All In One WP Security And Firewall User Login helps you setup the following options login lockdown, force logout, login retry and much more.
Last Updated: September 8, 2022
Latest News: Updated the documentation.
User login is important to sites for administrators. It is also import if you allow user registration via WP Users. This at the same time allows hackers to attack the login page via brute force. In the login page, the attackers will attempt to repeat the login by trying to guess the password. They will carry out this action until they succeed. This is considered a brute force attack. By enabling all or some of the following features in the plugin you will reduce and stop these forced attacks.
Apart from choosing strong passwords, monitoring and blocking IP addresses which are involved in repeated login failures in a short period of time is a very effective way to stop these types of attacks. Remember that constant attempts are you login page will also affect your servers performance.
Note: Currently the plugin does not support IPV6 addresses for login lock down. Please read the following forum post. This is something the developers are currently working on.
What you need:
All In One WP Security And Firewall User Login
Step 1 ) Go to WP Security -> User Login admin tab as illustrated in the image below.
User Login
Step 2 ) The following image User Login allows you to set up the following login settings.
Note: Go to WP Security -> Dashboard -> Locked IP Addresses tab to see any IP addresses which is temporarily locked out due to the Login Lockdown feature.
User Login Settings
- Login Lockdown
- Failed Login Records
- Force Logout
- Account Activity Logs
- Logged In Users
- Additional Settings
Login Lockdown
Step 3 ) Go to WP Security -> User Login -> Login Lockdown to set up the following options. See image below.
This will add another 20 points score towards your security meter. (Basic Security Level)
Login Lockdown Part 1
- Enable Login Lockdown Feature
- Allow Unlock Requests
- Max Login Attempts = If you get too many lockouts from your users login in, then you might consider enabling Allow Unlock Request.
- Login Retry Time Period (min)
- Time Length of Lockout (min)
Remember: Always check your Account Activity Logs and Logged In Users to know more about what’s happening on your sites admin panel. Checking Logged In Users can be handy. If anyone is logged in, you can notify them if you are going to carry out any updating on your site.
Step 3-a ) The following image allows you to set up the following options.
Login Lockdown Part 2
- Display Generic Error Message = Check the following steps Step 3-b ) and Step 3-c ) below for more information.
- Instantly Lockout Invalid Usernames
- Instantly Lockout Specific Usernames = In this example the following usernames have been added to the list admin, www, bpm-go, bpmgo. This features comes in handy when you keep getting too many strange usernames trying to log into your site.
- Notify By Email
- Click on Save Settings button once you have completed the settings.
WordPress Default Error Message
Step 3-b ) The following image displays WordPress default error message.
Step 3-c ) The following image displays a generic message when the following feature Display Generic Error Message is enabled.
FAQ WordPress Default Error Message
Q1 Is there a way to customize the default error message displayed by WordPress?
Answer: Yes you should be able too by using the wordpress core filter for the errors. Check the following support thread for the solution.
Lost your password link
AIOWPS plugin does a great job at also protecting the Lost your password? link. If you are using one of the Brute Force features to rename the login URL, you must use the URL with the secret word to reset your password. If you don’t you will see an error message displayed on the screen. Also, the email sent to your inbox will also have the correct reset link as long as the person resetting the password is an administrator with administrative privileges.
================================
Login Lockdown IP Whitelist Settings
Step 3-d ) Go to WP Security -> User Login -> Login Lockdown -> Login Lockdown IP Whitelist Settings as illustrated in the image below to set up the following options.
Login Lockdown IP Whitelist Settings
- Enable Login Lockdown IP Whitelist
- Enter Whitelisted IP Addresses
- Click on Save Settings button once you have completed the settings.
Troubleshooting Login Lockdown
The following error message is displayed when someone has been locked out of your site when the following feature Enable Login Lockdown Feature is enabled.
ERROR: Access from your IP address has been blocked for security reasons. Please contact the administrator.
Solution: (Provided by wpsolutions in the forum)
– manually deactivate this plugin via FTP or log into your server and temporarily rename the plugin’s folder. Then once you are logged into your site, you can rename the folder back to it’s original name and unlock your self from the “Locked IP Addresses” tab in the aiowps dashboard menu.
OR,
1) If you have the login white list feature enabled? Try editing the .htaccess file manually and delete the block of code for that feature. (look for the markers “#AIOWPS_LOGIN_WHITELIST_START/END”)
2) Using PHPMyAdmin, go to the “aiowps_permanent_block” table and check if your IP address is listed in it. If it is delete that row.
3) Do the same as step 2) above for the table called “aiowps_login_lockdown“
Failed Login Records
Step 4 ) Go to WP Security -> User Login -> Failed Login Records. The following image displays a record from a failed login. This options helps keep track of what is going on on the back end of your website. You can choose to delete all obsolete records.
Failed Login Records Information
- Login IP Range
- User ID
- Username
- Date
Step 4-a ) The following image Export to CSV and Delete All Failed Login Records allow you to carry out the following options.
- Export to a CSV file all login records.
- You can delete all failed login records.
Troubleshooting Failed Login Records
Q1 How do I fix the following fatal error message when I go to view the failed login records?
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 90 bytes) in /sata1/home/users/malynrada/www/www.malyn-rada.gov.ua/wp-includes/wp-db.php on line 1889.
Solution: Check the following support thread for a possible solution.
==========
Q2 Why do I see the following username [login] instead of a name?
Solution: This can happen if you are using cloudflare or a similar service and set up the wrong server variable. Check the following support thread for more information.
FAQ Failed Login Records
Q1 Is there a way to delete all failed login records from all the sites on a multi-site network at once?
Answer: Short answer is no there isn’t. But there is a filter hook which controls how many rows are kept in the aiowps_failed_logins table. Please check the following support thread for more information.
================================
Force Logout
Step 5 ) Go to WP Security -> User Login -> Force Logout. The following security option is very useful. If you don’t want your users to stay logged in for too long you can set the time here in minutes. In this example the time is set to 60 minutes “1 hour”.
This will add another 5 points score towards your security meter. (Basic Security Level)
Force Logout Options
- Enable Force WP User Logout:
- Logout the WP User After XX Minutes:
- Click on Save Settings button once you have completed the settings.
Account Activity Logs
Step 6 ) Go to WP Security -> User Login -> Account Activity Logs tab to check the activities for users registered and have logged into your website.
Account Activity Logs Options
- You can search through the list of logged users.
- You can select a number of users and delete them from the list.
Step 6-a ) The following image Export to CSV allows you to export the log file into a csv file. This can be very handy to use when you need to investigate the loggings.
Account Activity Logs Options
- You can export the log file into a CSV file by clicking on Export to CSV button.
Logged In Users
Step 7 ) Go to WP Security -> User Login -> Current Logged In Users tab to check all the users that are currently logged into your website and allows you to Force Logout the user especially if you think or know it is a suspicious user. The following information is displayed for your perusal.
- User ID = Force Logout
- Login Name
- IP Address
Troubleshooting Logged In Users
Q1 When I log into my site, I see the same logged in user twice. Why is that?
Solution: Check the following support thread for a possible solution.
Additional Settings
Step 8 ) Go to WP Security -> User Login -> Additional Settings tab to manage the application password option in the site.
This will add another 10 points score towards your security meter. (Basic Security Level)
Additional Settings Options
- Disable Application Password.
- Click on Save Settings button once you have completed the settings.
=============================
Click on the following link User Registration to continue configuring the plugins settings.
If you have any questions please let me know
Enjoy.
All In One WP Security & Firewall Plugin Tutorial List
I have been working in IT since 1999 and I enjoy the challenges it brings me. I love developing websites with WordPress. I spend a lot of time helping out in wordpress.org forums. I have been writing tutorials since 2011. Now I am learning how to manage my own VPS "Virtual Private Server.