• Resolved melric

    (@melric)


    http://www.rfhfitness.com

    I am having the same problem experienced by other users, in that the plug-in has locked me out and seems to be treating me as an attacker. Below is a step-by-step account of what happens. (The screenshots are available, but I don't know how to attach them.)

    Attempt login with username and password stored in Roboform

    Receive reset notification on screen (RFH – admin.png)

    Submit with what I believe to be the correct username

    Receive confirmation message on screen that reset link has been sent by email (RFH – admin confirmation link.png)

    No reset link received

    Try to request reset link again with various likely email addresses [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

    Receive error message on screen – password reset not allowed for this user (RFH – admin reset not allowed.png)

    Request reset link again with possible email address

    Receive reset link with username “test” – RFH – admin test Password Reset.pdf

    Click link, takes me to reset password screen, with new password already filled in (RFH – test new password screen.png)

    Click link (save pw to roboform as RFHfitness – 1) – receive password reset confirmation screen (RFH – test confirmation of password reset screen.png)

    Click login and fill in details saved to roboform

    Takes me to customer details screen (RFH – test customer details screen.png) which only allows navigation around the customer pages and live site.

    https://ww.wp.xz.cn/plugins/login-security-solution/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Also locked out and can’t reset password. Reset via functions.php, but stuck in some kind of loop where logging in with the correct credentials puts me back at the login screen rather than the dashboard.

    In my case the plug-in seems to work fine. I have tested a normal user password reset and it works, and log in works too.
    Sorry, I really have no idea, and I am afraid to see no reply here from the plug-in staff.

    This seems to be a great and very useful plug-in.

    I think that if a user is locked out and this user is an admin, a link should be sent to their email address to unlock the admin account, so that via email the admin can unlock their user and, once logged in, maybe help to unlock users with issues.

    Plugin Author Daniel Convissor

    (@convissor)

    I have a feeling you’re behind a load balancer. To verify, SSH into your webserver. Invoke the MySQL client (mysql -u your_sql_user_name -p your_database_name). Then run this query:

    SELECT ip, COUNT(*) FROM wp_login_security_solution_fail
    GROUP BY ip ORDER BY COUNT(*) DESC;

    If you have only one row (or very few rows) show up, my hunch is right. To rectify that, please read the installation instructions. You can do so either via the readme.txt file in the plugin or at https://ww.wp.xz.cn/plugins/login-security-solution/installation/

    Thread Starter melric

    (@melric)

    Thanks everyone for your help & comments. I actually resolved the issue shortly after posting by un-installing the plugin and replacing it with All In One WP Security.

    Please consider this issue resolved.

    Plugin Author Daniel Convissor

    (@convissor)

    For the record, Login Security Solution offers the best brute force detection. It checks for any combination of password, user name or IP range. All of the plugins I’ve examined, including All In One, only look at the IP address. Over the past couple months, I’ve noticed that attackers have so many bots at their disposal that they use a different IP address for nearly every request.

    Real world example… One of my sites got 126 failed login attempts yesterday from 112 different IP addresses. These addresses aren’t even in the same IP range. This particular attacker’s control server picks three likely user names and one password then tells three bots to try one combination. Then it picks another password and has three _other_ bots try those combinations. Rinse and repeat. LSS stopped them. Other plugins don’t.
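
An added illustration of the two points the plugin author makes above, not part of the thread and not Login Security Solution's own code: a per-IP failure counter misses an attack that rotates addresses, and the same counter charges every failure to one address when a load balancer hides the client IP. The threshold, field names, addresses and sample records are constructed assumptions.

```python
import hashlib
from collections import Counter

THRESHOLD = 5  # assumed limit: failures allowed per key before it is flagged


def digest(password):
    # Compare attempts by digest so the submitted password is never stored.
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def constructed_failures():
    """Constructed sample: 42 passwords x 3 user names = 126 failures, 112 IPs."""
    rows, i = [], 0
    for n in range(42):
        for user in ("admin", "test", "editor"):
            ip = f"10.{i % 112}.0.1"  # constructed address, one range per bot
            rows.append({"ip": ip, "user": user, "pw": digest(f"guess{n}")})
            i += 1
    # A real user mistyping twice from one address.
    rows += [{"ip": "10.200.0.7", "user": "owner", "pw": digest(p)}
             for p in ("hunter3", "hunter22")]
    return rows


def flagged(rows, field):
    """Values of `field` that appear in more than THRESHOLD failures."""
    counts = Counter(r[field] for r in rows)
    return {value for value, n in counts.items() if n > THRESHOLD}


def through_balancer(rows, balancer_ip="10.255.0.1"):
    """The same failures as logged when every request shows the balancer's IP."""
    return [dict(r, ip=balancer_ip) for r in rows]


if __name__ == "__main__":
    rows = constructed_failures()
    for field in ("ip", "user", "pw"):
        print(field, sorted(flagged(rows, field)))
    print("balancer:", flagged(through_balancer(rows), "ip"))
```

In this sample no single address or password digest crosses the threshold, while the three targeted user names do; behind the balancer the one visible address collects all 128 failures, including the real user's two typos.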


The topic ‘Locked Out’ is closed to new replies.