johanee

Hi,

There are no known MU problems.

Do you get the “x retries remaining” message” if you try loging in with an invalid password?

If you contact me at [email protected] I’ll try to find out the problem.

You do not mention it, but please make sure that the connection setting on the plugin setting page is set to reverse proxy.

If you still have problems, please contact me on [email protected]

Do you have access to web server logs?

Could you find (grep) for “wp-login.php”?

Yeah, probably no proxy we need to be concerned about.

Is it shared IP hosting? Meaning you’ll probably have a shared SSL for example.

Ok, interesting. I’ll investigate this further.

I assume the site is not behind a reverse proxy on the same server?

Do you use HTTPS for the whole site, or only for login / admin?

I do not actually think it is possible to spoof a HTTP connection using the target IP, so the login attempt is probably made from the server itself.

Is it a shared server?

Make sure you have correct setting for reverse proxy.

If your site is behind a reverse proxy on the same computer (if you use Varnish for example) it will appear that all login attempts are from the server IP.

Please check the information in the site connection option on the plugin settings page.

(There shouldn’t be any passwords in the notification email, I guess you mean “last user attempted”)

If there are any lockouts active there is a button in the settings to remove all of them, though you cannot (currently) remove individual lockouts.

I do not recommend manual changes to the database unless you really have to, and know what you are doing.

My guess would be that you have some other filter that clears the error message. There has to be some error, or the box divs wouldn’t be shown.

To get the original error message and find which filters are registered you could try something like this:

<?php
/*
  Plugin Name: Debug Login Errors
  Description: Debug the login_errors filter
  Author: Johan Eenfeldt
  Version: 0.1
*/

// use the 'all' filter to make sure we get called first
add_filter('all','debug_login_errors');

function debug_login_errors($filter) {
	if ($filter != 'login_errors')
		return;

	$args = func_get_args();
	if (count($args) < 2)
		return;

	$error = $args[1];

	// Original error
	echo '<p>Original error:<br />';
	var_dump($error);
	echo '</p>';

	// Filters
	global $wp_filter;
	echo '<p>Filters:<br />';
	var_dump($wp_filter[$filter]);
	echo '</p>';
}
?>

Hi,

Once the plugin is activated there should be an option page under the “Settings” menu.

Something like:
https://<sitename>/wp-admin/options-general.php?page=limit-login-attempts

Nothing is shown on the dashboard page right now.

/ Johan

Hi,

I would strongly recommend against completely whitelisting internal adresses, for various reasons: insider attacks, wireless access, hacked desktops, etc. More lenient limits perhaps, but not complete whitelisting.

Anyway, I have actually gotten a few questions about this kind of thing.

I’m considering adding some filter hooks so that number of attempts and/or lockout time can be customized (perhaps based on IP). Would that work for you?

It would require you to create a small custom plugin with whatever logic you require.

Something similar could perhaps be done with the error messages.

Hi,

There is information here:
https://codex.www.ads-software.com/Managing_Plugins#Installing_Plugins

The easiest way to install is through the WordPress admin:
https://codex.www.ads-software.com/Plugins_Add_New_Screen

Hope that helps,
Johan

The reverse proxy setting on the options page will give you some additional information based on your connection details.

Use this information when doing the configuration and you should be fine.

Thanks for the report. This should be fixed in 1.6.2, sorry for the delay.

This issue is (finaly) fixed in 1.6.2 that was just released.

Is it only the message that is missing (do you still get locked out like you should)?

What other plugins do you use?