Limit Login Attempts Security — Login Security, 2FA, Firewall, Brute Force Prevention

Часто задаваемые вопросы

Что мне делать, если все пользователи заблокированы?

If you are using contemporary hosting, it’s likely your site uses a proxy domain service like CloudFlare, Sucuri, Nginx, etc. They replace your user’s IP address with their own. If the server where your site runs is not configured properly (this happens a lot) all users will get the same IP address. This also applies to bots and hackers. Therefore, locking one user will lead to locking everybody else out. If the plugin is not using our Cloud App, this can be adjusted using the Trusted IP Origin setting. The cloud service intelligently recognizes the non-standard IP origins and handles them correctly, even if your hosting provider does not.

Как узнать, подвергаюсь ли я атаке?

An easy way to check if the attack is legitimate is to copy the IP address from the lockout notification and check its location using a IP locator tool. If the location is not somewhere you recognize and you have received several failed login attempts, then you are likely being attacked. You might notice dozens or hundreds of IPs each day. Visit our website to learn how can you prevent brute force attacks on your website.

Как определить, что премиум-плагин работает?

After you upgrade to our premium version, you will see a new dashboard in your WordPress admin that shows all attacks that will now relay through our cloud service. On the graph, you’ll see requests and failed login attempts. Each request will represent the cloud app validating an IP, which also includes denied logins.

В некоторых случаях вы можете заметить увеличение скорости и эффективности работы вашего сайта. Кроме того, уменьшится количество уведомлений о блокировке по электронной почте.

Могут ли эти неудачные попытки входа в систему быть поддельными?

Some users find it hard to believe that they could experience numerous unsuccessful login attempts, particularly when their site has just been established or has minimal human traffic. The plugin is not responsible for generating these failed login attempts. Newly created websites are frequently hosted on shared IP addresses, making it easy for hackers to discover them. Additionally, newly registered domain names are often crawled soon after creation, rendering a WordPress website susceptible to attacks. Such websites are attractive targets as security is not a primary concern for their owners. We’ve created an article that delves deeper into the issue of fake login attempts in WordPress.

Что произойдет, если мой сайт превысит установленные планом лимиты запросов?

Ограничения на ресурсы в премиум-плане начинаются от 100 000 запросов в месяц, что позволяет выдержать практически любую мощную брутфорс-атаку. Мы следим за всеми нашими сайтами и предупреждаем пользователя о превышении лимита. Если лимиты превышены, мы предложим пользователю перейти на следующий тарифный план. Если вы используете бесплатную версию, то нагрузка, вызванная атаками грубой силы, будет поглощаться текущей пропускной способностью хостинга, что может привести к увеличению стоимости хостинга.

Какие URL-адреса подвергаются атакам и защищаются?

Защищаемые URL-адреса — это страница входа в систему (wp-login.php, wp-admin), xmlrpc.php, страница входа в систему WooCommerce, а также любая пользовательская страница входа в систему, использующая обычные крючки входа в WordPress.

Почему плагин Limit Login Attempts Security пользуется большей популярностью, чем другие плагины защиты от брутфорс-атак?

Our main focus is protecting your site from brute force attacks. This allows our plugin to be very lean and effective. It doesn’t require a lot of your web hosting resources and keeps your site well-protected. More importantly, it does all of this automatically as our service learns on its own about each IP it encounters. In contrast, a firewall would require manual blocking of IPs.

Что делать, если администратор заблокирован?

Open the site from another IP. You can do this from your cell phone, or using Opera browser and enabling free VPN there. You can also try turning off your router for a few minutes and then see if you get a different IP address. These will work if your hosting server is configured correctly. If that doesn’t work, connect to the site using FTP or your hosting control panel file manager. Navigate to wp-content/plugins/ and rename the limit-login-attempts-reloaded folder. Log in to the site then rename that folder back and whitelist your IP. By upgrading to our premium app, you will have the unlocking functionality right from the cloud so you’ll never have to deal with this issue.

Какие настройки я должен использовать в плагине?

Настройки подробно описаны в плагине. Если вы не уверены, используйте настройки по умолчанию, так как они рекомендуются.

Can I share the safelist/denylist throughout all of my sites?

By default, you will need to copy and paste the lists to each site manually. For the premium service, sites are grouped within the same private cloud account. Each site within that group can be configured if it shares its lockouts and access lists with other group members. The setting is located in the plugin’s interface. The default options are recommended.