stevegantz

Thanks for the quick reply. For some reason the rewrite statements didn’t work in .htaccess but when I moved them to default-ssl.conf they work as expected. Definitely an Apache configuration issue and not an AIOWPS issue.

Thanks very much for testing the plugin combination and providing the technical explanation for what both plugins are reporting. I agree with the implication that Sucuri is essentially reporting false positives, in the sense that its brute force attempt alerts do not indicate an exploitable situation with WordPress.

I’ve seen the same sort of activity, where AIOWPS reports a locked out IP address with a single failed attempt (for using an invalid username) but Sucuri logs show five attempts from the same IP with same invalid username but different attempted passwords. Sucuri doesn’t have a setting to limit the number of failed logins, so that limit is applied by AIOWP. It looks like AIOWPS is correctly locking out IPs after 5 failed login attempts but not enforcing the immediate lockout for invalid usernames.

Is your WP site hosted locally, or by a hosting provider? If your server isn’t on the premises, then no matter what IP address your desktop and laptop are using inside your network, they probably reach your website with the same external-facing IP address. That would explain why you were locked out when you attempted to login with a different username from your laptop. In a typical home network (and many office network setups) all devices connected to the network router (or wireless access point) share the same external-facing IP address (the one your ISP assigns to you).