• Resolved coreymwinter123

    (@coreymwinter123)


    I love this security plugin and have used it on numerous client websites, but I’ve noticed something strange with the Login Lockdown feature.

    We’re getting a lot of brute force login attempts that are causing the localhost IP (127.0.0.1) to be locked out. This is preventing everyone from logging into the site until the lockdown time is over.

    I would assume that this is not the intended behavior. Any help would be appreciated!

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, do you have the following feature enabled: Enable Login Lockdown Feature? If you do, what settings have you configured?

    Do you have any features enabled under the Brute Force tab?

    Regards

    Thread Starter coreymwinter123

    (@coreymwinter123)

    Hi @mbrsolution!

    We have Login Lockdown enabled. We have max login attempts set to 5, the retry period set to 5, and the length of lockout set to 60. You can see a screenshot of the full Login Lockdown settings here: https://blueprintstore.com/wp-content/uploads/2019/07/BP-LoginLockdownSettings.png

    For the Brute Force settings, all we have enabled is the Basic Login Form Captcha and the Login Form Honeypot.

    By looking at the Failed Login Records log, the Login Lockdown is seemingly doing its job. But once or twice a day, it will lock out IP address 127.0.0.1. When that happens, everyone is locked out and I have to rename the plugin folder in FTP so I can get back into the admin backend.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, can you try something. Obviously the IP address 127.0.0.1 is the intranet IP address that everyone is currently using. If this is the case, can you whitelist 127.0.0.1 under User Login -> Login Lockdown?

    Also, make sure you don’t have the following feature enabled: Instantly Lockout Invalid Usernames.

    Let me know if the above works.

    Thank you

    Thread Starter coreymwinter123

    (@coreymwinter123)

    Hey @mbrsolution! Whitelisting 127.0.0.1 did the trick to prevent all users from being locked out, but I’m still seeing a LOT of bot login attempts coming from the 127.0.0.1 address in the log, which means that those attempts aren’t being blocked anymore.

    This is the only client site where I’m seeing bots coming from the localhost IP, so at this point, I’m not sure if this is a problem related to the plugin configuration or something wrong with this specific website’s setup/host.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, have you set up the Rename Login Page feature in the plugin? This is located under the Brute Force tab.

    Regards

    Plugin Contributor wpsolutions

    (@wpsolutions)

    @coreymwinter123,
    When you look in the “Failed Login Records” tab, are you seeing that the attempts which are coming from localhost are using the correct username or some other non-existent one?

    What value is displayed for your IP address in the “Logged In Users” tab?

    Does your webserver setup use Varnish for caching/proxy?

    Was there a resolution to this? I am having the exact same problem, all addresses point to localhost and yes, using Varnish and have a proxy set up: Apache :443 -> Varnish: 8080 -> Apache: 8181.

    “Logged In Users” tab shows all localhost.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    @ctevwordpress, please create a new support thread. It is much easier for us to manage users’ issues. You are most welcome to add a reference to this support thread.

    Thank you


The topic ‘Login Lockdown is locking out localhost’ is closed to new replies.
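
With the proxy chain described in the later replies (Apache :443 -> Varnish :8080 -> Apache :8181), the backend's TCP peer is always loopback, so a lockout keyed on that address blocks every visitor at once, and whitelisting it disables the lockout. The sketch below is an added illustration, not code from the plugin or from anyone in the thread; it assumes the proxies append to `X-Forwarded-For`, that only loopback hops are trusted, and all function names and sample requests are constructed for the example.

```python
import ipaddress
from collections import Counter

# Assumption: the only hops allowed to set X-Forwarded-For are on loopback,
# matching the Apache :443 -> Varnish :8080 -> Apache :8181 chain in the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
MAX_ATTEMPTS = 5  # "max login attempts" value quoted in the thread


def is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff):
    """Return the address that failed logins should be counted against."""
    # A direct connection from an untrusted peer: ignore any header it sent.
    if not is_trusted(peer):
        return peer
    # Walk the chain right to left; the first hop that is not one of our own
    # proxies is the nearest address that our infrastructure recorded.
    for hop in reversed([h.strip() for h in (xff or "").split(",") if h.strip()]):
        if not is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                break  # malformed entry: stop trusting the header
    return peer


def locked_out(requests, key):
    """Count failed logins per key and return the keys at or over the limit."""
    counts = Counter(key(peer, xff) for peer, xff in requests)
    return {k for k, n in counts.items() if n >= MAX_ATTEMPTS}


# Constructed sample: (peer address seen by the backend, X-Forwarded-For header).
FAILED = (
    [("127.0.0.1", "203.0.113.9, 127.0.0.1")] * 5
    + [("127.0.0.1", "198.51.100.20, 127.0.0.1")] * 2
    + [("127.0.0.1", "10.9.9.9, 203.0.113.9, 127.0.0.1")]  # client-supplied left-most entry
)
by_peer = locked_out(FAILED, lambda peer, xff: peer)   # everyone shares one key
by_client = locked_out(FAILED, client_ip)              # only the noisy source
```

Keyed on the peer address, the eight constructed failures all land on 127.0.0.1; keyed on the resolved address, only the source with six failures crosses the limit and the client-supplied left-most entry is never used.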