence those IPs won't get locked out for a single login attempt.

    What you can do is blacklist all those IPs which you feel are malicious and they will be blocked from login forever.

    And yes, once the user gets locked out, they will have to wait for 10000000 minutes to get another chance to make a login attempt.

    I hope that answers your queries.

    Regards,

    Loginizer Team.

    Thread Starter handydandy

    (@handydandy)

    Hi,

    Thank you for your prompt response. OK, so my next question is, how long do the IPs have to wait after the first failed login to try a 2nd attempt?

    Plugin Contributor loginizer

    (@loginizer)

    So the retry can happen immediately. Loginizer will only block if the user is under lock-out or is blacklisted.

    Thread Starter handydandy

    (@handydandy)

    Thank you! I have noticed every attempt has been to the “xmlrpc.php” of the website. Would it be safer to disable that?

    Plugin Contributor loginizer

    (@loginizer)

    Hello,

    Yes, it would be safe to disable xmlrpc.php. As it can be used for brute force attacks, it’s better to disable xmlrpc.php.

    Regards,

    Loginizer Team
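
The pattern discussed in this thread (many IPs, one attempt each against xmlrpc.php, so a per-IP retry limit never triggers) can be checked against a web server access log. This is an added example, not part of the thread and not Loginizer's code; the log lines are constructed. It assumes combined log format, that every POST to /xmlrpc.php is a login attempt, and that an IP is locked out once it has used Max Retries + 1 attempts, as the reply above describes.

```python
import re
from collections import Counter

def _line(ip, method, path):
    # Build one constructed access-log line in combined log format.
    return f'{ip} - - [01/Mar/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" 200 403 "-" "-"'

# Constructed sample input (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = "\n".join(
    [_line(f"203.0.113.{n}", "POST", "/xmlrpc.php") for n in range(10, 16)]  # 6 IPs, one try each
    + [_line("198.51.100.7", "POST", "/xmlrpc.php")] * 3                     # one IP, three tries
    + [_line("192.0.2.44", "GET", "/")]                                      # unrelated traffic
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def xmlrpc_posts_per_ip(log_text):
    """Count POST requests to /xmlrpc.php per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, _status = m.groups()
        if method == "POST" and path.split("?", 1)[0] == "/xmlrpc.php":
            counts[ip] += 1
    return counts

def analyse(log_text, max_retries=1, distributed_threshold=5):
    """Split IPs into those that used every allowed attempt and those that stayed under.

    Assumption: attempts allowed = max_retries + 1 (1 retry = 2 attempts in total).
    distributed_threshold is a hypothetical tuning value for this example.
    """
    per_ip = xmlrpc_posts_per_ip(log_text)
    attempts_allowed = max_retries + 1
    exhausted = sorted(ip for ip, n in per_ip.items() if n >= attempts_allowed)
    under = sorted(ip for ip, n in per_ip.items() if n < attempts_allowed)
    return {
        "total_attempts": sum(per_ip.values()),
        "would_lock_out": exhausted,   # IPs a per-IP limit can act on
        "under_limit": under,          # IPs that never reach the limit
        "distributed_pattern": len(under) >= distributed_threshold,
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, six of the seven source IPs stay under the limit, which is why the lockout count in the original question stays at 0 even though attempts keep arriving.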

  • The topic ‘Not locking-out after one failed attampt’ is closed to new replies.