The Limit Login Attempts function of Really Simple SSL protects your site from login attempts by unauthorized users. When you enable Limit Login Attempts, all login attempts are logged and repeated attempts to login with invalid credentials will be blocked automatically.
By default, 5 invalid login attempts within 15 minutes will result in a 30 minute lockout of the offending ip address and/or username. All automatic lockouts are temporary and will be cleared after the configured lock-out duration. If a user or ip address is blocked temporarily and you do not want to wait for the lockout to be cleared automatically you can delete the temporary block from the Limit Login Attempts settings.
You can relax the settings if you encounter problems with excessive lockouts or tighten them if your site is under frequent attack. The interval en lockout duration can be set from 15 minutes to 1 day. The number of failed logins that will trigger a lockout can be set from 3 to 15 attempts.
You may be able to switch ip address to get around a lockout but your username will also be locked-out for the same period, so be careful using the maximum lockout duration. It is very common for attackers to try and login with the “admin” username, so this username will probably appear in your temporary blocklist a lot. If you are still using “admin” to login we recommend changing it using the “Block the username ‘admin'” toggle under Hardening.
Permanent Block and and “Trusted” lists
You can add ip addresses and usernames to the permanent list of blocked or trusted ip addresses and usernames by switching between the temporary blocklist, the permanent blocklist or trusted list using the dropdown menu.
If you want to block a username from logging in you can add that username to the permanent blocklist. You can add both existing and non-existing usernames. If you enter an existing username this will also affect the ability to login with the users e-mail address and vice versa. If you add a username to the “trusted” list this user can always log in, even when logging in from an ip address that is on the temporary or permanent blocklist. This feature can be used a way to be able to login even when your ip address is blocked, but using this option is not recommended because anyone that knows the login name would be able to circumvent the Limit Login Attempts protections. If you do use trusted usernames, make sure the username and corresponding e-mail address is kept a secret.
Ip addresses can be added as single IPv4 and IPv6 ip addresses or ranges in CIDR notation. Any ip address you add to the permanent blocklist will prevent anyone from logging in from that ip address. If you add an ip address to the “trusted” list, all Limit Login Attempt protections will be disabled when the login attempts are made from that ip address.
Regions (Geo IP blocking)
You can block users logging in from specific countries by adding those countries to the geo ip blocklist. Note: This will not affect regular visitors on your website, it only affects login attempts. If want want to block all countries from a specific continent you can do so by selecting “Continents” from the dropdown menu and then click “Block”. This will add all countries in the selected continent to the blocklist. To allow only logins from one or more specific countries, select all continents and click “Block”, then lookup the countries you want to allow logins from, and click “Allow”. You can search the lists for specific countries and sort by continent. Be careful not to block the country you are logging in from yourself. Any trusted ip addresses will overrule the geo ip blocklist.
The eventlog can be used to check on attempted logins and actions taken by the Limit Login Attempts protection. If one of your users is being blocked by the Limit Login Attempts protection, you should be able to find the reason here. You can search for usernames and ip adresses and sort by date, country and event type.