[Plugin: Theme My Login] Too many login attempts
-
Every user (yep even the admins) is getting the message that they made too many login attempts and that their accounts are locked out for the next 17 hours. This was working just fine for the last few weeks..
I had to delete the plugin folder from the back-end JUST to get back into my site’s back end.. **sigh** I love this plugin, but I have no clue what the issue is..
-
I need to be sure I am understanding you correctly when you say the plugin is doing its job..
The user names that the log shows were locked DID NOT include MY admin user names (Remember I said I have two admin accounts I use).. Neither one of my user names contained the failed login attempts data, and yet BOTH of my admin accounts were locked too..
Is that the way the plugin is supposed to work??
All the user accounts get attacked, the admin accounts do not, the user accounts are locked (according to the table data), but the admin accounts are not (again according to the table data), YET the admins are unable to log in and the message given is that the account is locked due to too many login attempts..
Is THAT the way the plugin is supposed to work???
The data you posted is ALL of the security meta?
No.. What I posted was only the records in the usermeta table with the keys “theme_my_login_security”. None of these records were for my admin users.. there were 10 users altogether at that time. 4 admins and (at the time this happened) 6 registered users. Since then I’ve had one more registered user, but they were not affected by this as they registered after the fact..
Sooooooo… is there an answer/solution for what happened here????? or????????
Sorry, no. As previously stated, the code only logs invalid login attempts if they happen… and only “locks” out an account when the threshold defined in the settings is reached.
I understand how this should work, but that’s not at all how it worked on this site.. My 2 admin accounts were both locked out and they didn’t make 5 login attempts. The other site admins were also locked out and they also didn’t make multiple login attempts either. The data makes it look as if ALL the subscribers made multiple login attempts.. **shrugs**
I may have to look at a different option for this site.. The site is too busy to have to address mass lockouts on a regular basis.. Plus I think that I need to enforce strong passwords for accounts on this site.. The one plugin that adds strong password enforcement looks like it will clash with Theme My Login..
Anyway.. Thanks for your response..
Personally I was recommended this plugin by Bullet Proof Security, as I use their plugin plus also use Limit Login Attempts. I installed it in 11 websites yesterday, and all work well. I’ve been adding extra security as there is a rash of automated scripts trying to break into people’s WP installations.
What I’m gathering, for those that experience “admin” lockouts, first of all, you should never have your /yourdomain.com/wp-admin or wp-login.php where your default username is “admin.” You’re asking for trouble if you do. If you do a search, you can find out how to change that if you have it set up that way. I’ll give you an example, a specific IP address tries to login, gets locked out, especially if you use “Limit Login Attempts” plugin, then you install this beautiful plug-in, and you will immediately be locked out.
If this happens, always use two browsers when adding plugins, i.e., Google Chrome and Firefox, keep both open in admin. After installing a plugin, do not activate until you open your other browser to your plugins in admin, then activate the plugin in one browser, test it, if it doesn’t work, delete it from the other browser–or you can FTP and delete it if you prefer one browser.
So bottom line, if you add Jeff’s beautiful plugin, make sure you reset your “Limit Login Attempts” so you don’t get locked out if you have blocked people of the LLA plugin. I also found out you can run both, I have both turned on, both with different settings.
Of note, I also renamed my “login” page this plugin creates, plus renamed the URL when editing in page edit mode, i.e., instead of yourdomain.com/login it’s something like yourdomain.com/come-on-in/ or whatever you prefer. I also renamed, not deleted, so if I need it later it’s there, the wp-login.php file to something like wp-login.phpSaveForEmergencies
So now I have several layers of protection. If a hacker goes to mydomain.com/wp-login.php they get page not found. If they go to mydomain.com/wp-admin obviously they are redirected, but that might mean they will have to work harder as I have a weird name for my login/logout page. If they break in past Limit Login Attempts, they have to break in past Theme My Login page security. Not to mention I have installed Bullet Proof Pro so that adds a steel front door to begin with. You might also look at SpamTrawler too, it’s not a WP plugin and it’s installed in your server root directory, but it protects WP, Socialengine, Vbulletin, etc., anything on your site from spammers, but you can also block countries out too!
Every bit of protection helps and this plugin is just one layer, but the more layers you have, the better off you are–and that’s layers on your server and your WP installation, not just WP. Just my thoughts and I bought my products and am not employed by products mentioned here. Thanks!
rolandogomez – While I appreciate your comments, nothing you’ve suggested/posted seems to apply to the situation I am reporting in this topic..
The site that is the subject of this topic does indeed have Bullet Proof Security installed. There is no administrator account named “admin”. Even if there was an “admin” account, BPS won’t clear all of its readiness checks unless and until you rename the “admin” account to something else.
I do not have the Limit Login Attempts plugin installed so that is NOT a factor either on this site.
I GET that this was a hack attempt.. what is UNCLEAR is why ALL the user accounts were locked out particularly when the log files indicated that they all did not attempt to login let alone exceed the number of attempted logins. My personal admin accounts on this site are OBSCURE so I doubt a hacker happened to guess it. Let alone guess EVERY SINGLE USER NAME then attempt to login using each user account..
So let me summarize what happened:
- Both of my personal administrator login accounts to this site were locked out for exceeding the number of login attempts even though I had not tried to login using either one of my administrator accounts.
- The other two site administrator accounts were ALSO locked out even though they had not attempted to log in, let alone exceed the number of login attempts.
- NONE of the administrator accounts are named admin
- the site had BPS installed BEFORE I reported this issue.
- This is the ONLY client site that has this same mix of security plugins where I have this issue.
- The lockout lasted LONGER than the threshold I set for lockouts and so the ONLY WAY to release the site was to delete the Theme My Login plugins folder.
- When I attempted to install a fresh copy of Theme My Login it resulted in the EXACT same lockout occurring as soon as I logged out of the admin and attempted to log back in.
Since there doesn’t seem to be a clear reason why this happened, I have had to remove Theme My Login from this site. I have installed a different plugin to instead enforce strong passwords for accounts on this site.. The one plugin that adds strong password enforcement looks like it will clash with Theme My Login (overlapping features).. So no more Theme My Login on this site.. I also added a login tracker plugin so I can SEE what’s happening, and so far with the exception of a stray bot trying to login using “admin”, there have been no more issues with mass lockouts on this site..
I need to note that this ONLY occurred on this site.. other sites where I have the same mix of plugins are not misbehaving..
DivaVocals,
Thanks for the explanation. I’m no programmer or coder, I get by. Funny how this only happened to one site, obviously something is conflicting. I’ve been buttoning down the hatches with everything I know because there are tons of bots running around trying to login as “admin” and of the 11 sites I manage, they’re constantly getting hit–so I set the login attempts to two tries, two times locked out for 1440 hours. It’s working. It’s a crazy hackers world out there and any layer of protection is better than none. So far all 11 sites are using Theme My Login perfectly. I wish you the best, rg.
Deleting the plugin would not remove the locks, as they are saved in the DB. You would have to delete each of those meta values that you posted.
Also, the lock isn’t cleared for a particular account until it is successfully logged in after the expiration time or manually cleared.
Yes Jeff I understand.. but accounts that weren’t supposed to be locked were indeed locked, and that is the issue I had.. Also the locks did not expire so everyone remained locked out (even the accounts that should not have been locked out..)
Had the same issue as described here. Not sure how I managed to hit so many failed login attempts … probably someone trying to hack in!
At any rate it locked me out. To get back in just edit ‘theme-my-login/modules/security/security.php’
Replace this …
if ( $time > $expiration )
    $this->unlock_user( $userdata->ID );
else
    return new WP_Error( 'locked_account', sprintf( __( '<strong>ERROR</strong>: This account has been locked because of too many failed login attempts. You may try again in %s.', 'theme-my-login' ), human_time_diff( $time, $expiration ) ) );
With this …
// Unconditionally clears the lock; the expiration check below is disabled.
$this->unlock_user( $userdata->ID );
/*
if ( $time > $expiration )
    $this->unlock_user( $userdata->ID );
else
    return new WP_Error( 'locked_account', sprintf( __( '<strong>ERROR</strong>: This account has been locked because of too many failed login attempts. You may try again in %s.', 'theme-my-login' ), human_time_diff( $time, $expiration ) ) );
*/
You’ll now be able to log into your admin and make changes to the plugin etc.
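A less drastic way to get back in is the manual clear Jeff mentioned above: remove the lock meta for the affected accounts only, and leave the plugin's lockout check in place. This is an added example, not code from Theme My Login or from anyone in this thread; it assumes it is run inside WordPress (for example with WP-CLI's `wp eval-file`), the account logins are placeholders, and the lock state lives under the `theme_my_login_security` usermeta key named earlier in the thread.

```php
<?php
// Added example (not plugin code): clear the Theme My Login lockout meta for
// specific accounts instead of commenting out the lock check in security.php.
// Assumed to run inside WordPress, e.g. `wp eval-file unlock-tml.php`, so
// get_user_by(), get_user_meta() and delete_user_meta() are available.

// Constructed placeholder logins; replace with the accounts that are locked.
$logins_to_unlock = array( 'site-admin-1', 'site-admin-2' );

// Usermeta key the thread identifies as holding the lock state.
$meta_key = 'theme_my_login_security';

foreach ( $logins_to_unlock as $login ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        echo "No such user: {$login}\n";
        continue;
    }

    $meta = get_user_meta( $user->ID, $meta_key, true );
    if ( empty( $meta ) ) {
        echo "{$login}: no {$meta_key} meta present, nothing to clear\n";
        continue;
    }

    // Keep a record of what was stored before it is removed, so a lock that
    // should not have existed (as reported in this thread) can be investigated.
    echo "{$login}: clearing {$meta_key} = " . print_r( $meta, true ) . "\n";
    delete_user_meta( $user->ID, $meta_key );
}
```

Accounts not listed keep their locks, so the brute-force protection stays active while the admins regain access.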
Thanks Oliver.Ibanez, this worked for me now.
How can I see the attacker IP address?
Wow, I just had the exact same issue. Thank you Oliver.Ibanez, this worked for me now too! 23-Jan-2013