Login security not locking out brute force attempts?

[hangojango]

Hi there,

I’ve got a plugin installed that shows me recent changes to my multisite via Dashboard home. It’s called Simple History.

It shows me that there are numerous brute force login attempts on my site, even though I’ve set BPro max login attempts to 3 and lockout times to 600 minutes. Unfortunately Simple History shows me that this isn’t working as the same username is making numerous attempts within a single hour. (Too many to list.) I’d attach screenshots if that made it clearer.

Any ideas? Am I missing something?

[AITpro Admin]

Is the username a valid user account on your website?  Only valid user accounts will be locked out.  Any username that is not a valid user account cannot login to your site.

[hangojango]

Yes it’s valid. In fact it’s the Super Admin name.

[AITpro Admin]

Do you have any other plugins installed that handle logins or login security?  Do you have a custom login page?

[hangojango]

I use a plugin that white labels both the Dashboard and login experience for users on subsites. It’s called White Label CMS.

The URL for login is
https://domain.com/wp-admin (as usual)
and this then redirects to
https://domain.com/wp-login.php?redirect_to=https%3A%2F%2Fstorytappy.com%2Fwp-admin%2F&reauth=1

Not sure if that is relevant in any way.

I’m actually planning to kill the remaining subsite and convert to single site (instead of multisite) so this plugin is not so necessary anymore. If you think it could be interfering with login security, I’ll disable it sooner.

[AITpro Admin]

Do some testing to see if things are actually working correctly.  Use another user account so you don’t lock yourself out of your site or change the lockout time to 1 minute. Then see if BPS Login Security is actually working or not.  I am off to my day job and will return at 5pm PST.

[Author]

Posts