Title: Possible issue
Last modified: August 24, 2016

---

# Possible issue

 *  Resolved [Handoko](https://wordpress.org/support/users/handoko-zhang/)
 * (@handoko-zhang)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/possible-issue-1/)
 * This plugin sounds interesting, I have read the information about login cool-
   down system of this plugin.
 * I really want to try this plugin. But I can think of an issue that may happen
   if I install this plugin.
 * One of my websites has been attacked by a single IP since 2 days ago. It accesses
   my /wp-login.php about 4 times every minute. It has generated more than 10 thousand
   login attempts so far.
 * If I install Simple Security Firewall and set the Login Cooldown Interval = 60
   seconds, chances I’m not able to log in will be high. Because someone just
   tried to log in recently. But if I set the interval less than 15 seconds, this
   plugin is useless to slow down the login bots, isn’t it?
 * I build and monitor several websites, and I study their login bots’ patterns.
   They’re now more clever. They won’t come back in just seconds. Many of them will
   try to login again after several hours (using same IP). They’re persistent, only
   will give up after many days of trying.
 * [https://wordpress.org/plugins/wp-simple-firewall/](https://wordpress.org/plugins/wp-simple-firewall/)

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Plugin Author [Paul](https://wordpress.org/support/users/paultgoodchild/)
 * (@paultgoodchild)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/possible-issue-1/#post-6121829)
 * Spread over 2 days, 10,000 login attempts isn’t actually a lot… it sounds like
   a lot, but it’s hardly anything. This means they’re accessing about once every
   15-20s. That’s not a brute force attack.
 * Take a look at this:
    [http://math.stackexchange.com/questions/739874/how-many-possible-combinations-in-8-character-password](http://math.stackexchange.com/questions/739874/how-many-possible-combinations-in-8-character-password)
 * You will see that with even a “small” 8 character alphanumeric password, the 
   possible permutations are HUGE.
 * 10,000… is hardly nothing.
 * The login protection cooldown fights proper brute force attacks very effectively
   since even with a 10s cooldown, it could take up to 567200 days to crack an 8-
   digit password.
 * That’s quite effective. Without a cooldown, you’re in trouble.
 * That’s assuming you even know the admin login username to attack.
 * If they’re giving up after a few days and they have a cooldown of 10-20s, they’re
   not going to get anywhere.
 * * Also, you could whitelist your own IP address so you’re not affected by the
   cooldown system. 🙂
 * I hope that helps.
    Thanks, Paul.
 *  Thread Starter [Handoko](https://wordpress.org/support/users/handoko-zhang/)
 * (@handoko-zhang)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/possible-issue-1/#post-6121855)
 * Thanks for the reply. Okay, I missed the “whitelist IP feature”. But, what should
   I put if my internet provider doesn’t provide me a static IP? Also, what if I
   tried to log in when I’m having vacation in other countries?
 * Yep, 10,000 login attempts isn’t much. The worst I ever had is 80,000 attempts
   coming together from 2 IPs attacking a single site. They all failed, but the 
   thing I don’t like is they’re burdening my server and wasting the bandwidth.
 * So, what is your suggestion for the cooldown interval that is good for most cases?
   For your information, I haven’t installed your plugin yet.
 * I’ve just checked my cPanel log, and I can see it’s still trying to login to 
   one of my sites. I was thinking to manually block it via htaccess. But I found
   you’re correct as you mentioned on your plugin’s description page that banning
   IPs isn’t a good idea.
 * Anyways, Simple Security Firewall seems to be a good security plugin. I’ll be sure
   to try it someday.
 * Note:
    Providing some screenshot pictures will make more people want to try your
   plugin. Some people (including me) are too lazy to watch the 6 minutes introduction
   video.
 *  Plugin Author [Paul](https://wordpress.org/support/users/paultgoodchild/)
 * (@paultgoodchild)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/possible-issue-1/#post-6121884)
 * The login cooldown period is really up to you and how you think it best suits
   your site and its uses. I can’t say to be honest. I put it at 60s for my sites,
   but that suits my profile.
 * As to the bandwidth burden… unfortunately there’s not a lot to be done there 
   about that. If the IP really is constant, you could temporarily ban it in your
   .htaccess, but as you know, this doesn’t scale.
 * As to the screenshots etc., you’re right, I can definitely do better to help 
   people get started. You also need to put a higher priority on understanding the
   tools you use… it’s up to you. A security plugin doesn’t fix everything, it provides
   you the tools to do what you can to protect yourself, but you still have to know
   what you’re doing. But if 6 minutes is too long to learn a bit more about a security
   plugin, that’s not something I can fix.
 * Thanks for the feedback.
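
The cooldown trade-off discussed in this thread, modelled as an added example (not code from the posts or from the plugin). It counts how many of a bot's attempts (one every 15 seconds) are actually processed in an hour, and in how many seconds of that hour a non-whitelisted admin would be turned away. Assumptions: a single site-wide timer that starts whenever a non-whitelisted attempt is processed and is not restarted by rejected attempts; `CooldownGate`, `simulate` and both IP addresses are hypothetical.

```python
"""Toy model of a site-wide login cooldown (assumed semantics, not the plugin's code)."""

BOT_IP = "203.0.113.7"       # constructed address (documentation range)
ADMIN_IP = "198.51.100.20"   # constructed address (documentation range)


class CooldownGate:
    def __init__(self, interval, whitelist=()):
        self.interval = interval           # cooldown length in seconds
        self.whitelist = set(whitelist)    # IPs exempt from the cooldown
        self.last = float("-inf")          # time of the last processed attempt

    def would_allow(self, ip, now):
        """True if an attempt from `ip` at time `now` would be processed."""
        return ip in self.whitelist or now - self.last >= self.interval

    def attempt(self, ip, now):
        """Make an attempt; a processed, non-whitelisted one starts the cooldown."""
        allowed = self.would_allow(ip, now)
        if allowed and ip not in self.whitelist:
            self.last = now
        return allowed


def simulate(interval, bot_period=15, duration=3600, whitelist=()):
    """Return (bot attempts processed, seconds in which the admin is rejected)."""
    gate = CooldownGate(interval, whitelist)
    bot_processed = admin_blocked = 0
    for t in range(duration):
        # The bot tries once every `bot_period` seconds.
        if t % bot_period == 0 and gate.attempt(BOT_IP, t):
            bot_processed += 1
        # Probe (without consuming the slot) whether the admin could log in now.
        if not gate.would_allow(ADMIN_IP, t + 0.5):
            admin_blocked += 1
    return bot_processed, admin_blocked


if __name__ == "__main__":
    cases = [(60, ()), (10, ()), (60, (ADMIN_IP,))]
    for interval, wl in cases:
        processed, blocked = simulate(interval, whitelist=wl)
        label = "whitelisted" if wl else "not whitelisted"
        print(f"cooldown={interval:>2}s admin {label:<15} "
              f"bot guesses processed/hour={processed:<3} "
              f"admin rejected in {blocked}/3600 seconds")
```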
