• Resolved Shaun Williams

    (@eangulus)


    Using version 6.9.0 on a WordPress Multisite.

    Have been using the plugin for some time now and have been considering buying the pro version for some of the extra features (especially the media folders).

    I use the Limit Logins feature and have just spent several days now trying to work out why there was a reload script on the login page for 1 of 3 domains in the multisite.

    Long story short I found it was the limit logins causing the problem.

    So exactly what happened was as follows:

    User entered wrong (autosaved) password several times and got locked out.

    The login page now constantly reloads, which triggered a modsecurity and firewall block on our hosting.

    My first thought days ago was this feature but after disabling it, and because the IP was blocked at the hosting, it didn't fix it, so naturally I didn't think it was limit logins feature.

    After a lot of back and forth with hosting and several days and a lot less hair now, I finally got our hosting to stop blocking temporarily and worked out it was the limit Logins feature.

    In saying this, number one, it is a very, very bad idea to just block the login page by just continuously refreshing. Maybe redirect to google or something, not just reload the page over and over triggering other systems down the line.

    Second, how on earth do we unblock an IP???? When a mistake has happened we need a way to easily unblock the IP.

  • Plugin Author Bowo

    (@qriouslad)

    Thanks for reporting this. There is no “continuously refreshing” or “reload the page over and over” on the login page when a user is blocked. That would just be useless. It will just show the lockout message and full stop, no reload.

    Do you have any other plugin or code snippets that modifies the login page / process somehow? That might explain the issue you are seeing. e.g. you use another plugin to change the login URL

    IP whitelisting is available on the Pro version. Not quite an ‘unblock’ button for a locked out IP, but you can copy paste the blocked IP to the whitelist section and the user on that IP address should be able to see the normal login form again.

    Thread Starter Shaun Williams

    (@eangulus)

    First, I don't like being called a liar. It's also not good for business.

    With YOUR plugin turned on, there was a window.location.reload() script immediately after the title.

    I have NO other plugins that touch the homepage.

    After ONLY turning of Limit Logins, the script was there again. I even replicated to make sure.

    The IP used was blocked by Limit Logins, and when turned on, I got the constant reloading the Login page.

    After turning it OFF, I got the actual login page to load.

    Plugin Author Bowo

    (@qriouslad)

    No one is calling you a liar. Please calm down.

    What I said was: There is no “continuously refreshing” or “reload the page over and over”. Emphasis on the ‘continuously’ and ‘over and over’.

    Here’s the exact code with the window.location.reload(): https://www.imagebam.com/view/MESAYO5, which only should reload the page once.

    If you’re seeing repeated/endless reload, then something is wrong, and it’s not expected behaviour. Which is why I was asking if you have any other plugin/snippet that is modifying login page / behaviour. This is just standard question to rule out possible causes to the issue.

    So, I tested with a fresh install of WP via InstaWP, and only install ASE there and activate the Limit Login Attempts plugin. I purposefully login with the wrong username/password three times and got locked out, and presented with the lockout screen. No continuous reload of the page. You can test this yourself at InstaWP (free account is enough).

    What this exercise tells us is that there is nothing wrong with the Limit Login Attempts module in ASE under normal conditions. The lockout works as intended.

    Another thing you can try is, disable all other plugins in your site, but leave ASE and Limit Login Attempts on, and test if you still see the issue. In which case, there is something in your installation/setup that seems to be causing it. What exactly that is, is what we need to find out through our next replies.

    Thread Starter Shaun Williams

    (@eangulus)

    That is the code.

    How does that NOT continuously reload the page? There is no conditions to stop the reload.

    If I go to a page with that code in it, it's going to reload the page, which then sees that code again, and reloads the page, over and over and over.

    Exactly what it was doing.

    Plugin Author Bowo

    (@qriouslad)

    Yes. There is a check, the parent ‘if’ conditions. Not the prettiest of code, but it should work, and is working on my test sites.

    Have you tried deactivating all other plugins in your install, and leave ASE on?… and verify that the issue persists?

    Thread Starter Shaun Williams

    (@eangulus)

    Wasn’t going to come back as I figured it wasn’t worth the argument with the developer. I have 25 years in IT, have used WordPress since version 3. something, so I know how to debug and so forth.

    First, make sure your client isn’t being blocked on the server side. My hosting has mod security, and because of this issue with the reloads the hosting detected it as a security issue and blocked the IP. Looking at your plugins, besides ASE, not a single one of those are the same as me, and after my testing, it isn’t another plugin doing it. I am also using the Blocksy Pro theme.

    I got as far as finding out that there is supposed to be some script before the reload that determines showing the pinkish error page, but when I had the issue, it was not in the source. Only the window.reload script was there, which of course causes the constant reloading. Just haven’t worked out why the rest of the script wasn’t there. I believe that some very specific situation happened that caused the page to load without the rest of the scripts for the error page, and then browser cache takes over for a moment, ASE blocks the IP, then hosting blocks it and so forth. Snowball effect.

    I solved mine by disabling the blocking in ASE, had my hosting techs constantly removing my blocked IP on the hosting, then me clearing CloudFlare cache and browser cache a few times and then I managed to get the login page to load again. I then did a successful login, and so far have been able to turn ASE blocking back on with no problems since. But after now seeing others having an issue, I am no longer confident mine will stay working now.
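
The failure mode discussed in the posts above (a reload script reaching the browser without the check that should stop it), shown as an added example that is not part of any post in this thread and is not ASE's code: a reload helper that limits itself on the client, so an unconditional reload cannot turn into the request flood that tripped the hosting firewall. The names `reloadOnce`, `RELOAD_KEY`, `MAX_RELOADS` and `WINDOW_MS` are hypothetical.

```javascript
// Added example: a self-limiting page reload. Hypothetical names, not plugin code.
const RELOAD_KEY = 'lockoutReloads'; // hypothetical sessionStorage key
const MAX_RELOADS = 1;               // allow a single reload per time window
const WINDOW_MS = 60 * 1000;         // forget recorded reloads after one minute

// storage: object with getItem/setItem (sessionStorage in a browser)
// reload:  callback that performs the reload
// now:     current time in ms, injectable so the logic can be tested
function reloadOnce(storage, reload, now = Date.now()) {
  let state = { count: 0, first: now };
  try {
    const raw = storage.getItem(RELOAD_KEY);
    if (raw) {
      const parsed = JSON.parse(raw);
      if (Number.isInteger(parsed.count) && Number.isFinite(parsed.first)) {
        state = parsed;
      }
    }
  } catch (e) {
    // Storage blocked or value corrupted: fail closed, never reload blindly.
    return false;
  }
  if (now - state.first > WINDOW_MS) {
    state = { count: 0, first: now }; // old window expired, start a new one
  }
  if (state.count >= MAX_RELOADS) {
    return false; // budget spent: show the page as it is instead of looping
  }
  state.count += 1;
  try {
    storage.setItem(RELOAD_KEY, JSON.stringify(state));
  } catch (e) {
    return false; // the reload cannot be recorded, so it is not performed
  }
  reload();
  return true;
}

// Browser usage; skipped when the file is run outside a browser.
if (typeof window !== 'undefined') {
  try {
    reloadOnce(window.sessionStorage, () => window.location.reload());
  } catch (e) { /* sessionStorage access denied: do not reload */ }
}
```

Because the counter lives in the browser, a cached copy of the page that contains only the reload call still stops after one reload per minute.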

    Plugin Author Bowo

    (@qriouslad)

    Thanks for the additional info @andreawriessnegger and @eangulus. I’ll investigate this further. Meanwhile…

    Here’s another user reporting a similar issue:

    Whenever I turn on the security feature to lockout for 15 minutes after 5 “failed” logins, I cannot log into my wordpress site (I’m the owner/admin) – even using the “W” icon directly from my Dreamhost panel. The Dreamhost team can, but I cannot.

    When I turn this security feature off, the problem is instantly resolved … no issues logging in/out repeatedly. But again, once I put it on, I cannot log in from any of 4-5 different devices (desktops, laptop, tablet, phone) trying two different browsers, deleting cache/cookies, etc.

    I suspect there’s something like an auto “refresh” taking place that quickly clocks in 5 failed logins. Why my admin name/password would be treated as a failed log in remains a mystery to me.

    This may be the result of some strange interaction between my site, other plugins, and your wonderful ASE plugin. But I’d feel remiss if I didn’t bring my experience to your attention.

    Another user reports the following as well:

    Hi, after reducing both fields to 1 and 1, the login page reloads itself endlessly. We have to increase both values to 2 and 2, then the endless loading is gone. please check.

    our workaround is: deactivate javascript in browser.

    Will report back here if I manage to replicate the issue and maybe find a fix. Your patience is appreciated.

    Plugin Author Bowo

    (@qriouslad)

    Here’s from a user that reported the issue, quoted above “I cannot log in from any of 4-5 different devices (desktops, laptop, tablet, phone) trying two different browsers, deleting cache/cookies, etc.”, after testing v6.9.2:

    I just updated to your latest ASE revision, re-enabled the lockout security feature with default settings saved, and logged out.

    Result: No problem at all now logging back in (using various user ids). The browser is no longer flashing (apparent attempt to redirect to itself?) . In short, the misbehaving issue I’d experienced when engaging the lock out feature previously is now gone.

    At least in my limited immediate testing, the issue would seem to be fully resolved!

    Plugin Author Bowo

    (@qriouslad)

    Closing this ticket as the issue has been resolved.

    I have experienced the same problem with Limit Login Attempts Reloaded Version: 2.26.9 just as of today, and on numerous websites that I manage.

    Most I have not logged into for days or even weeks, but I get the “too many failed logins” message the very first time I try.

    I have had to disable the plugin on 72 websites!

    It seems to me to be directly related to the latest WordPress core update.

    Is it possible the plugin has become incompatible?

    Plugin Author Bowo

    (@qriouslad)

    @oak-web can’t say anything about Limit Login Attempts Reloaded plugin as I’m not the developer. Did you try out ASE’s Limit Login Attempts module?

  • The topic ‘Something not right with Limit Login Attempts’ is closed to new replies.