to dir
cp/wp plugin: limit login attempts reloaded - NOTES             rev 13 oct 2022

Category: security
cp/wp: classicpress and wordpress 
webwalker: this type of plugin is essential; but maybe not this one. 
            (why not? can't remember)

.......................................................
description: 

  Blocks attempts on your wp-login.php, by ip number
  Can set it for number of tries allowed.

  Good summary of what it does, in this review on WordPress.org:
    https://wordpress.org/support/topic/great-little-plugin-but-some-confusion/

  Version recommendation: FREEZE - DO NOT UPDATE - no longer lean and mean.
    mar 2021 - new version adds many more features, separate menu item 
      with icon, ads for premium.
    feb 2022 - is getting problem reports in forum, with advice to
      stick with older version.

    they try to sell their premium version. That's why there are
    so many updates, which bring the plugin to the site owners
    attention (i.e. the useless mail notifications, now the menu
    item, nag screens etc.).
    The plugin got worse since they offer a "premium" version.
    -- mbaieri
    https://wordpress.org/support/topic/option-to-choose-where-the-menu-should-be/#post-14274370

.......................................................
sources:

  Plugin page:
    https://wordpress.org/plugins/limit-login-attempts-reloaded
    https://www.limitloginattempts.com/

  WordPress forums:
    https://wordpress.org/support/plugin/limit-login-attempts-reloaded
    https://wordpress.org/search/classicpress+limit-login-attempts/?forums=1
  ClassicPress forums:
    https://forums.classicpress.net/search?q=%22limit%20login%20attempts%22



_______________________________________________________ 
➽ Install/config/uninstall:


......................... 
install:

  the usual.


......................... 
settings:

  Under settings menu.

  All options and the logs are saved in the wp_options table
  [jun 2020]


.........................
uninstall:

  - deletes from database?

  tables: 
 


_______________________________________________________ 
➽ Notes:

  There is an original version "limit login attempts" which
    seems to be abandoned, last updated in 2002.
    WPChef has revived it as "Reloaded" in mid-2016
    and it has consistently had good support and reviews.

.........................
Lockout log: 

  - The 'GDPR' setting encrypts the displayed ip number.
      Untick it to be able to view real ip numbers.
        (Any past numbers will remain encrypted.)
      https://wordpress.org/support/topic/lockout-log-ip-addresses-are-not-standard-format/
      <d>19 jul 2019</d>
      
  - Clicking 'Unlock" button unlocks all the ip numbers?
      all were showing 'unlocked' anyway when i checked;
      click 'Unlock' disappeared the button, but didn't change status.
      <d>22 jul 2019</d>
      https://wordpress.org/support/topic/my-log-says-unlocked-what-does-it-mean/
        "Outdated lockouts get unlocked automatically after the time specified 
           in the plugin config. This has nothing to do with hackers, this is 
           just an indication for an admin that the IP is no longer locked."
        [16 may 2019]


.........................
How to unblock yourself:

  > The idea is to change your IP (which got blocked) and 
    log in using another IP. 
    Then unblock your blocked IP from the admin interface of the plugin.
  * Log in from another ISP, for example from your phone 
       using mobile Internet and not wifi. 
  Or 
  * Turn off your router (if any), wait for a few minutes 
      and then turn it on in hope that its IP changes. 

  > Last resort, through SFTP or SSH, rename the plugin folder to deactivate it.


.........................
 * problem: massive table bloat

    https://wordpress.org/support/topic/massive-database-table/
    table optimization/repair seemed to fix the problem.



.........................
 * What makes the IP unblocked?
     https://wordpress.org/support/topic/what-makes-the-ip-unblocked/
        [8 feb 2021]
     Good question, but no answer so far
        [28 feb 2021]

.........................
 * The time reported by the failed login attempts details the wrong timezone
     https://wordpress.org/support/topic/log-time-wrong-timezone/
        [17 feb 2021]
     Good question, but no answer so far
        [28 feb 2021]

.........................
 * Wrong timezone in logs
     https://wordpress.org/support/topic/log-time-wrong-timezone/
        [17 feb 2021]
     Good question, but no answer so far
        [28 feb 2021]

......................... 
* Notify multiple emails on lockout?
    LLA doesn't do it itself - only accepts one address.
    But you could make an email forwarder that could go to multiple emails.
    https://wordpress.org/support/topic/notify-multiple-emails-on-lockout/#post-14015284
    [7 feb 2021]


.......................................................
more info:


.......................................................
other plugins of same type:

  * Login LockDown
      https://wordpress.org/plugins/login-lockdown/
      100,000 installs
      updated to keep up with latest WP.

  * Loginizer
      https://wordpress.org/plugins/loginizer/
      1 million installs
      updated to keep up with latest WP.

  * Limit Login Attempts (the old one)
      https://wordpress.org/plugins/limit-login-attempts/
      1 million installs
      not updated since WP 2.8.


_______________________________________________________
begin 26 sep 2019