• Resolved blakeofficial

    (@blakeofficial)


    Our site had been repeatedly hit by spam login attempts so we reviewed the logs and added the repeat offender IP addresses to the “Denylist.”

    After doing this, however, it appears that all users are blocked from logging in.

    I found this information from the Limit Login Attempts Reloaded plugin directory page:

    What do I do if all users get blocked?
    If you are using contemporary hosting, it’s likely your site uses a proxy domain service like CloudFlare, Sucuri, Nginx, etc. They replace your user’s IP address with their own. If your server is not configured properly, all users will get the same IP address. This also applies to bots and hackers. Therefore, locking one user will lead to locking everybody else out. In the free version of the plugin, this can be adjusted using the Trusted IP Origin setting. In the premium version, the cloud service intelligently recognizes the non-standard IP origins and handles them correctly, even if your hosting provider does not.

    The solution this presents isn’t helpful/doesn’t make sense to me because I can’t adjust the “Trusted IP Origin setting” without logging in…

    What steps can we take to fix this issue?

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Support brucewayne25

    (@brucewayne25)

    Hi, can you post information from the Debug tab? It sounds like you might have a misconfiguration on the server where your site is hosted.

    Thread Starter blakeofficial

    (@blakeofficial)

    @brucewayne25 what debug tag are you referring to? Point me in the right direction and I’ll be happy to share any information to help resolve this issue.

    Plugin Support brucewayne25

    (@brucewayne25)

    There’s a Debug tab under Settings of our plugin.

    Thread Starter blakeofficial

    (@blakeofficial)

    Sorry, but how can I view the debug tab if I can’t even log into WordPress? All users are blocked, nobody can log into WordPress. @brucewayne25

    Plugin Support brucewayne25

    (@brucewayne25)

    You can FTP to your site and rename the folder of our plugin and then you will be able to log in and reenable it.

    Thread Starter blakeofficial

    (@blakeofficial)

    @brucewayne25 That worked – it took a lot longer than I would have hoped (don’t use GoDaddy), but I am able to log in now. Such a relief.

    My question now is: how do I actually block the IP addresses where all the hack sign-in attempts are coming from? Once I was able to log back into WP, I removed the IP addresses from the Denylist and I’m scared to add any back to it and have it result in another lockout. How can I proceed?

    Plugin Support brucewayne25

    (@brucewayne25)

    You can just white-list your office’s IP(s).

    Thread Starter blakeofficial

    (@blakeofficial)

    I just tested this with a colleague yesterday and it didn’t work. I whitelisted his IP and blocked all the nefarious IPs but he was still unable to log in. I had to remove all IP blocking as a result.

    It’s starting to seem like one of the key features of this plugin is broken. @brucewayne25

    Plugin Support brucewayne25

    (@brucewayne25)

    Can you paste the contents of your Debug tab? The part where IPs are.

    Thread Starter blakeofficial

    (@blakeofficial)

    @brucewayne25 here are the contents from the Debug tab:

    HTTP_X_FORWARDED_FOR = IP0
    HTTP_X_REAL_IP = IP0
    HTTP_X_SUCURI_CLIENTIP = IP0
    REMOTE_ADDR = IP1

    Plugin Support brucewayne25

    (@brucewayne25)

    You need to add HTTP_X_SUCURI_CLIENTIP to the Trusted Origins setting of the plugin so the IP addresses of your visitors are detected correctly. Right now your server is misconfigured and doesn’t detect the IPs correctly.
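
The lockout in this thread, reproduced as an added example (not part of the thread and not the plugin's own code): behind a proxy every visitor shares one `REMOTE_ADDR`, so a denylist keyed on it blocks everyone, while reading the header named in the Debug output separates visitors again. The helper names and the sample addresses (documentation ranges) are assumptions made for the illustration.

```php
<?php
// Added illustration with hypothetical helpers; not the plugin's own code.

// Return the first valid IP found under the trusted origin keys, in order.
// $server has the same shape as PHP's $_SERVER.
function resolve_client_ip(array $server, array $trusted_origins): ?string
{
    foreach ($trusted_origins as $key) {
        if (empty($server[$key])) {
            continue;
        }
        // Forwarded-for style values may hold "client, proxy1, proxy2".
        foreach (explode(',', $server[$key]) as $candidate) {
            $candidate = trim($candidate);
            if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
                return $candidate;
            }
        }
    }
    return null;
}

function is_denied(?string $ip, array $denylist): bool
{
    return $ip !== null && in_array($ip, $denylist, true);
}

// Constructed requests: two visitors behind one proxy, so REMOTE_ADDR is shared.
$proxy = '198.51.100.7';
$requests = [
    'bot'       => ['REMOTE_ADDR' => $proxy, 'HTTP_X_SUCURI_CLIENTIP' => '203.0.113.50'],
    'colleague' => ['REMOTE_ADDR' => $proxy, 'HTTP_X_SUCURI_CLIENTIP' => '203.0.113.99'],
];

$configs = [
    'REMOTE_ADDR only'             => ['REMOTE_ADDR'],
    'HTTP_X_SUCURI_CLIENTIP first' => ['HTTP_X_SUCURI_CLIENTIP', 'REMOTE_ADDR'],
];

foreach ($configs as $label => $origins) {
    // The denylist holds whatever address the log showed for the bot.
    $denylist = [resolve_client_ip($requests['bot'], $origins)];
    foreach ($requests as $who => $server) {
        $ip = resolve_client_ip($server, $origins);
        printf("%-30s %-10s %-14s %s\n", $label, $who, $ip,
            is_denied($ip, $denylist) ? 'BLOCKED' : 'allowed');
    }
}
```

With only `REMOTE_ADDR` consulted, both visitors resolve to the proxy address and one denylist entry blocks both; with the Sucuri header consulted first, only the bot is blocked. The header is only reliable when the origin server accepts traffic solely from the proxy, since otherwise its value is whatever the client sent.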

The topic ‘All users are blocked’ is closed to new replies.